
strange 401 error appears for some urls when using .htaccess to redirect http to https

OK, here is the 7th day of unsuccessful attempts to find an answer why 401 error appears...

Now, .htaccess in the root folder contains the only 3 strings (was simplified) and there are NO more .htaccess files in the project:

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

So, it redirects all requests to be https. It works fine for any urls, even for /administration directory.

So,

http://mydomain.com

becomes

https://mydomain.com

If https://mydomain.com was entered, there are no redirections.

http://mydomain.com/administration/index.php

becomes

https://mydomain.com/administration/index.php

If https://mydomain.com/administration/index.php was entered, there are no redirections.

That's clear, and the problem is below.

I want /administration directory to be password protected. My Shared Hosting Control Panel allows to protect directories without manual creating of .htaccess and .htpasswd (you choose a directory to protect, create username and password, and .htaccess and .htpasswd are created automatically). So, .htaccess appears in the /administration folder. .htpasswd appears somewhere else, the path to .htpasswd is correct, and everything looks correct (it works the same way as to create it manually). So, there are 2 .htaccess files in the project, one in the root directory and one in the /administration directory (with .htpasswd at the directory .htaccess knows where it is).

Once the password is created, the results are:

You enter:

https://mydomain.com/administration/index.php

Then it asks to enter a password. If you enter it correctly, https://mydomain.com/administration/index.php is displayed. The result: works perfect.

But, if you enter http://mydomain.com/administration/index.php (yes, http, without S) then instead of redirecting to the same, but https page, it redirects to

https://mydomain.com/401.shtml (starts with httpS)

by unknown reason and even does NOT ask a password. Why?

I've contacted a customer support regarding this question and they are sure the problem is in .htaccess file, and they do not fix .htaccess files (that's clear, they do not, I don't mind).

Why does this happen? Did I forget to put some flags, or some options to change default settings in the .htaccess file?

P.S. Creating .htaccess and .htpasswd manually (not from hosting Control Panel) for the folder /administration causes the same 401 error in case if not https, but http was entered.

And the problem appears with URLs to /administration directory only.

Thank you.

Haradzieniec asked Feb 11 '12 09:02



1 Answer

Try using this instead. Note the L and R flags.

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Also clear your browser's cache first, to remove the old incorrect redirect.

If that doesn't work try using this.

RewriteEngine On
RewriteCond %{HTTPS} !on
# Capture the path from the original request line into %2
RewriteCond %{THE_REQUEST} ^(GET|HEAD)\ ([^\ ]+)
RewriteRule ^ https://%{HTTP_HOST}%2 [L,R=301]

I feel a bit bad about writing it, as it seems kind of hackish in my view.

EDIT Seems the 2nd option fixed the problem. So here is the explanation as to why it works.

The authentication module is executed before the rewrite module. Because the username and password is not sent when first requesting the page, the authentication module internally 'rewrites' the request url to the 401 page's url. After this mod_rewrite comes and %{THE_REQUEST} now contains 401.shtml instead of the original url. So the resulting redirect contains the 401.shtml, and not the url you want.

To get to the original (not 'rewritten') url, you need to extract it from %{THE_REQUEST}. THE_REQUEST is in the form [requestmethod] [url] HTTP[versionnumber]. The RewriteCond extracts just the middle part ([url]).

For completeness I added the [L,R=301] flags to the second solution.

Gerben answered Nov 05 '22 22:11
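
A small Python model of the two rule sets in this thread, added here as an illustration and not part of the original question or answer. It assumes, as the redirect observed in the question implies, that `%{REQUEST_URI}` already points at `/401.shtml` when the rewrite runs for an unauthenticated request, while the request line in `%{THE_REQUEST}` is still the one the browser sent; the function names and sample request lines are constructed.

```python
import re

# Second RewriteCond from the answer; "\ " in .htaccess is an escaped space.
THE_REQUEST_RE = re.compile(r"^(GET|HEAD) ([^ ]+)")
ERROR_DOC_401 = "/401.shtml"        # error document seen in the question
PROTECTED = "/administration/"      # password-protected directory


def request_uri_seen_by_rewrite(the_request, has_credentials):
    """Assumed model: an unauthenticated request for a protected path has
    REQUEST_URI pointing at the 401 document when the rewrite rule runs."""
    path = the_request.split(" ")[1].split("?", 1)[0]
    if path.startswith(PROTECTED) and not has_credentials:
        return ERROR_DOC_401
    return path


def first_rule(the_request, host, https=False, has_credentials=False):
    """RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}"""
    if https:
        return None                  # RewriteCond %{HTTPS} !on fails
    return "https://" + host + request_uri_seen_by_rewrite(the_request, has_credentials)


def second_rule(the_request, host, https=False):
    """RewriteRule ^ https://%{HTTP_HOST}%2, with %2 taken from THE_REQUEST"""
    if https:
        return None
    m = THE_REQUEST_RE.match(the_request)
    if m is None:
        return None                  # e.g. POST: condition fails, no redirect
    return "https://" + host + m.group(2)


if __name__ == "__main__":
    # Constructed request lines for the host used in the question.
    for line in ("GET /administration/index.php HTTP/1.1",
                 "GET /index.php HTTP/1.1",
                 "POST /administration/save.php HTTP/1.1"):
        print(line, "|", first_rule(line, "mydomain.com"), "|",
              second_rule(line, "mydomain.com"))
```

The second rule set matches only GET and HEAD, so a plain-HTTP request with another method (the POST line here) gets no redirect from it.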