1

Is there a way to redirect to SSL before requiring authentication? This is my current .htaccess file. The problem is that if you go to the non-SSL site, it will prompt for login, rewrite to https, then prompt again for login.

How can I eliminate the first login and just rewrite first? I'm using Apache 2.2.29.

I tried what is mentioned in this post without success: Apache .htaccess redirect to HTTPS before asking for user authentication

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

AuthUserFile /path_to_passwords/.htpasswd
AuthName "Authorized personnel only."
AuthType Basic
Require valid-user
Community
  • 1
  • 1
Andy B
  • 205
  • 4
  • 9
  • Thanks Jon Lin - I tried adding the lines using the variable "IS_NON_SSL" as shown in the top answer, however I was still prompted twice for login. There is a comment from Alagappan that might explain why: SERVER_PORT is not an option available in SetEnvIf directive as per the documentation at httpd.apache.org/docs/2.2/mod./mod_setenvif.html#setenvif – Ramu Mar 20 '14 at 19:18 – Andy B May 22 '15 at 15:01

1 Answers1

2

Uh... how did the answer in that question that you linked to not work?

SetEnvIf %{SERVER_PORT} ^80$ IS_NON_SSL

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

AuthUserFile /path_to_passwords/.htpasswd
AuthName "Authorized personnel only."
AuthType Basic
require valid-user
Satisfy Any
Allow from env=IS_NON_SSL

The right way to do this, of course, is to have a completely separate document root setup for non-SSL, and have a single htaccess file there to redirect everything to HTTPS.

Community
  • 1
  • 1
Jon Lin
  • 142,182
  • 29
  • 220
  • 220