Require SSL and Apache authentication

I wanted to password protect a website and require SSL for that website. That all worked perfectly, except that when users browsed to http://site.example.com they would be given a 302 error page. Here are the options I had set in the <Directory> section for that site.

AuthName "Restricted Access"
AuthType Basic
AuthUserFile "/path/to/htpasswd/file/users"
Require valid-user
SSLRequireSSL
RewriteEngine on
RewriteBase /
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [L]

With the settings above, the SSLRequireSSL option takes precedence over the other options because SSL negotiations are done before Apache negotiations, so I was getting an Apache 302 error page.
Some users wouldn't realize from the error page that they needed to add https:// to the URI, so I tried setting up a redirect from http://site.example.com to https://site.example.com.
I commented out the SSLRequireSSL and tried again. Now when I browsed to http://site.example.com I would get prompted for a username and password, but the site was still not on https://site.example.com, so the usernames and passwords were being submitted in clear text.
Wanting to require SSL and have the redirect work before the user enters their credentials, I got it to work by adding the following to the <Directory> directive.
SSLOptions +StrictRequire
SSLRequireSSL
ErrorDocument 403 https://site.example.com
This causes SSLRequireSSL to be processed first, and in place of the 403 page it would typically serve, Apache redirects to the secure site and then prompts for the user credentials.
PROBLEM SOLVED! Yeah!
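
To confirm the behaviour from the client side, the check below classifies what the server answers to a plain-HTTP request: an error page with no redirect, a Basic prompt over cleartext, or a redirect to HTTPS before any prompt. It is an added example, not part of the original post; the function names and verdict labels are my own, and the sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def classify(status, headers):
    """Classify the server's answer to a plain-HTTP request for the protected site."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 and h.get("www-authenticate", "").lower().startswith("basic"):
        # Basic prompt on port 80: the browser would send base64 credentials in clear.
        return "CLEARTEXT_AUTH_PROMPT"
    if status in REDIRECTS:
        if urlsplit(h.get("location", "")).scheme == "https":
            return "REDIRECT_TO_HTTPS"
        return "REDIRECT_NOT_HTTPS"
    if status == 403:
        # Access refused, but the user is not sent to the https:// site.
        return "BLOCKED_NO_REDIRECT"
    return "UNEXPECTED"

def probe(host, path="/", port=80, timeout=5.0):
    """Send one GET over plain HTTP (redirects are not followed) and classify it."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()

# Constructed sample responses, one per outcome described in the post.
SAMPLES = {
    "error page, no redirect": (403, {"Content-Type": "text/html"}),
    "password prompt over HTTP": (401, {"WWW-Authenticate": 'Basic realm="Restricted Access"'}),
    "redirect before prompt": (302, {"Location": "https://site.example.com"}),
}

def check_samples():
    """Return the verdict for each constructed sample response."""
    return {name: classify(status, hdrs) for name, (status, hdrs) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name}: {verdict}")
```

Against a live server, `probe("site.example.com")` should return `REDIRECT_TO_HTTPS`; `CLEARTEXT_AUTH_PROMPT` means credentials can still be submitted without TLS.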