I have an Apache in frontend that should redirect a request via a RewriteRule.
I have to put a basic authentication before the request is redirected, so I put this in the config file:
<VirtualHost *:443>
    ServerAdmin xxxxxx
    DocumentRoot /var/www/html/
    ServerName xxxxxxx
    RewriteEngine on
    ErrorLog logs/error.log
    CustomLog logs/access_log common
    <Directory /var/www/html/>
        AuthType Basic
        AuthName "Restricted Files"
        AuthUserFile /etc/httpd/conf/tag.pwd
        Require valid-user
        RewriteRule ^/(.*) http://xxxxxx:xxx/$1 [P,L]
    </Directory>
</VirtualHost>
But it doesn't work.
Any suggestions?
UPDATE: I would expect that all requests after authentication would be redirected with the rule RewriteRule ^/(.*) xxxxxx:xxx/$1 [P,L] but this doesn't happen. Apache searches for the page under /var/www/html
The Apache web server allows for per-directory configuration through the use of .htaccess files. Users can password protect directories using the built-in Basic Authentication mechanism.
It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl. Apache supports one other authentication method: AuthType Digest.
In general, Apache does the rewrite phase before the authorization phase, which is why your code performs the rewrite without ever asking the user to authenticate.
You can get around this with the LA-U:REMOTE_USER variable. Preface your RewriteRule with a condition which looks ahead ("LA") to the authorization phase:
RewriteCond %{LA-U:REMOTE_USER} !^$
RewriteRule ^/(.*) http://xxxxxx:xxx/$1 [L]
See notes about this in http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritecond
As other posters point out, it's also better to take the RewriteRule directives out of the <Directory> block so they are more reliable.
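The answer's two changes applied to the question's virtual host, as an added example that is not part of the original posts: the rule moves out of <Directory> to server level and is gated by the look-ahead condition. The ServerName and backend URL are placeholder assumptions, and the [P] flag is kept from the question.

```apache
# Added example. www.example.test and backend.example.test:8080 are placeholders.
<VirtualHost *:443>
    ServerName www.example.test
    DocumentRoot /var/www/html/
    ErrorLog logs/error.log
    CustomLog logs/access_log common
    # Assumption: the TLS directives for this vhost are configured elsewhere.
    # Basic credentials are only base64-encoded, so they must not travel in clear.

    # Authentication stays attached to the filesystem path. A request that is
    # not rewritten maps here and receives the 401 challenge.
    <Directory /var/www/html/>
        AuthType Basic
        AuthName "Restricted Files"
        AuthUserFile /etc/httpd/conf/tag.pwd
        Require valid-user
    </Directory>

    RewriteEngine on
    # In per-server context mod_rewrite runs during URL translation, before the
    # authentication phases, so REMOTE_USER is still empty at this point.
    # LA-U performs an internal sub-request to learn the value it will have.
    RewriteCond %{LA-U:REMOTE_USER} !^$
    # Only requests with valid credentials reach this rule.
    # [P] hands the request to mod_proxy (mod_proxy and mod_proxy_http loaded).
    RewriteRule ^/(.*) http://backend.example.test:8080/$1 [P,L]
</VirtualHost>
```

A request without valid credentials fails the condition, falls through to the DocumentRoot and is challenged there. The proxied request still carries the client's Authorization header to the backend unless it is removed.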