Apache2 and problems with SSL and .htaccess

[Anders Jensen]

I have a directory on my webserver (Apache v2.0.53), that I want to
encrypt with SSL. That is no problem. I also want to restrict the access
to this directory even more by putting in a .htaccess file, that should
only give access to a certain user or a certain network (my own private
IP address).

I have this configuration in my httpd.conf:
<VirtualHost 192.168.1.6:80 192.168.1.6:443>
ServerName .... etc... etc...
<Directory /httpd/domain.xyz/public_html/ssl/>
SSLRequireSSL
</Directory>
</VirtualHost>

In my /ssl/ directory I have this .htaccess file:
AuthUserFile /httpd/domain.xyz/.htpasswd
AuthGroupFile /dev/null
AuthName "Private stuff"
AuthType Basic
order deny,allow
deny from all
allow from 192.168.1.50
require valid-user
satisfy any

As you see, my intention is to give access to my own internal IP address
(without logging in) and all other must login as a valid user. This
actual works okay (the login), but it is also possible for a valid user
to see the page without HTTPS!?

I guess it is the "satisfy any" directive that says "I do not care that
you are without SSL as you are a trusted user".

How do I enforce SSL... always, without any exceptions to any user or IP
address?

Anders.