I have a tricky variation on an old problem.

I have an apache based site that should generally be accessed via http/port 80. However for certain areas protected areas that require authentication (designated by .htaccess), I want to be able to redirect the user the https/port 443.

The key here is that I want this to always happen for basic auth - i.e. I don't want to have to recreate each htaccess file with a redirect directive. I only want to enforce this for basic authentication (other traffic should be unencrypted). The protected areas are scattered all over the site. Is it possible to somehow redirect all basic authentication requests to the SSL host?

Adrian Heine
  • 328
  • 4
  • 22
  • 193
  • 2
  • 9

3 Answers3


I don't think it is possible to automatically redirect HTTP requests with Basic Authentication to a certain location - at least not with Apache httpd alone.

But you can use the SSLRequireSSL directive inside a Location block to force the clients to use HTTPS, otherwise they'll get an error 403.

  • 20,747
  • 3
  • 46
  • 50

I finally figured out how this was being done on one of our servers (Ugly Hack alert).

We basically disallow .htaccess files in the stanza for the non-SSL (port 80) host. This generates a 500 error when it hits a .htaccess file.

We redirect all 500 errors to the SSL host where .htaccess files are allowed. "Real" 500 error messages will presumably fail on the SSL side as well, while the .htaccess related redirects are now functional on the SSL enabled side of things.

Yup - pretty ugly. I don't want to replicate this, but I figured I would pass this along.

  • 193
  • 2
  • 9

In an .htaccess file within the directory that is access with Basic Auth, put this :

ErrorDocument 403 /erreurs/403.php
ErrorDocument 401 /erreurs/401.php

This will redirect your visitors using http to the 401 or 403 errors pages.

In these page, put this :

if($_SERVER["HTTPS"] != "on")
header('HTTP/1.1 301 Moved Permanently');
header('Status: 301 Moved Permanently');
header('Cache-Control: max-age=31536000');
header('Content-Language: en');
header('Location: https://www.example.com/'.$path.'');
echo '<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"/><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="'.$path.'">here</a></p></body></html>';
else {
echo '<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"/><title>Forbidden</title></head><body><h1>Forbidden</h1><p>Forbidden</p></body></html>';
} ?>

The Basic Auth will be redirect to HTTPS.