How do I force .htaccess authorization to occur over ssl?

Question

I'm trying to force a particular directory to require only allowed IPs and a valid username/password through basic authorization. To ensure that the username/password are sent in encrypted form, I want the directory to also force SSL use. Here is what I have in my .htaccess file:

# Force HTTPS-Connection
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*)  https://www.mywebsite.com%{REQUEST_URI} [R,L]

## password begin ##
AuthName     "Restricted Access"
AuthUserFile /var/www/admin/.htpasswd
AuthType     Basic
Require valid-user
Order deny,allow
Deny from all
Allow from 79.1.231.151 62.123.134.83
Satisfy All

Unfortunately, when I access that directory using http protocol, it is asking for the password before it redirects the page to the secure version. This means the password is sent unencrypted. What am I doing wrong? Is there a way to do this?

Answer 1

Try putting SSLRequireSSL in your .htaccess file or the global Apache httpd configuration.

Answer 2

Rewrites and redirects are handled after autorisation. However: aliases in your httpd.conf are addressed first.

So what I did to get my http ://servername/webmail to https://webmail.servername was to put it in the httpd.conf like this:

<IfModule alias_module>
   Redirect permanent /webmail https://webmail.servername
</IfModule>

The basic autorisation can stay in your .htaccess and will be executed just once AFTER the redirect was executed...

Answer 3

If you have access to the Apache config, add the authentication stanza to the VirtualHost that has SSL enabled. Then the redirect will always happen first.

Also, using mod_rewrite to perform a simple redirect is a bit of overkill. Use the Redirect directive instead. It's possible this may even fix your problem, as I believe mod_rewrite rules are some of the last directives to be processed, just before the file is actually grabbed from the filesystem.