Apache - forcing https for certain URLs

PhantomBeaker

Heyya,

I'm a webmaster on an Apache server that is capable of secure connections with mod_ssl.

Now I've checked the mod_ssl howtos and the Apache site, but I can't seem to find a straight answer to this (And I'm sure it's not the first time that someone's wanted to do this - and if it's in the FAQs, it's worded very oddly):

On the site, there are certain sensitive areas that people will be transmitting usernames and passwords for verification. As far as links go on the site, we arrange the link so that it connects via SSL i.e. (we link to https://blah.com rather than http://) especially in the cases of services like phpMyAdmin and the like. However, if users choose to type in the URL themselves, and just connect over http they can.

I'm looking to find some httpd.conf/.htaccess directive or set of them to allow access to those directories ONLY if they are connecting through https but not if they're connecting through http so that no unencrypted information is sent.

Has anyone managed anything similar? Just for info, we're running the following: Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7d

Thanks for the help (and if it doesn't belong here, please feel free to dump it elsewhere)
Take care,
Phantom Beaker.

mneylon

You might want to look into mod_rewrite
http://www.webmasterworld.com/forum13/3345.htm

cgarvey

SSLRequireSSL is your friend....

Stick it in a .htaccess and visitors using http only will get a 403 (which, of course, you can customise to explain they need to use SSL). Or stick it in a <Location> block in your configs.

.cg

steve-hosting36

Pair cgarveys comment with a redirect to https:// in the same htaccess and you're sorted