I have this configuration in my httpd.conf:
<VirtualHost 192.168.1.6:80 192.168.1.6:443>
ServerName .... etc... etc...
<Directory /httpd/domain.xyz/public_html/ssl/>
SSLRequireSSL
</Directory>
</VirtualHost>
In my /ssl/ directory I have this .htaccess file:
AuthUserFile /httpd/domain.xyz/.htpasswd
AuthGroupFile /dev/null
AuthName "Private stuff"
AuthType Basic
order deny,allow
deny from all
allow from 192.168.1.50
require valid-user
satisfy any
As you see, my intention is to give access to my own internal IP address
(without logging in) and all other must login as a valid user. This
actual works okay (the login), but it is also possible for a valid user
to see the page without HTTPS!?
I guess it is the "satisfy any" directive that says "I do not care that
you are without SSL as you are a trusted user".
How do I enforce SSL... always, without any exceptions to any user or IP
address?
Anders.