Apache .htaccess redirect to HTTPS before asking for user authentication

Question

This is my .htaccess:

RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}  AuthUserFile /etc/hi AuthName "hi" AuthType Basic require valid-user 

It asks for user authentication using http, meaning that password will be sent in plain text. It will than redirect to the https version and ask the password again.

How can i fix it?

Answer 1

If you're running Apache 2.4 you can use configuration sections to solve this quite easily.

Eg...

# Redirect to HTTPS RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]  # Authenticate users only when using HTTPS # Enable for <v2.4  # SSLRequireSSL  # ErrorDocument 403 /secure-folder/ # Enable for >v2.4 <If "%{HTTPS} == 'on'">     AuthType Basic     AuthName "Special things"     AuthUserFile /etc/blah.htpasswd     # Prevent this 'Require' directive from overriding any merged previously    <IfVersion >= 2.4>       AuthMerging And    </IfVersion>     Require valid-user # Enable for >v2.4 </If>