I have setup a private website that needs to be accessible by only a few people via the internet. I'd like to setup a combination of basic authentication and https.
So far I have everything works ok if开发者_运维技巧 I directly type in https://blah.com/location1
. However what I need is to have apache redirect http://blah.com/location1
to https://blah.com/location1
and THEN do basic authentication i.e I don't want basic authentication to be done before the redirection. At the moment this is what I have on my apache config.
WSGIScriptAlias /site /path/to/site/apache/site.wsgi
<Directory /path/to/site/apache>
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>
<Location /site>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
AuthType Basic
AuthName "Site login"
AuthUserFile /path/to/site/.htpasswd
Require valid-user
</Location>
Note: I only need the authentication for /site
. So I should be able to access http://blah.com/site1
, http://blah.com/site2
without needing authentication.
The problem with the rewrite rules that "convert" HTTP requests into HTTPS requests is that they don't prevent the first request to be made over plain HTTP (as you get a redirect to the HTTPS URL).
What you could do is split your site into two virtual hosts: one for HTTP and one for HTTPS.
On the HTTP virtual host, implement the rewrite if you want, but forbid access to <Location /location1>
in all cases (only do the rewrite).
On the HTTPS virtual host, configure <Location /location1>
with basic authentication.
I replied here Apache 2.2 redirect to SSL *then* do auth (with solution < but is it crap?), a solution which use SSLRequireSSL
, and a ErrorDocument 403
returning an html 403 error page containing a JavaScript which will reload the page to HTTPS ... the best solution I found without splitting the configuration file in two, one loaded by the VirtualHost
on port HTTP, on the other on port HTTPS.
精彩评论