1

I want to force https and basic auth for server-status output (mod_status). If I enable auth and user asks for http://site/server-status apache first asks for pass, then redirects to httpS, then asks for pass again.

This question is similar to Apache - Redirect to https before AUTH and force https with apache before .htpasswd but I cannot get it work because we are speaking not about generic folder but Location structure.

My config (shortly) is as follows:

<Location /server-status>
    SSLRequireSSL
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteBase /server-status
        RewriteCond %{HTTPS} off
                RewriteCond %{SERVER_PORT} 80
                RewriteRule ^ - [E=nossl]
                RewriteRule (.*) https://site/server-status} [R=301,L]
    </IfModule>

    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from localhost ip6-localhost
    Allow from 1.2.3.0/24

    Allow from env=nossl

    AuthUserFile /etc/httpd/status-htpasswd
    AuthName "Password protected"
    AuthType Basic
    Require valid-user

    Satisfy any
</Location>

I assume Allow from env=nossl should allow everyone with RewriteCond %{HTTPS} off and server port 80, then force it to redirect but it does not work.

Please note, I do not want force to SSL the whole site but /server-status only. If it matters the server has several sites.

What am I doing wrong? Thank you.

Community
  • 1
Putnik
  • 2,095
  • 3
  • 23
  • 40

2 Answers2

1

Is there a way you can separate HTTP and HTTPS into two virtual hosts? You can put the Auth on only the HTTPS and have the HTTP redirect to HTTPS. The full configuration would look something like this.

<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
Redirect / https://example.com/
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
.
.
.
</VirtualHost>
</IfModule>
Felix Jen
  • 403
  • 4
  • 17
0

I didn't have much luck getting RewriteCond %{HTTPS} off working - instead, what worked for me was 

RewriteCond    %{SERVER_PORT}   !443

Another suggestion (from this question) would be to move the Auth lines into a <VirtualHost *:443> section.

Community
  • 1
chris
  • 3,933
  • 6
  • 26
  • 35