7

I'm trying to force SSL (https) on an SVN repository served by mod_dav_svn. Here's what I have:

<Location /svn/projectname>
  DAV svn
  SVNPath /var/repo/projectname
  Require valid-user
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /etc/svn-auth-projectname

  #here's what I tried (didn't work)
  SSLCipherSuite HIGH:MEDIUM
</Location>

However, I don't get redirected to https when I log in via http; it stays in http. Why doesn't the above work? How do I get this https redirect to work?

I've seen suggestions about using mod_rewrite, e.g.:

# /dir/.htaccess
RewriteEngine on
RewriteCond %{SERVER_PORT} !443
RewriteRule ^(.*)$ https://www.x.com/dir/$1 [R,L] 

However, I don't understand exactly what this does, so I'm afraid to use it. Plus, it looks more like an ugly hack than the correct solution.

Joey Adams
  • You cannot do the redirect and the authentication in the same virtualhost. Any attempt to do so will cause the authentication to happen in HTTP, before the redirection to HTTPS! That is NOT good! You have to do them in separate virtualhosts. Redirect in an HTTP vhost and authentication in an HTTPS vhost. – anthony Jan 24 '18 at 06:40

8 Answers

9

It's not a hack. Here's a quick breakdown for you:

# Turn on Rewriting
RewriteEngine on 

# Apply this rule If request does not arrive on port 443
RewriteCond %{SERVER_PORT} !443 

# RegEx to capture request, URL to send it to (tacking on the captured text, stored in $1), Redirect it, and Oh, I'm the last rule.
RewriteRule ^(.*)$ https://www.x.com/dir/$1 [R,L]
Chris S
xentek
8

We use a slightly different, but mostly equivalent syntax. Rather than checking the port the request was received on, we check that HTTPS isn't being used. And we use the %{HTTP_HOST} environment variable rather than hardcoding the host name.

  RewriteEngine              On
  RewriteCond     %{HTTPS}   off
  RewriteRule     .*         https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

I like this approach a little better, because it works when Apache is listening on non-standard ports. There could be a problem with using %{HTTP_HOST} if your site is behind a proxy, but we haven't tried that yet.

Michael
  • 1
    I think the %{HTTPS} thing is only available in Apache 2.x or something like that, hence the relative prevalence of checking the port in examples found on the net. This is a better way, as you pointed out. – Chris S Feb 24 '11 at 19:24
4

Try

 <Location />
    SSLRequireSSL
 </Location>
davykiash
2

We define everything with name Virtual hosts. Then, if you are within a <Virtualhost *:80> definition, you don't have to check if it is not port 443, you already know it's not. You can then just force everything that hits 80 over to 443 with a rule like:

RewriteEngine On
RewriteRule ^/?(.*)$ https://www.yourdomain.com/$1 [R,L]
Alex
  • Totally agree on the vhosts approach. I find this works and saves firing up the rewrite engine: `RedirectMatch 301 (.*) https://%{HTTP_HOST}$1` – Synchro May 05 '11 at 15:13
  • `RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R]` – drafael Nov 21 '11 at 14:09
2

In addition to the already mentioned redirect, you might want to add the SSLRequireSSL directive to your Location container, which will deny access if you do not use an HTTPS connection. However, the solution with a VirtualHost for your SVN site which only listens on *:443 is more elegant.

joschi
  • If we are talking about security, we want to use a protocol, not use a specific port: this is secured by the firewall... – MUY Belgium Feb 28 '20 at 10:29
1

Assuming Apache 2:

You've done everything except actually enable SSL by the looks of things. Use the "SSLEngine", "SSLCertificateFile", and "SSLCertificateKeyFile" commands, as described here:

http://www.debianhelp.co.uk/apacheinstall.htm

You'll need to generate and/or buy the PKI files (SSL certificate and related private key file) for the SSLCertificate*File commands.

# /dir/.htaccess
1. RewriteEngine on
2. RewriteCond %{SERVER_PORT} !443
3. RewriteRule ^(.*)$ https://www.x.com/dir/$1 [R,L]

This says:

  1. Enable URL redirection and rewriting support
  2. For all connections that don't come through port 443 (in other words, all non-SSL connections)
  3. Redirect them to the same page under https://www.x.com/dir/. So if they ask for http://www.x.com/y, they'll be redirected to x under the SSL server's dir: https://www.x.com/dir/x

If your site supports SSL now, and you're just trying to force SSL on the svn subdirectory, you might try something like:

1. RewriteEngine on
2. RewriteCond %{SERVER_PORT} !443
3. RewriteRule ^/svn/(.*)$ https://www.x.com/svn/$1 [R,L]

Which would do the same as above, but only for stuff under the subversion directory.

Lee B
0

Use SSLRequireSSL in Location block

shved
0

What you want to do is to force a redirect to https for regular web connections. The rewrite rules seem to accomplish that. That is not an ugly hack but rather the correct way to do it. Your present configuration does not force a redirect.

sybreon
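The separate-vhost layout that the first comment and several answers above point to, written out as an added example (not any poster's configuration): the port 80 vhost only redirects, and the repository, its Basic authentication and SSLRequireSSL exist only in the port 443 vhost. The host name svn.example.com and the certificate paths are placeholder assumptions.

```apache
# Constructed example. svn.example.com and the certificate/key paths are
# placeholders; the repository paths are the ones from the question.

# Port 80: no DAV and no authentication here. This vhost only redirects,
# so the server never issues a Basic auth challenge over cleartext HTTP.
<VirtualHost *:80>
    ServerName svn.example.com
    # mod_alias prefix redirect: the rest of the requested path is appended.
    Redirect permanent / https://svn.example.com/
</VirtualHost>

# Port 443: TLS is enabled here, and the repository is defined only here.
<VirtualHost *:443>
    ServerName svn.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/svn.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/svn.example.com.key

    # Value from the question. SSLCipherSuite only selects ciphers for
    # connections that are already TLS; it neither enables nor enforces HTTPS.
    SSLCipherSuite HIGH:MEDIUM

    <Location /svn/projectname>
        DAV svn
        SVNPath /var/repo/projectname

        # Deny any request to this location that did not arrive over HTTPS.
        SSLRequireSSL

        AuthType Basic
        AuthName "Subversion repository"
        AuthUserFile /etc/svn-auth-projectname
        Require valid-user
    </Location>
</VirtualHost>
```

With this split, an http:// request to /svn/projectname gets a 301 and no 401 challenge, so the server never asks for the password on the unencrypted connection.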