Force to HTTPS for Basic Authentication | Apache & .htaccess

This article demonstrates how to force a browser from “http” to “https” before sending credentials across the Internet.

Put the following into your “.htaccess” file. It will first force the connection to “https” and then it will prompt for the credentials. Notice the commented-out IF statement. IF statements only work on and after Apache version 2.3. Test it for yourself. Check the logs as you test it to ensure the password is sent (not necessarily asked for) over HTTPS.

# Force from HTTP to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

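# Secure this /secured section
# On Apache versions that support <If>, uncomment the <If> wrapper below so that
# credentials are only requested once the connection is already HTTPS.
#<If "%{HTTPS} == 'on'">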
 AuthUserFile /etc/httpd/website1.password
 AuthName "Secured by AGIX"
 AuthType Basic
 require valid-user
#</If>
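
The log check recommended above can be scripted. The following is an added example, not part of the original article: it flags any request to the protected path where a 401 challenge was issued, or a user was authenticated, on the plain-HTTP port. It assumes a custom access-log format that appends the local port (shown in the comment), and the sample log lines are constructed.

```python
import re

# Assumed log format (not from the article), set in the server config:
#   LogFormat "%h %l %u %t \"%r\" %>s %b %{local}p" authcheck
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ (?P<port>\d+)$'
)
PLAINTEXT_PORT = "80"  # assumption: HTTP on 80, HTTPS on 443

def find_plaintext_auth(lines, protected_prefix="/secured"):
    """Return (line_no, reason) for requests that exposed Basic auth over HTTP."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m or m["port"] != PLAINTEXT_PORT:
            continue  # unparsable line, or request arrived over HTTPS
        parts = m["request"].split()
        path = parts[1] if len(parts) >= 2 else ""
        if not path.startswith(protected_prefix):
            continue
        if m["status"] == "401":
            # The browser will answer this challenge on the same HTTP connection.
            findings.append((no, "401 challenge issued over HTTP"))
        elif m["user"] != "-":
            # %u is set, so credentials were received and accepted in cleartext.
            findings.append((no, f"user {m['user']!r} authenticated over HTTP"))
    return findings

# Constructed sample: lines 1-3 are the intended flow (redirect, then prompt
# over HTTPS); lines 4-5 show the prompt happening before the redirect.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /secured/ HTTP/1.1" 301 240 80',
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /secured/ HTTP/1.1" 401 381 443',
    '203.0.113.7 - alice [10/Oct/2024:13:55:41 +0000] "GET /secured/ HTTP/1.1" 200 1024 443',
    '198.51.100.9 - - [10/Oct/2024:14:02:10 +0000] "GET /secured/ HTTP/1.1" 401 381 80',
    '198.51.100.9 - alice [10/Oct/2024:14:02:15 +0000] "GET /secured/ HTTP/1.1" 301 240 80',
]

if __name__ == "__main__":
    for line_no, reason in find_plaintext_auth(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

A clean test run shows only 301 responses with no user name on port 80; any finding means the password prompt is reaching the browser before the redirect.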

See related information here “https://agix.com.au/secure-your-web-site-with-a-htaccess-file/”.

Reference “http://stackoverflow.com/questions/13977851/htaccess-redirect-to-https-www”.
