This article demonstrates how to force a browser from “http” to “https” before sending credentials across the Internet.
Put the following into your “.htaccess” file. It will first force the connection to “https” and then prompt for the credentials. Notice the commented-out “<If>” block: “<If>” sections only work on Apache version 2.3 and later. Test it for yourself. Check the logs as you test it to ensure the password is sent (not necessarily asked for) over HTTPS.
    # Force from HTTP to HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    RewriteCond %{HTTP_HOST} !^www\.
    RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Secure this /secured section
    #<If "%{HTTPS} == 'on'">
    AuthUserFile /etc/httpd/website1.password
    AuthName "Secured by AGIX"
    AuthType Basic
    require valid-user
    #</If>
See related information here “http://www.agix.com.au/secure-your-web-site-with-a-htaccess-file/”.
Reference “http://stackoverflow.com/questions/13977851/htaccess-redirect-to-https-www”.
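One way to do the log check described above, added here as an example and not part of the original article. It assumes the access log uses a custom format that appends the local port (“%{local}p”), and the log lines inside it are constructed samples.

```python
import re

# Assumed custom log format (not from the original article):
#   LogFormat "%h %l %u %t \"%r\" %>s %b %{local}p" authcheck
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ (?P<port>\d+)$'
)

# Constructed sample: the first client is redirected before any challenge,
# the second is challenged and then authenticates on port 80.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /secured/ HTTP/1.1" 301 245 80
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /secured/ HTTP/1.1" 401 381 443
203.0.113.5 - alice [10/Oct/2023:13:55:41 +0000] "GET /secured/ HTTP/1.1" 200 1024 443
203.0.113.9 - - [10/Oct/2023:14:02:10 +0000] "GET /secured/ HTTP/1.1" 401 381 80
203.0.113.9 - bob [10/Oct/2023:14:02:15 +0000] "GET /secured/ HTTP/1.1" 301 245 80
"""


def audit(log_text, http_ports=(80,)):
    """Return (line number, finding, detail) for auth activity on plain HTTP."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m or int(m["port"]) not in http_ports:
            continue  # unparsable line, or request arrived on the TLS port
        if m["user"] != "-":
            # %u is filled in whenever an Authorization header was presented,
            # even if the final status is 301 or 401, so the password has
            # already crossed the wire in cleartext.
            findings.append((lineno, "credentials-over-http", m["user"]))
        elif m["status"] == "401":
            # The server asked for a password before redirecting to HTTPS.
            findings.append((lineno, "challenge-over-http", m["request"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

An empty result after requesting the protected URL over plain “http” means every challenge and every credential was seen only on the HTTPS port.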
I would love to try this, on a shared hosting DreamHost server but it’s still running 2.2.31. Apparently in the “near future”, DreamHost will upgrade to 2.4 (https://help.dreamhost.com/hc/en-us/articles/217214317-Apache-HTTP-Server). I’ve used the method:
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq …
ErrorDocument 403 https://…
paired with basic auth, but it’s never worked as clean as preferred. Yes, it ensures credentials aren’t sent in the clear, but if I had attempted to access a valid URI/URL like http://example.com/some-request-uri or https://example.com/some-request-uri, after authenticating, I end up at the ErrorDocument destination. After authenticating, I can navigate to the original destination. Seems to be a limitation of the SSLOptions +StrictRequire method of forcing SSL, and if I understand correctly, the method you describe overcomes this.
Squirreled-away your .htaccess lines for future use. 🙂
Thanks for sharing!