How do I force .htaccess authorization to occur over ssl?

I'm trying to force a particular directory to require only allowed IPs and a valid username/password through basic authorization. To ensure that the username/password are sent in encrypted form, I want the directory to also force SSL use. Here is what I have in my .htaccess file:

# Force HTTPS-Connection
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*)  https://www.mywebsite.com%{REQUEST_URI} [R,L]

## password begin ##
AuthName     "Restricted Access"
AuthUserFile /var/www/admin/.htpasswd
AuthType     Basic
Require valid-user
Order deny,allow
Deny from all
Allow from 79.1.231.151 62.123.134.83
Satisfy All

Unfortunately, when I access that directory using http protocol, it is asking for the password before it redirects the page to the secure version. This means the password is sent unencrypted. What am I doing wrong? Is there a way to do this?


Try putting SSLRequireSSL in your .htaccess file or the global Apache httpd configuration.


Rewrites and redirects are handled after autorisation. However: aliases in your httpd.conf are addressed first.

So what I did to get my http ://servername/webmail to https://webmail.servername was to put it in the httpd.conf like this:

<IfModule alias_module>
   Redirect permanent /webmail https://webmail.servername
</IfModule>

The basic autorisation can stay in your .htaccess and will be executed just once AFTER the redirect was executed...


If you have access to the Apache config, add the authentication stanza to the VirtualHost that has SSL enabled. Then the redirect will always happen first.

Also, using mod_rewrite to perform a simple redirect is a bit of overkill. Use the Redirect directive instead. It's possible this may even fix your problem, as I believe mod_rewrite rules are some of the last directives to be processed, just before the file is actually grabbed from the filesystem.