wgp

Reputation: 1157

How to make Apache reject non-SSL entirely for one directory

I have a server at https://writeapp.me which only allows SSL connections. It is on the Chrome and Firefox HSTS lists, uses the HSTS header, and includes a rewrite rule to redirect any HTTP requests to HTTPS.

This setup works great for casual users using a web browser, but now I'm developing an API and I need any non-HTTPS requests to one path to be rejected and not redirected.

The API will live at https://writeapp.me/api/. I want all HTTP requests containing /api to return a 400 Bad Request or a 403 Forbidden (not sure which status makes most sense yet) while all other plain HTTP requests can continue to be redirected to their HTTPS counterparts.

The plan is to include these rules in the vhost config, not an .htaccess file. /api isn't an actual directory; it's just a route provided by a framework, so .htaccess files inside of /api won't work. (Not that it matters, I guess. I'm just being extra detailed here.)

Upvotes: 1

Views: 658

Answers (1)

Bruno

Reputation: 122739

You can use SSLRequireSSL in your directory configuration.

Something like this:

<Location /api>
    SSLRequireSSL
</Location>

Of course, you'll need this to be placed in the right location (depending on the rest of your configuration), so that it takes precedence over potential rewrite/redirects.

Upvotes: 2
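
The precedence point in the answer above, as an added example that is not part of the original answer or the asker's real configuration: a port-80 virtual host where the redirect skips /api so that SSLRequireSSL can reject those requests. The rewrite rule is an assumed stand-in for the asker's existing redirect, and mod_ssl must be loaded for SSLRequireSSL to be recognised.

```apache
# Added example: plain-HTTP virtual host (assumed layout).
<VirtualHost *:80>
    ServerName writeapp.me

    RewriteEngine On

    # In virtual-host context, mod_rewrite runs during URL translation,
    # which happens before access checks such as SSLRequireSSL.
    # Without this condition, /api requests would be redirected and the
    # <Location> block below would never get the chance to reject them.
    RewriteCond %{REQUEST_URI} !^/api(/|$)

    # Everything else keeps being redirected to HTTPS. The target host is
    # written out rather than taken from the client-supplied Host header.
    RewriteRule ^ https://writeapp.me%{REQUEST_URI} [R=301,L]

    # Any request for /api that arrives without TLS is denied with
    # 403 Forbidden instead of being redirected.
    <Location /api>
        SSLRequireSSL
    </Location>
</VirtualHost>
```

With this in place, a plain-HTTP request under /api should come back as 403 Forbidden, while any other plain-HTTP path should still receive the 301 redirect to HTTPS.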
