Determine HTTPS in htaccess to Set Environment

Determine HTTPS in htaccess to Set Environment

I want to redirect the user to the authentication page only if the request is ‘https’.
Currently I have written the following in my .htaccess file to do the same, but it doesn’t work.
SetEnvIf Request_Protocol ^HTTPS.* IS_HTTPS

AuthType shibboleth
AuthName “Login”
ShibRequireSession on
require user abcd
Allow from env=IS_HTTPS

Is the regex for determining HTTPS correct? Earlier I had the SetEnvIf statement as follows. This too didn’t work.
SetEnvIf %{SERVER_PORT} ^80$ IS_NON_SSL

AuthType shibboleth
AuthName “Login”
ShibRequireSession on
require user abcd
Allow from env=!IS_NON_SSL

But as per the documentation for SetEnvIf directive (http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html), the SERVER_PORT variable is not available.

Solutions/Answers:

Solution 1:

I don’t think that the value Request_Protocol can be used to determine this – according to the docs page you linked, that contains something like (e.g., “HTTP/0.9”, “HTTP/1.1”, etc.) – so the protocol itself will always be HTTP; and that makes sense, as HTTPS is not a real “protocol”, but only the common name for HTTP with TLS “wrapped around it”, on the OSI level below it (6).

I’m not sure about the actual order of request processing (and don’t know where to find it right now off the top of my head) – but maybe you could combine this with mod_rewrite to achieve what you want? A RewriteCond is able to check whether HTTPS is used by checking the variable HTTPS for the value on – and a RewriteRule following that condition could set an environment variable for you using the [E] flag – something like this:

RewriteCond %{HTTPS} ^on$
RewriteRule . - [E=IS_HTTPS]

This will set the environment variable IS_HTTPS with an empty value, but that should be enough to check it with Allow from env=IS_HTTPS.

Mind giving this a try? As I said, I’m not sure if this will work because of processing order – but tryin’ cost nuffin, right?

Related:  How Session Works?

Solution 2:

You can try:

SetEnvIf Request_Protocol ^HTTPS.* IS_HTTPS

AuthType shibboleth
AuthName "Login"
ShibRequireSession on
require user abcd
Satisfy    any
Order      deny,allow
Deny from  all
Allow from env=IS_HTTPS

References