In an Apache 2 vhost I have the following configuration (in my case, in .htaccess of the document root, which is for simplicity the same for http:80 and https:443):
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
in order to redirect any http-connections to https. Moreover,
ErrorDocument 500 /error.php
ErrorDocument 404 /error.php
ErrorDocument 403 /error.php
ErrorDocument 402 /error.php
ErrorDocument 401 /error.php
to produce custom error messages. The third ingredient is a protected subfolder with authentication required (per .htaccess in that folder):
AuthType Basic
AuthName "Test"
AuthUserFile /some/path/to/passwords
Require user joe
Everything works fine except when someone tries to retrieve http://example.com/protectedfolder
In fact, what happens is that the client gets a 302 Found reply with redirection to https://example.com/error.php
On the other hand,
- https://example.com/protectedfolder leads to a custom (i.e., produced by error.php) 401 as expected.
- http://example.com/publicfolder leads to 302 redirect to https://example.com/publicfolder, then a 301 permanent redirect to https://example.com/publicfolder/, and finally (as DirectoryIndex is disabled) a customized 403 error. As expected.
- Also, http://example.com/nonexistent causes a 302 to https://example.com/nonexistent and then a customized 404, also as expected.
- If I disable the ErrorDocument 401 configuration, a query for http://example.com/protectedfolder causes 401 immediately, i.e., without redirection to https.
There is no specific entry in Apache error.log, but it seems that the problem occurs because the Auth requirement is evaluated before the Rewrite, thus invokes the ErrorDocument, and that is wrongly still http?
What do I need to change in order to have the desired effect, i.e., that http://example.com/protectedfolder causes a redirect to https://example.com/protectedfolder and only that redirected URL causes a (customized) 401?
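
A regression check for the redirect behaviour described in the question, as an added example that is not part of the original post: it walks a recorded chain of (status, Location) responses and flags an http-to-https upgrade that changes the URL, or a 401 challenge served over plain http. The function name `audit_chain` and the hop chains are constructed here from the observations listed above.

```python
from urllib.parse import urlsplit, urljoin

REDIRECTS = {301, 302, 303, 307, 308}

def audit_chain(start_url, hops):
    """Walk a recorded redirect chain and report HTTPS-upgrade problems.

    hops: [(status, location_or_None), ...], one entry per response,
    the first entry being the response to start_url.
    """
    findings = []
    url = start_url
    for status, location in hops:
        cur = urlsplit(url)
        if cur.scheme == "http":
            if status == 401:
                # Basic auth challenge in cleartext: the browser would send
                # the credentials over http when it retries the request.
                findings.append(f"401 challenge over plain http: {url}")
            elif status in REDIRECTS and location:
                tgt = urlsplit(urljoin(url, location))
                same = (tgt.hostname, tgt.path, tgt.query) == \
                       (cur.hostname, cur.path, cur.query)
                if tgt.scheme != "https":
                    findings.append(f"redirect stays on http: {url}")
                elif not same:
                    findings.append(f"upgrade changes URL: {url} -> {location}")
            else:
                findings.append(f"no https upgrade ({status}): {url}")
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)
    return findings

# Constructed chains, transcribed from the behaviour described in the post.
OBSERVED = {
    "http://example.com/protectedfolder": [(302, "https://example.com/error.php")],
    "https://example.com/protectedfolder": [(401, None)],
    "http://example.com/publicfolder": [(302, "https://example.com/publicfolder"),
                                        (301, "https://example.com/publicfolder/"),
                                        (403, None)],
    "http://example.com/nonexistent": [(302, "https://example.com/nonexistent"),
                                       (404, None)],
}
WITHOUT_ERRORDOC_401 = [(401, None)]  # same request, ErrorDocument 401 disabled
DESIRED = [(302, "https://example.com/protectedfolder"), (401, None)]

if __name__ == "__main__":
    for u, chain in OBSERVED.items():
        print(u, audit_chain(u, chain) or "ok")
```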