
I am attempting, as many people on the internet have done successfully, to force HTTPS on my website, but before the Basic Authentication dialogue window appears. I have attempted the two main ways of doing this, including the "FilesMatch" solution and the "ErrorDocument" solution. The former resulted in an Internal Server Error and the latter caused a redirect loop issue. Here is what I have so far (trying to get the ErrorDocument solution to work):

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

SSLRequireSSL 
ErrorDocument 403 https://website.com/private/https.php

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /srv/users/serverpilot/apps/intranet/public/.htpasswd
Require valid-user

The https.php file is simply:

<?php
header("LOCATION: /");
exit();

My server is running Apache 2.2 and the redirect works after you've authenticated. What am I doing wrong?

Colin

2 Answers

3

Your http redirect should be set up on your port 80 virtual host, whilst your authentication configuration should only be added to your port 443 virtual host.

For example:

<VirtualHost *:80>
   ServerName www.server.com
   DocumentRoot /var/www/site

   <Directory /var/www/site>
      RewriteEngine On
      RewriteCond %{HTTPS} !=on
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
   </Directory>
</VirtualHost>

<VirtualHost *:443>
   ServerName www.server.com
   DocumentRoot /var/www/site

   <Directory /var/www/site>
      Options FollowSymLinks MultiViews
      AllowOverride none
      Require all granted
   </Directory>

   <Location />
      AuthType Basic
      AuthName "Password Protected Area"
      AuthUserFile /srv/users/serverpilot/apps/intranet/public/.htpasswd
      Require valid-user
   </Location>
</VirtualHost>

Actually, having thought about it, because we know that all port 80 (non-https) accesses are to be redirected, we can simply do that more directly like this:

<VirtualHost *:80>
   ServerName www.server.com
   RedirectPermanent / https://www.server.com
</VirtualHost>

Then just use the port 443 virtual host as above.

To achieve something similar using only .htaccess settings this works:

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.server.com"

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /var/www/site/.htpasswd
Require valid-user

ErrorDocument 403 https://www.server.com/
ErrorDocument 404 https://www.server.com/

The major downside to this is that you'll always be redirected to the home page (or wherever your ErrorDocument directives point to). The Apache website mentions (see here) that you can use a script as your ErrorDocument and that it is passed the original request URI, although when I tried this on Apache 2.4 it didn't seem to work that way.

Also, any settings in the main VirtualHost configuration might mess with this approach. Unfortunately .htaccess is quite restricted in comparison to the main server configuration.

The only other thing I can suggest is that if you don't need the whole site to be secured, you could set up your authorisation directives in another .htaccess file in a sub-directory.

Check out this site for some really good information on using .htaccess files.

Alan Horrocks
  • Added an example as requested – Alan Horrocks Feb 11 '16 at 23:28
  • Thanks for the response, Alan! However, I'd really prefer a solution through htaccess as I'm not sure I even have control over my virtual hosts.... Is there a way to do this through htaccess? – Colin Feb 12 '16 at 14:08
  • Added more info on a .htaccess solution as requested – Alan Horrocks Feb 13 '16 at 15:30
  • Thanks for the htaccess update! I tried adding it, but now I'm getting a redirect loop error again :( Any ideas? – Colin Feb 13 '16 at 20:20
  • Hmm... that worked for me. Did you just add the .htaccess from my answer or do you still have your rewrite directives in there? – Alan Horrocks Feb 13 '16 at 23:34
  • No rewrite directives! Just the .htaccess portion of your answer. – Colin Feb 16 '16 at 01:05
  • You also don't need to use your php script as the target of the 403/404 directives, just set them to the home page location. If that still doesn't work for you it may be that there's something in the main server configuration that's interfering with your .htaccess settings. – Alan Horrocks Feb 16 '16 at 12:29
  • Yeah, I wasn't using the php script with the 403/404 directives. Is there something I can check to see what server configuration might be causing the issue? – Colin Feb 17 '16 at 17:24
  • Is the SSL termination done in Apache or in a load-balancer in front of it? If it's a load-balancer, it can lead to this redirect loop behaviour. See [http://stackoverflow.com/questions/18328601](http://stackoverflow.com/questions/18328601) for information on this. – Alan Horrocks Feb 17 '16 at 20:50
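As an added illustration (not code from the question or from either answer), the following Python model shows the evaluation order the answer above recommends: the HTTPS redirect belongs to the plain-HTTP side and runs first, and the Basic Auth challenge only exists once the request is on HTTPS, so the browser is never asked for credentials over cleartext. It also models the load-balancer case raised in the comments: when TLS is terminated in front of Apache, the backend never sees %{HTTPS} as "on", so the rewrite rule redirects forever unless the proxy's X-Forwarded-Proto header is consulted. The Request/Response classes, the USERS table, the hostnames and the handler names are all constructed for this example.

```python
import hmac
from base64 import b64decode, b64encode
from dataclasses import dataclass, field


@dataclass
class Request:
    scheme: str                      # "http"/"https" as Apache itself sees the connection
    host: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


# Constructed stand-in for the .htpasswd file (a real file holds password hashes).
USERS = {"colin": "correct horse"}


def is_https(req, trust_forwarded_proto=False):
    """Model of `RewriteCond %{HTTPS} !=on`. With TLS terminated on a load
    balancer, Apache sees plain HTTP on every hop, so %{HTTPS} is never "on";
    the only evidence of HTTPS is the X-Forwarded-Proto header the balancer adds."""
    if req.scheme == "https":
        return True
    forwarded = req.headers.get("X-Forwarded-Proto", "").lower()
    return trust_forwarded_proto and forwarded == "https"


def redirect_to_https(req):
    """Model of `RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]`."""
    return Response(301, {"Location": f"https://{req.host}{req.path}"})


def basic_auth(req):
    """Model of `AuthType Basic` + `Require valid-user`: answer 401 with a
    challenge unless the Authorization header carries a known user:password."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, password = b64decode(auth[6:]).decode().partition(":")
        except ValueError:
            user, password = "", ""
        expected = USERS.get(user, "")
        if expected and hmac.compare_digest(expected, password):
            return None                  # authenticated: fall through to the content
    return Response(401, {"WWW-Authenticate": 'Basic realm="Password Protected Area"'})


def handle(req, trust_forwarded_proto=False):
    """Recommended order: redirect cleartext requests before any auth directive
    is evaluated; the challenge is only ever sent on an HTTPS request."""
    if not is_https(req, trust_forwarded_proto):
        return redirect_to_https(req)
    return basic_auth(req) or Response(200)


def handle_auth_first(req):
    """The ordering the question is trying to avoid: auth runs before the scheme
    check, so a cleartext request gets the 401 challenge and the browser then
    sends Basic credentials over plain HTTP."""
    authed = basic_auth(req)
    if authed is not None:
        return authed
    return redirect_to_https(req) if req.scheme != "https" else Response(200)


def behind_load_balancer(handler, path, host="www.server.com", max_hops=5):
    """Simulate a client following redirects through a TLS-terminating balancer:
    every hop reaches Apache as plain HTTP, carrying only X-Forwarded-Proto to
    say how the client connected. Returns the final status, or "loop" if the
    redirect never resolves within max_hops."""
    client_scheme = "http"
    for _ in range(max_hops):
        req = Request("http", host, path, {"X-Forwarded-Proto": client_scheme})
        resp = handler(req)
        if resp.status != 301:
            return resp.status
        client_scheme = resp.headers["Location"].split(":", 1)[0]
    return "loop"


def auth_header(user, password):
    """Build the Authorization header a browser sends after the Basic challenge."""
    return "Basic " + b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    print(handle(Request("http", "www.server.com", "/private/")))      # 301, no challenge
    print(handle(Request("https", "www.server.com", "/private/")))     # 401 with challenge
    print(handle_auth_first(Request("http", "www.server.com", "/")))   # 401 over cleartext
    print(behind_load_balancer(handle, "/"))                           # "loop"
    print(behind_load_balancer(lambda r: handle(r, True), "/"))        # 401
```

The loop case is the one to check first when the .htaccess from the answer works for one person and loops for another: if the hosting provider terminates TLS in front of Apache, the same rewrite rule fires on every hop, and the fix is a condition on the proxy's forwarded-protocol header rather than on %{HTTPS}, trusting that header only when it is set by your own proxy.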
0

I do not know if you have since sorted the problem or whether this will help, but the following is what I use on a development machine to ensure https is used throughout the site I'm working on.

These two lines are in the .htaccess at the root level of the site - the configuration in the main httpd.conf is considerably more complex, but that just sets particular options for the ssl within the admin area and doesn't affect non-admin areas, so I know this works (whether it will for you I cannot say).

The admin area currently uses basic authentication after I did away with digest auth ~ though it all worked fine with that also.

I do not use an error document as you do above to redirect, as the lines below ensure https - hope it helps!

RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R,L]
Professor Abronsius