Apache - Redirect to https before AUTH
Solution 1:
You can use the redirect directive on http virtualhost to redirect to the https site where authentification is done. You could also use mod_rewrite to do the redirection. The basic things is just to not set authentification on http virtualhost and redirect everything on the https virtualhost where authentication is done.
Solution 2:
Regardless of how you have the SSL vhost configured, I'd use this configuration for the non-SSL vhost:
<VirtualHost *:80>
ServerName www.sitename.com
ServerAlias sitename.com others-if-you-like.com
ServerAdmin [email protected]
RedirectMatch ^/(.*) https://www.sitename.com/$1 [L,R]
</VirtualHost>
Add lines for your logging, too, but nothing else is needed. Everything will be redirected permantently to the https:// URL, and the SSL site's .htaccess or other access control stuff won't be handled until after the redirect.
Solution 3:
Our client's webapp is installed in his webuser directory. Authorisation is handled before mod_rewrite rules (https://serverfault.com/a/443185/253111), and we could not get the accepted answer to work, so mod_rewrite seemed not an option.
Eventually we explicitly required SSL and used the webapp's root over HTTPS as 403 and 404 error documents. So when one visits any page over HTTP (which is unauthorized, hence the 403) or a non existing page (404), he is being redirected to ie. https://DOMAIN.TLD/~WEBUSER/admin.
This is the .htaccess file with some extra info in the comments.
### INFO: Rewrites and redirects are handled after authorisation
### @link https://serverfault.com/a/443185/253111
### INFO: Log out of a HTPASSWD session
### This was not always possible, but Firefox and Chrome seem to end sessions
### when a new one is trying to be using ie.:
### https://logout:[email protected]/~WEBUSER/
### @link http://stackoverflow.com/a/1163884/328272
### FORCE SSL: Explicitly require the SSL certificate of a certain domain to
### disallow ie. unsigned certificates. ErrorDocument's are used to redirect
### the user to an HTTPS URL.
### @link http://forum.powweb.com/showthread.php?t=61566
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "DOMAIN.TLD"
### HTPASSWD AUTHENTICATION
AuthUserFile /var/www/vhosts/DOMAIN.TLD/web_users/WEBUSER/.htpasswd
AuthType Basic
AuthName "Hello"
Require valid-user
### ERROR DOCUMENTS: Redirect user in case of a 403 / 404.
ErrorDocument 403 https://DOMAIN.TLD/~WEBUSER/admin
ErrorDocument 404 https://DOMAIN.TLD/~WEBUSER/admin