Apache - Redirect to https before AUTH

redirect apache-2.2 ssl http-authentication

Solution 1:

You can use the redirect directive on http virtualhost to redirect to the https site where authentification is done. You could also use mod_rewrite to do the redirection. The basic things is just to not set authentification on http virtualhost and redirect everything on the https virtualhost where authentication is done.

Solution 2:

Regardless of how you have the SSL vhost configured, I'd use this configuration for the non-SSL vhost:

<VirtualHost *:80>
    ServerName www.sitename.com
    ServerAlias sitename.com others-if-you-like.com
    ServerAdmin [email protected]

    RedirectMatch ^/(.*)    https://www.sitename.com/$1 [L,R]

</VirtualHost>

Add lines for your logging, too, but nothing else is needed. Everything will be redirected permantently to the https:// URL, and the SSL site's .htaccess or other access control stuff won't be handled until after the redirect.

Solution 3:

Our client's webapp is installed in his webuser directory. Authorisation is handled before mod_rewrite rules (https://serverfault.com/a/443185/253111), and we could not get the accepted answer to work, so mod_rewrite seemed not an option.

Eventually we explicitly required SSL and used the webapp's root over HTTPS as 403 and 404 error documents. So when one visits any page over HTTP (which is unauthorized, hence the 403) or a non existing page (404), he is being redirected to ie. https://DOMAIN.TLD/~WEBUSER/admin.

This is the .htaccess file with some extra info in the comments.

### INFO: Rewrites and redirects are handled after authorisation
### @link https://serverfault.com/a/443185/253111

### INFO: Log out of a HTPASSWD session
### This was not always possible, but Firefox and Chrome seem to end sessions
### when a new one is trying to be using ie.:
### https://logout:[email protected]/~WEBUSER/
### @link http://stackoverflow.com/a/1163884/328272

### FORCE SSL: Explicitly require the SSL certificate of a certain domain to
### disallow ie. unsigned certificates. ErrorDocument's are used to redirect
### the user to an HTTPS URL.
### @link http://forum.powweb.com/showthread.php?t=61566
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire  %{HTTP_HOST} eq "DOMAIN.TLD"

### HTPASSWD AUTHENTICATION
AuthUserFile /var/www/vhosts/DOMAIN.TLD/web_users/WEBUSER/.htpasswd
AuthType Basic
AuthName "Hello"
Require valid-user

### ERROR DOCUMENTS: Redirect user in case of a 403 / 404.
ErrorDocument 403 https://DOMAIN.TLD/~WEBUSER/admin
ErrorDocument 404 https://DOMAIN.TLD/~WEBUSER/admin

Related

Postgresql 9.2 "invalid locale name" on Ubuntu 12.04
has my server been hacked w00tw00t.at.ISC.SANS.DFind
How do I determine what the Windows Installer (msiexec) is doing?
Getting SSL certificate chain from jabber server
Backup storage server with ZFS
Anybody have experience with using Nexenta? [closed]
SSH between EC2 instances not permitted
Minimum number of disks to implement RAID6
RAID strategy - 8 1TB drives
Installing open-vm-tools in Ubuntu via Puppet; what's the lesser evil?
Automated hardware testing of HP servers?
SSSD Authentication to Windows Domain without @domain.com everywhere