I’ve used this Tutorial as reference and successfully implemented the HTTPS redirect.
BUT… because i use AuthType Basic with .htpasswd file i have to enter Username:Password before i get redirected.
After the redirect i have to enter Username and Password again. That is kinda Sketchy and reminds me of a scam/phishing.
I don’t care… but because i want to give this to less tech savy people i don’t think thats optimal.
Does anyone know how to get the redirect working BEFORE Login prompt?
here is my .htaccess file:
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:CF-Visitor} !{"scheme":"https"}
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# BEGIN InfinityFree Directory Protection
# DO NOT EDIT - YOUR CHANGES WILL BE OVERWRITTEN
AuthType Basic
AuthName "Login Required"
AuthUserFile "/home/vol17_1/infinityfree.com/if0_37179114/domain.com/htdocs/.htpasswd"
Require valid-user
Options -Indexes
# END InfinityFree Directory Protection
That’s an interesting observation. You would expect that the redirect is done before doing the authentication, but that doesn’t happen. Not only does that mean that you might have to login twice, it also means that the first authentication attempt is done without SSL, which is not secure.
A bit of web searching tells me of some settings that might work. Basically, it should work as you want it to if you modify the code like this:
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:CF-Visitor} !{"scheme":"https"}
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
<If "%{HTTPS} == 'on'">
# BEGIN InfinityFree Directory Protection
# DO NOT EDIT - YOUR CHANGES WILL BE OVERWRITTEN
AuthType Basic
AuthName "Login Required"
AuthUserFile "/home/vol17_1/infinityfree.com/if0_37179114/domain.com/htdocs/.htpasswd"
Require valid-user
Options -Indexes
# END InfinityFree Directory Protection
</If>