In Progress CPANEL-40585 - Force HTTPS on password-protected directory

[msklut]

We have a password-protected directory /admin that is not automatically redirecting to a secure/HTTPS page. The .htaccess has a redirect rule for the entire website, but it is not working for this directory because of the password-protection. Does anyone have suggestions?

pre_virtual_host.conf (Apache Configuration » Include Editor)

<Directory "/home/myuser/public_html/admin">
AuthType Basic
AuthName "Authentication Required"
AuthUserFile /etc/apache2/htpasswd/.htpasswd
Require valid-user
ErrorDocument 401 "Authentication Required"

Options +Includes
</Directory>

public_html/.htaccess

#HTTPS Redirect
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

 

[cPRex]

Hey there! I believe this is due to the order of your configuration. The Apache includes will get read before the local .htaccess with your example. However, if you use the cPanel >> Directory Privacy tool, that creates a local .htaccess inside the specific directory you're protecting with the following code:

#----------------------------------------------------------------cp:ppd
# Section managed by cPanel: Password Protected Directories     -cp:ppd
# - Do not edit this section of the htaccess file!              -cp:ppd
#----------------------------------------------------------------cp:ppd
AuthType Basic
AuthName "Protected 'public_html/privacytest'"
AuthUserFile "/home/username/.htpasswds/public_html/privacytest/passwd"
Require valid-user
#----------------------------------------------------------------cp:ppd
# End section managed by cPanel: Password Protected Directories -cp:ppd
#----------------------------------------------------------------cp:ppd

Doing that instead of using the Apache include system will likely get things working how you expect.

 

[msklut]

I gave that a try, but it still doesn't redirect to HTTPS when I access that directory.

 

[cPRex]

I did some additional testing on my end and confirmed this isn't working as intended. I've created case CPANEL-40585 for our developers to look into this, and you can follow along with that case here:

https://support.cpanel.net/hc/en-us/articles/5918925276311

 

[msklut]

Based on Apache 2.4, would this be the preferred 'HTTPS redirect' method?

NameVirtualHost *:80
<VirtualHost *:80>
   ServerName www.yourdomain.com
   Redirect / https://www.yourdomain.com
</VirtualHost>

 

[cPRex]

I always perform the redirect inside the .htaccess file. For other pieces of software, such as WordPress, you may need a plugin like ReallySimpleSSL or similar to ensure the WordPress structure is redirected properly.

That is the correct format for an Apache redirect, although many people prefer to use " Redirect permanent / Example Domain" as the last line. With a cPanel-based machine though, remember you can't edit the Apache configuration directly.

 

[msklut]

This method worked:

Apache .htaccess: SSLRequireSSL produces HTTP 500 internal server error

I have an Apache web server hosted on one.com. The OpenSSL module is active and working. I can manipulate .htaccess and I see the reactions. I want to rely on SSL, and redirection by rewriting work...

serverfault.com