force https with apache before .htpasswd

Question

I have this in my .htaccess file

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.myweb.com/phpmyadmin$1 [R,L]

AuthUserFile /var/www/myweb/.htpasswd
AuthGroupFile /dev/null
AuthName "Sovereign Databases"
AuthType Basic

<Limit GET>
require valid-user
</Limit>

But everytime I go to http://www.myweb.com/phpmyadmin, the .htpasswd prompts me for a credentials BEFORE i'm redirected to https://www.myweb.com/phpmyadmin. After I type in my username and password, I get redirected to https://www.myweb.com/phpmyadmin. The problem is that I don't want anyone to submit their username and password unencrypted via http.

How do I force people to login via the https version even if they typed in the http version?

score 5 · Accepted Answer · answered May 28 '10 at 14:27

5

Move the Auth statements to a <VirtualHost *:443> block.

(Someone else might have a more elegant and better answer).

answered May 28 '10 at 14:27

Chris S

77,337
11
120
212

That's actually the most correct and elegant way to do it. – joschi May 29 '10 at 05:58
Do I have to have access to Apache config or can I use it in the .htaccess file ? – SkyHiRider Apr 14 '14 at 01:22
.htaccess applies to all VirtualHosts which access a directory, so no, it wouldn't work that way. – Chris S Apr 14 '14 at 01:45

force https with apache before .htpasswd

1 Answers1

Linked