I'm looking for an easy configuration to exclude a specific URL (pattern) from my apache2 HTTP to HTTPS redirect and have failed so far. Background is an API with typical authorization mechanics which should never be sent via plain HTTP, so I do not want to redirect but rather return a 403 or 404 if someone tries to access the API via plain HTTP. My current Virtual Host is a typical redirect for everything:

<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

What I want is to skip this redirect for URLs like http://example.com/api/(.*). Is it really necessary to omit the Redirect directive and build a rather complex mod_rewrite configuration for this simple task?

1 Answer

Okay, actually I figured out the following solution I might live with:

<VirtualHost *:80>
    ServerName example.com
    # Must come before the catch-all: Redirect directives are matched in
    # configuration order. Requests to /api and /api/... get a 410 Gone.
    Redirect gone /api
    # Everything else is sent to HTTPS.
    Redirect permanent / https://example.com/
</VirtualHost>

This seems to catch all requests to /api/(.*) first and returns a 410.

I would like to give some more background on why I do not want to return a simple 301 and why I think this is important. If someone calls a simple request module in his desired language with the HTTP URL, which follows the redirect, there is the potential risk that the user's credentials/authorizations get sent unencrypted over the internet for every request and nobody notices.

I'm not sure how other developers handle this, but does anyone agree that it is better to block HTTP access instead of redirecting for such credential-critical requests?
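A fuller version of the approach in the answer, written as an added example rather than the poster's own configuration: the HTTP virtual host refuses the API path with a 410 before the catch-all redirect, and the HTTPS virtual host adds an HSTS header so that browsers stop issuing plain-HTTP requests for the host at all. It assumes mod_alias, mod_ssl and mod_headers are enabled; the hostname is the page's example.com and the certificate paths are placeholders.

```apache
# Added example, not from the original post. Certificate paths are placeholders.

<VirtualHost *:80>
    ServerName example.com

    # mod_alias evaluates Redirect directives in configuration order and the
    # first match wins, so the narrow rule must precede the catch-all.
    # Matching is on whole path segments: /api and /api/anything receive
    # "410 Gone" with no Location header, while a path such as /apiary does
    # not match here and falls through to the redirect below.
    Redirect gone /api

    # Every other request is sent to HTTPS.
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # Placeholder paths; replace with the real certificate and key.
    SSLCertificateFile    /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # HSTS: browsers that have seen this header rewrite http:// to https://
    # locally for one year, so they never send the plain-HTTP request.
    # Scripted API clients generally ignore HSTS, which is why the 410 in
    # the port-80 host is still needed for /api.
    Header always set Strict-Transport-Security "max-age=31536000"

    # ... API and site configuration for HTTPS goes here ...
</VirtualHost>
```

After a reload, `curl -I http://example.com/api/anything` should report `410 Gone` without a `Location` header, while `curl -I http://example.com/other` reports `301` with a `Location` pointing at HTTPS. Note what the 410 does and does not protect: a client that already put credentials in its first plain-HTTP request has sent them in the clear once; the 410 makes that mistake fail loudly on every call instead of letting a redirect-following library keep leaking them silently, which is exactly the failure mode the poster describes.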