
This is an old revision of the document!


Forcing Page Access to https://

If your web page requests a password, it is best to send the password over an encrypted channel.

Before your authentication block, add this code to redirect http://URL to https://URL:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

Wrap your authentication block in this condition, so that authentication occurs only when your page is served over https and the browser is never prompted for the password on the unencrypted http request:

<If "%{HTTPS} == 'on'">
  <Your authentication block>
</If>

That's all you need to do! Putting it together, here's an example:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

<If "%{HTTPS} == 'on'">
  AuthType Basic
  AuthName "My Page"
  AuthBasicProvider pam
  require valid-user
</If>
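
To check that the configuration above behaves as intended, look at what the server returns for a plain http:// request: it should be a redirect to https on the same host, never a password prompt and never the page itself. The script below is an added example, not part of the original page; the names classify and probe, the host www.example.org and the sample responses are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

def classify(status, headers, host):
    """Judge the response to a plain http:// request for a protected page."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 or "www-authenticate" in h:
        # The browser would answer this prompt over the unencrypted channel.
        return "FAIL: password prompt over http"
    if 300 <= status < 400:
        loc = urlsplit(h.get("location", ""))
        if loc.scheme == "https" and loc.hostname == host.lower():
            return "OK: redirected to https"
        return "FAIL: redirect does not lead to https on the same host"
    if 200 <= status < 300:
        return "FAIL: page served over http without authentication"
    return f"CHECK: unexpected status {status}"

def probe(host, path="/", port=80, timeout=5):
    """Fetch http://host/path once (http.client never follows redirects)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()), host)
    finally:
        conn.close()

# Constructed sample responses (hypothetical host), not captured traffic.
SAMPLES = [
    (302, {"Location": "https://www.example.org/private/"}),
    (401, {"WWW-Authenticate": 'Basic realm="My Page"'}),
    (200, {"Content-Type": "text/html"}),
    (302, {"Location": "http://www.example.org/private/"}),
]

if __name__ == "__main__":
    for status, headers in SAMPLES:
        print(status, "->", classify(status, headers, "www.example.org"))
```

Call probe() with your own host name and the path of the protected page to run the same check against the live server.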
web/password-protected/force_https.1513780248.txt.gz · Last modified: 2017/12/20 09:30 by jas
