Hello,

it would be nice to have an option 'Require SSL for ACP' before login.

I know this could be easily done via htaccess, but we use htaccess to passwort protect the acp directory and mod_auth is handled first.
So before a redirect to SSL can occur, the password prompt appears - data entered is transmitted via http, which is unsecure...

Thanks for ideas

have you tried this?

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "site.com" #or www.site.com
ErrorDocument 403 https://site.com

An interesting thing when using the mod_ssl instead of mod_rewrite to force SSL is that apache gives mod_ssl priority ABOVE mod_rewrite so it will always require SSL.


EDIT: LINK (http://www.htaccesselite.com/htaccess/redirecting-all-or-part-of-a-server-to-ssl-vt61.html)

hope that helps

Yes, this would work - but: The directory is protected via password (htaccess), since mod_auth is handled always first you would have to enter the password before the SSL Require, which makes nada sense...