3

I have set up a private website that needs to be accessible by only a few people via the internet. I'd like to set up a combination of basic authentication and HTTPS.

So far everything works OK if I directly type in https://blah.com/location1. However, what I need is to have Apache redirect http://blah.com/location1 to https://blah.com/location1 and THEN do basic authentication, i.e. I don't want basic authentication to be done before the redirection. At the moment this is what I have in my Apache config.

```apache
WSGIScriptAlias /site /path/to/site/apache/site.wsgi

<Directory /path/to/site/apache>
    WSGIApplicationGroup %{GLOBAL}
    Order deny,allow
    Allow from all
</Directory>

<Location /site>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

    AuthType Basic
    AuthName "Site login"
    AuthUserFile /path/to/site/.htpasswd
    Require valid-user
</Location>
```

Note: I only need the authentication for /site. So I should be able to access http://blah.com/site1, http://blah.com/site2 without needing authentication.

domino
  • A question, why do you want basic authentication with https? With basic authentication the user credentials will be sent in plain text. – anil Nov 11 '10 at 09:15
  • 2
    That is why I need basic authentication to be done from `https` and not `http`. That way they are sent encrypted – domino Nov 11 '10 at 09:18
  • 1
    I think you should just shift the `AuthType Basic ..` from the http config to https, that means two separate configurations – ajreal Nov 11 '10 at 10:00
  • Possible duplicate of [Apache .htaccess redirect to HTTPS before asking for user authentication](https://stackoverflow.com/questions/10267102/apache-htaccess-redirect-to-https-before-asking-for-user-authentication) – LWC Aug 06 '17 at 21:28

2 Answers

1

The problem with the rewrite rules that "convert" HTTP requests into HTTPS requests is that they don't prevent the first request from being made over plain HTTP (as you get a redirect to the HTTPS URL).

What you could do is split your site into two virtual hosts: one for HTTP and one for HTTPS.

On the HTTP virtual host, implement the rewrite if you want, but forbid access to `<Location /location1>` in all cases (only do the rewrite).

On the HTTPS virtual host, configure `<Location /location1>` with basic authentication.

Bruno
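
The two-virtual-host layout described in the answer above, written out for the question's `/site` path as an added example that is not part of the original answer. The certificate paths are placeholders, and mounting the WSGI application only inside the port 443 host is an assumption about how the site is deployed.

```apache
# Added example. Certificate paths are placeholders; other paths come from the question.

# Port 80: contains no Auth* directives, so a password prompt can never
# be issued (and credentials never sent) over plain HTTP.
<VirtualHost *:80>
    ServerName blah.com

    # Redirect /site and everything below it to HTTPS. The target host is
    # written out instead of %{HTTP_HOST} so the redirect does not echo a
    # client-supplied Host header. /site1, /site2 do not match this pattern.
    RewriteEngine On
    RewriteRule ^/site(/.*)?$ https://blah.com/site$1 [R=301,L]

    # The WSGI application is deliberately not mounted in this virtual host,
    # so nothing under /site can be served over HTTP even if the rule is lost.
</VirtualHost>

# Port 443: the only place the application and its authentication exist.
<VirtualHost *:443>
    ServerName blah.com

    SSLEngine On
    SSLCertificateFile    /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem

    WSGIScriptAlias /site /path/to/site/apache/site.wsgi

    <Directory /path/to/site/apache>
        WSGIApplicationGroup %{GLOBAL}
        # Apache 2.2 syntax, as in the question; on 2.4 use "Require all granted".
        Order deny,allow
        Allow from all
    </Directory>

    <Location /site>
        # Refuse the request outright if it somehow arrives without TLS.
        SSLRequireSSL
        AuthType Basic
        AuthName "Site login"
        AuthUserFile /path/to/site/.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

A request to `http://blah.com/site` should return a 301 with no `WWW-Authenticate` header; the 401 challenge should appear only on the `https://` URL.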
0

I replied here, Apache 2.2 redirect to SSL *then* do auth (with solution < but is it crap?), with a solution which uses `SSLRequireSSL` and an `ErrorDocument 403` returning an HTML 403 error page containing JavaScript which will reload the page over HTTPS ... the best solution I found without splitting the configuration file in two, one loaded by the VirtualHost on the HTTP port, the other on the HTTPS port.

Community
Anthony O.