mod_rewrite, forcing SSL, and authentication: two problems

         

Reynaldo Moon

6:11 pm on Mar 21, 2005 (gmt 0)

10+ Year Member



I am trying to use mod_rewrite to force http requests to URLs within a certain directory (/secure) to redirect to the same URL using https. I modified some code I found in this thread [webmasterworld.com], but I'm still having two problems.

Here is the code I came up with (this is within a <Directory> block in httpd.conf):


RewriteEngine on
RewriteCond %{SERVER_PORT} !443$
RewriteRule ^(.*) https://domain.com/secure/$1 [R,L]

PROBLEM #1: This works almost correctly, redirecting [domain.com...] to [domain.com...], [domain.com...] to [domain.com...], etc. However, [domain.com...] (no trailing /) gets redirected to [domain.com...] (!). (This is the actual path of the directory on the Apache server.) I don't understand this at all. Why is this happening, and what's the right way to fix it? I have it working for now by adding this below the RewriteEngine line:
RewriteCond %{SERVER_PORT} !443$
RewriteRule ^/var/www/html/secure$ https://domain.com/secure/ [R,L]

... but this, obviously, is an ugly kludge and there must be a better way.

PROBLEM #2: I want access control on this directory, so I added basic authentication to the <Directory> block in httpd.conf. However, if a user requests [domain.com...] they are prompted for authentication, then redirected to [domain.com...] then prompted for authentication again. Not only is this annoying from a user perspective, but it is a security issue because the first set of authentication credentials is passed outside of SSL (in plain text). Is there any way to only perform authentication once the SSL redirect has taken place?

sitz

2:21 am on Mar 25, 2005 (gmt 0)

10+ Year Member



My first suggestion would be to ensure that your port 80 and port 443 instances are separate <VirtualHost> blocks. You can then issue a redirect (using the 'Redirect' directive, most likely) to direct /secure to [example.com...] (note the lack of any trailing slashes).
Then configure authentication in just the SSL <VirtualHost> (in a <Location /secure> container).

Reynaldo Moon

7:38 pm on Mar 30, 2005 (gmt 0)

10+ Year Member



Is it possible for the two <VirtualHost> blocks to have the same fully qualified domain name, one for normal http and one for SSL?

I don't want a "main" domain name and a "secure" domain name - I'm really just trying to set up a single always-SSL domain name like "https://clientzone.example.com" and tell everyone who has access to that server to go to that URL - only problem being, you KNOW some users will forget the https, so I wanted to see if it was possible to redirect them without their having to remember it, AND have each user's directory protected with Apache's Basic Authentication. Maybe this isn't actually possible, though.

I suppose I could get around the problem by creating my own cgi-based authentication system or something instead of using Apache's, but that would take a long time to really do right.

sitz

10:17 pm on Mar 30, 2005 (gmt 0)

10+ Year Member



Is it possible for the two <VirtualHost> blocks to have the same fully qualified domain name, one for normal http and one for SSL?

Yes, this can be done. You define two 'NameVirtualHost' directives:


NameVirtualHost 192.168.1.1:80
NameVirtualHost 192.168.1.1:443

<VirtualHost 192.168.1.1:80>
ServerName clientsite.example.com
RedirectPermanent / https://clientsite.example.com/
</VirtualHost>

<VirtualHost 192.168.1.1:443>
ServerName clientsite.example.com
# (other SSL directives here)
</VirtualHost>
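
The layout suggested in the replies above, written out as one configuration: the port 80 virtual host only redirects, and Basic authentication is declared only inside the SSL virtual host. This is an added example, not configuration posted by either participant; the certificate and password-file paths and the realm name are placeholders, and DocumentRoot is assumed from the /var/www/html path mentioned in the first post.

```apache
# Added example. Paths under /path/to/ and the realm name are placeholders.
# NameVirtualHost is needed on Apache 2.0/2.2; on 2.4 it has no effect.
NameVirtualHost 192.168.1.1:80
NameVirtualHost 192.168.1.1:443

# Cleartext virtual host: it contains no Auth* directives, so it never
# sends a 401 challenge and the browser never submits a password over
# plain HTTP. It only redirects.
<VirtualHost 192.168.1.1:80>
    ServerName clientsite.example.com
    # Redirect matches the URL-path (not the filesystem path) and appends
    # whatever follows the matched prefix, so /secure and /secure/ both
    # land on the same location under https://.
    Redirect permanent / https://clientsite.example.com/
</VirtualHost>

# SSL virtual host: the only place authentication is configured.
<VirtualHost 192.168.1.1:443>
    ServerName clientsite.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    <Location /secure>
        AuthType Basic
        AuthName "Client Zone"
        AuthUserFile /path/to/htpasswd
        Require valid-user
    </Location>
</VirtualHost>

# If Auth* directives still sit in a server-wide <Directory> block, move
# them into the <Location> above: sections in the main server config are
# inherited by both virtual hosts.
```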