When running a web server with mixed content security requirements, administrators often need to enforce HTTPS for sensitive directories while maintaining HTTP accessibility for public content. Apache 2.2 provides several mechanisms to implement this selective SSL enforcement.
First, ensure you have both HTTP (port 80) and HTTPS (port 443) virtual hosts configured:
    <VirtualHost *:80>
        ServerName myserver.com
        DocumentRoot /var/www/html
        # Public directory accessible via HTTP
        <Directory "/var/www/html/public">
            AllowOverride None
            # Apache 2.2 access-control syntax ("Require all granted" is 2.4 only)
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>
    <VirtualHost *:443>
        ServerName myserver.com
        DocumentRoot /var/www/html
        SSLEngine on
        SSLCertificateFile /path/to/cert.pem
        SSLCertificateKeyFile /path/to/key.pem
        # All directories accessible via HTTPS
        <Directory "/var/www/html">
            AllowOverride None
            # Apache 2.2 access-control syntax ("Require all granted" is 2.4 only)
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>
For the most user-friendly approach, redirect HTTP requests to HTTPS for your secure directories:
    <VirtualHost *:80>
        ServerName myserver.com
        # Redirect only the topsecret directory
        RedirectMatch 301 ^/topsecret(/.*)?$ https://myserver.com/topsecret$1
        # Public content remains accessible via HTTP
        <Directory "/var/www/html/public">
            AllowOverride None
            # Apache 2.2 access-control syntax ("Require all granted" is 2.4 only)
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>
If you prefer to deny HTTP access completely rather than redirect:
    <VirtualHost *:80>
        ServerName myserver.com
        # Refuse plain-HTTP requests for the protected path
        <Location "/topsecret">
            Order deny,allow
            Deny from all
            ErrorDocument 403 "This content must be accessed via HTTPS"
        </Location>
        <Directory "/var/www/html/public">
            AllowOverride None
            # Apache 2.2 access-control syntax ("Require all granted" is 2.4 only)
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>
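If you prefer directory-level configuration (placing SSLRequireSSL in a .htaccess file instead requires AllowOverride AuthConfig for that directory):
    # In your httpd.conf or virtual host:
    <Directory "/var/www/html/topsecret">
        # Deny any request for this directory that did not arrive over SSL
        SSLRequireSSL
        ErrorDocument 403 /ssl-required.html
    </Directory>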
For more complex scenarios using mod_rewrite:
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} ^/topsecret
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
After implementing any of these solutions, verify using:
    curl -I http://myserver.com/topsecret
    curl -I https://myserver.com/topsecret
    curl -I http://myserver.com/public
Check for proper redirects (301/302) or 403 errors where appropriate.
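A small checker for the verification step above, added here as an example and not part of the original page: it parses saved `curl -I` output and reports responses that break the intended HTTP/HTTPS split. The function names, the `prefix` parameter and the sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_head(raw):
    """Parse `curl -I` output into (status, headers); header names lowercased."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    status = int(lines[0].split()[1])  # e.g. "HTTP/1.1 301 Moved Permanently"
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def violations(url, raw, prefix="/topsecret"):
    """Return the ways one response breaks the HTTP/HTTPS split for `prefix`."""
    status, headers = parse_head(raw)
    req = urlsplit(url)
    protected = req.path == prefix or req.path.startswith(prefix + "/")
    found = []
    if req.scheme == "http" and protected:
        if status in (301, 302):
            loc = urlsplit(headers.get("location", ""))
            if loc.scheme != "https":
                found.append("redirect target is not https")
            elif loc.hostname != req.hostname:
                found.append("redirect changes host")
        elif status != 403:
            found.append("protected path answered over HTTP with %d" % status)
    elif req.scheme == "https" and status >= 400:
        found.append("HTTPS request failed with %d" % status)
    return found

# Constructed sample responses, not captured from a real server.
SAMPLES = {
    "http://myserver.com/topsecret":
        "HTTP/1.1 301 Moved Permanently\r\nLocation: https://myserver.com/topsecret\r\n\r\n",
    "https://myserver.com/topsecret":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "http://myserver.com/public":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    # Misconfiguration: no rule matched, so the file is served in clear text.
    "http://myserver.com/topsecret/report.html":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for url, raw in SAMPLES.items():
        print(url, "->", violations(url, raw) or "ok")
```

Save each `curl -I` result to a file and pass its contents as `raw` to check a real deployment.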
When running Apache 2.2 with mixed-content requirements, we often need to enforce HTTPS for sensitive directories while maintaining HTTP accessibility for public content. The challenge lies in implementing this at the directory level without affecting other parts of the site.
There are two effective approaches to solve this:
1. Using Redirect in Virtual Host
For the most reliable solution, add this to your <VirtualHost *:80> block:
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} ^/topsecret [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
2. Directory-Level SSL Enforcement
Create a dedicated configuration for your secure directory:
    # Path matches the DocumentRoot used in the virtual hosts (/var/www/html)
    <Directory "/var/www/html/topsecret">
        SSLRequireSSL
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
Here's a full working example for Apache 2.2:
    <VirtualHost *:80>
        ServerName myserver.com
        DocumentRoot /var/www/html
        # Send plain-HTTP requests for /topsecret to the HTTPS virtual host
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteCond %{REQUEST_URI} ^/topsecret [NC]
        RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    </VirtualHost>
    <VirtualHost *:443>
        ServerName myserver.com
        DocumentRoot /var/www/html
        SSLEngine on
        SSLCertificateFile /path/to/cert.pem
        SSLCertificateKeyFile /path/to/key.pem
        <Directory "/var/www/html/topsecret">
            SSLRequireSSL
            # Apache 2.2 access-control syntax ("Require all granted" is 2.4 only)
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>
- Always test with apachectl configtest before restarting
- HTTP/HTTPS coexistence requires proper certificate setup
- Consider adding HSTS headers for additional security
- Cache-control headers should be set differently for secure content
If redirects aren't working:
- Verify mod_rewrite is enabled (a2enmod rewrite)
- Check for conflicting rules in .htaccess files
- Examine Apache error logs for rewrite module messages