Posted to users@httpd.apache.org by Jeff Sherk Forerunner Ministries <je...@ForerunnerTV.com> on 2009/08/25 18:41:29 UTC

[users@httpd] authtype and rewriterule process order question

I have authtype basic setup on a folder (https://mydomain.com/myfolder) 
and would like to redirect the addresses below to it first and then have 
it ask for username and password:
http://mydomain.com/myfolder
http://www.mydomain.com/myfolder
https://www.mydomain.com/myfolder
(the above 3 should all be redirected to https://mydomain.com/myfolder)

Without the rewriterule, all 4 urls are accessible as is (and ask for 
username & password).

Here is my htaccess file so far, but what it appears to do is always ask 
for the username and password first and then redirect second. I want it 
to redirect first and then ask for username and password, so that you 
cannot enter your username & password with regular http but have to use 
https.

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} myfolder
RewriteRule ^(.*)$ https://mydomain.com/myfolder/$1 [R,L]

AuthType Basic
AuthName "AUTHORIZED ACCESS ONLY"
AuthUserFile "/home/mydomain/.htpasswds/public_html/myfolder/passwd"
require valid-user

Thanks

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] authtype and rewriterule process order question

Posted by Jeff Sherk Forerunner Ministries <je...@ForerunnerTV.com>.
Thanks for the reply Nick...
I am pretty new to Apache (and all this related stuff). Can you give a 
little more explanation on what "define it there" means when you said 
"Since you want password protection in your secure vhost, define it 
there."?
Even some links on something to read would be good!
The only way I know how to password protect is with htaccess.
Thanks

Nick Kew wrote:
> That's entirely the wrong approach.  Since you want password protection
> in your secure vhost, define it there.  Not in some .htaccess, and
> especially not one which is shared with another vhost where it's
> not wanted.  It becomes a lot easier if it (or at least the protected
> area) also doesn't share a directory with the other vhost.



Re: [users@httpd] authtype and rewriterule process order question

Posted by Nick Kew <ni...@webthing.com>.
Jeff Sherk Forerunner Ministries wrote:
> I have authtype basic setup on a folder (https://mydomain.com/myfolder) 
> and would like to redirect the addresses below to it first and then have 
> it ask for username and password:
> http://mydomain.com/myfolder
> http://www.mydomain.com/myfolder
> https://www.mydomain.com/myfolder
> (the above 3 should all be redirected to https://mydomain.com/myfolder)
> 
> Without the rewriterule, all 4 urls are accessible as is (and ask for 
> username & password).
> 
> Here is my htaccess file so far, but what it appears to do is always ask 
> for the username and password first and then redirect second. I want it 
> to redirect first and then ask for username and password, so that you 
> cannot enter your username & password with regular http but have to use 
> https.

That's entirely the wrong approach.  Since you want password protection
in your secure vhost, define it there.  Not in some .htaccess, and
especially not one which is shared with another vhost where it's
not wanted.  It becomes a lot easier if it (or at least the protected
area) also doesn't share a directory with the other vhost.

As for the question in your subject line, rewriterules in a Directory
context (which includes htaccess) run after authnz.

-- 
Nick Kew
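
Added example, not part of the original thread: one way to lay out the advice above in the main server configuration, with the auth block defined only inside the secure vhost and the other names doing nothing but redirecting. The DocumentRoot and Directory paths and the certificate file names are assumptions or placeholders, and the certificate is assumed to cover both host names.

```apache
# Canonical secure vhost. Listed first so it is the default for *:443.
# This is the only place Basic auth is defined, so credentials can only
# ever be requested over https://mydomain.com/.
<VirtualHost *:443>
    ServerName mydomain.com
    # Assumed path; not stated in the thread.
    DocumentRoot "/home/mydomain/public_html"

    SSLEngine on
    # Placeholder certificate and key paths.
    SSLCertificateFile    "/path/to/placeholder-cert.pem"
    SSLCertificateKeyFile "/path/to/placeholder-key.pem"

    # Assumed to be the directory that /myfolder maps to.
    <Directory "/home/mydomain/public_html/myfolder">
        AuthType Basic
        AuthName "AUTHORIZED ACCESS ONLY"
        AuthUserFile "/home/mydomain/.htpasswds/public_html/myfolder/passwd"
        Require valid-user
    </Directory>
</VirtualHost>

# https://www.mydomain.com/myfolder -> canonical host. No auth block here.
<VirtualHost *:443>
    ServerName www.mydomain.com

    SSLEngine on
    SSLCertificateFile    "/path/to/placeholder-cert.pem"
    SSLCertificateKeyFile "/path/to/placeholder-key.pem"

    Redirect permanent /myfolder https://mydomain.com/myfolder
</VirtualHost>

# Plain-HTTP vhost for both names. It has no auth directives, so nothing
# in this vhost can prompt for a password; requests for /myfolder are
# answered with a redirect to the secure canonical URL.
<VirtualHost *:80>
    ServerName mydomain.com
    ServerAlias www.mydomain.com
    # Assumed path, shared with the secure vhost for the rest of the site.
    DocumentRoot "/home/mydomain/public_html"

    Redirect permanent /myfolder https://mydomain.com/myfolder
</VirtualHost>
```

With this layout the AuthType block and the RewriteRule lines are removed from the .htaccess file in myfolder, since a .htaccess there would apply to every vhost that serves that directory.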
