
Using Apache, I force HTTPS on a folder:

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.example.com"
ErrorDocument 403 https://www.example.com/admin/

and I protect the folder using Apache AuthBasic:

AuthType Basic
AuthName "Administration"
AuthUserFile /path/to/my/.htpasswd
Require valid-user
Satisfy all

Like this, the password is always sent over HTTPS. It works well, but then I tried to disable authentication for a single URL:

SetEnvIf Request_URI "crm/index\.php$" removeme_uri
Order deny,allow
Deny from all
Allow from env=removeme_uri
Satisfy any

This URL does not ask for authentication, and the others do. So all is well, but HTTPS is not required anymore, and the password can be sent in the clear!

What am I doing wrong here?

2 Answers

Thanks to Jon's answer, I could try different solutions. I found this question and applied the answer to my situation:

In the main directory, the .htaccess contains

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.example.com"
ErrorDocument 403 https://www.example.com/admin/

AuthType Basic
AuthName "Administration"
AuthUserFile /path/to/my/.htpasswd
Require valid-user
Satisfy all

And in the crm subdirectory, the .htaccess has:

<FilesMatch "index\.php">
    Allow from all
    Satisfy any
</FilesMatch>

It forces SSL in any case and allows access to crm/index.php.


This is kind of weird, because the Satisfy directive affects access restrictions, and even though the SSLRequireSSL and SSLRequire affect SSL, they're considered part of access restriction. So when you use Satisfy Any when allowing access to a URI to pass through without the need for valid-user, it also made it so the SSL access requirement is part of that Any. And since the options for Satisfy are either All or Any, you can't say "this one always, but these other 2 any".

You may have to use something like mod_rewrite to force SSL in your htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
Comment: Hi Jon, thanks for your answer! I tried your solution, but unfortunately it did not work. However, I was able to explore further and found a way :) I wanted to upvote your answer but I do not have enough reputation yet. Sorry :/ – Andreas Schwarz Aug 15 '12 at 21:08
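A combined .htaccess that puts the two answers together, added here as an example and not taken from the question or either answer: the mod_rewrite redirect from Jon's answer keeps HTTPS mandatory for every URL because it runs before access control and is not subject to Satisfy, and the FilesMatch exemption from the accepted answer relaxes only the Basic auth for the single file. It assumes Apache 2.2 directives as used on the page, an AllowOverride that permits FileInfo, AuthConfig and Limit in .htaccess, and the host name www.example.com from the question.

```apache
# Added example, not the configuration from the question or the answers.
# Placed in the .htaccess of the protected directory (the one holding crm/).

# 1. Force HTTPS with mod_rewrite. This runs in the URL-rewriting phase,
#    before the access and auth checks, so "Satisfy any" below cannot
#    weaken it: a plain-HTTP request is redirected before any
#    WWW-Authenticate challenge is sent.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]

# 2. Keep the mod_ssl checks as a second layer: a request that reaches the
#    access phase without TLS gets a 403 instead of a password prompt.
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.example.com"
ErrorDocument 403 https://www.example.com/admin/

# 3. Basic auth for the whole tree. "Satisfy all" means both the access
#    checks (including SSLRequireSSL) and a valid user are required.
AuthType Basic
AuthName "Administration"
AuthUserFile /path/to/my/.htpasswd
Require valid-user
Satisfy all

# 4. Exempt only crm/index.php from the password. "Satisfy any" here lets
#    "Allow from all" stand in for valid-user, but HTTPS is still enforced
#    for this file by the rewrite in step 1, which Satisfy does not see.
<FilesMatch "^index\.php$">
    Order deny,allow
    Allow from all
    Satisfy any
</FilesMatch>
```

Note that a client which volunteers an Authorization header on its very first plain-HTTP request (scripts, not browsers) will still have sent it before the redirect; the server-side fix prevents the challenge, not a client that leaks credentials unprompted. Check the result with a client that follows no redirects: an HTTP request to any URL should return 301 to https://, and over HTTPS crm/index.php should return 200 without a WWW-Authenticate header while every other URL returns 401.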