I have an Apache 2.2 server with an SSL certificate hosting several services that should only be accessed using SSL.
i.e.: https://myserver.com/topsecret/ should be allowed while http://myserver.com/topsecret/ should be either denied or, ideally, redirected to https.
http://myserver.com/public should not have this restriction, and should work using either http or https.
The decision to allow/deny http is made at the top level directory, and affects all content underneath it.
Is there a directive that can be placed in the Apache config to restrict access in this manner?
The SSLRequireSSL directive is what you're looking for.
Inside your <VirtualHost>, or at the top level if you're not using virtual hosts:
Or in .htaccess:
In the global configuration you could use:
Similarly you could use a .htaccess file in the first directory of the secure directory tree:
That last one could also be placed inside a directory directive in the global or virtual host configuration.
Someone mentioned SSLRequireSSL but I don't think it works by itself and I haven't found a successful example with it. The recommended way is https://wiki.apache.org/httpd/RedirectSSL. I've applied that and it works well!
Alternatively, you could use the server-side language to do the processing for you, rather than using Apache's configuration options (if, perhaps, you don't have access to the server's configuration).
For example, with PHP:
(though just be aware - if you're using ISAPI on Microsoft IIS, if the request is not being routed through HTTPS, then the value of the $_SERVER['HTTPS'] variable will be "off")
Assuming you are using VirtualHost directives,
Place a Directory directive in the non-ssl virtualhost denying access.
Then, place a Directory directive in the ssl virtualhost granting access.
I've always done this with mod_rewrite in an .htaccess file, though you should be able to do it within your main config file as well.
Here's a guide with a few ways of making this happen: Smart HTTP and HTTPS RewriteRule Redirects
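The per-virtual-host approach from the answers above, applied to the question's /topsecret and /public paths, as an added example that is not part of any original post. The DocumentRoot and certificate paths are placeholders, and it assumes Apache 2.2 with mod_ssl and mod_alias loaded and `Listen` lines for ports 80 and 443 already present.

```apache
# Added example. Paths below are placeholders, not values from the page.

# Plain-HTTP virtual host
<VirtualHost *:80>
    ServerName myserver.com
    DocumentRoot /var/www/html

    # /public has no rule here, so it stays reachable over plain HTTP.

    # Everything under /topsecret is sent to the HTTPS site.
    # Redirect matches on the URL-path prefix, so /topsecret/a/b
    # becomes https://myserver.com/topsecret/a/b.
    # The target host is hard-coded rather than taken from the
    # client-supplied Host header.
    Redirect permanent /topsecret https://myserver.com/topsecret

    # To deny instead of redirect, replace the Redirect line with:
    #   <Directory /var/www/html/topsecret>
    #       Order deny,allow
    #       Deny from all
    #   </Directory>
</VirtualHost>

# HTTPS virtual host
<VirtualHost *:443>
    ServerName myserver.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # /public is served here too, so it works over both schemes.

    <Directory /var/www/html/topsecret>
        # SSLRequireSSL only refuses non-SSL requests (403); it never
        # redirects. It is kept as a safety net in case this tree is
        # ever exposed through a non-SSL host by a later config change.
        SSLRequireSSL
    </Directory>
</VirtualHost>
```

After reloading, a plain-HTTP request for /topsecret/ should return a 301 whose Location header starts with https://, while /public/ should return content over both schemes.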