If I have a redirect rule for a certain directory (either through httpd.conf or an .htaccess file) that redirects all http requests to https, then the basic authorization dialogue for apache should be over an ssl connection.

It seems like this should be the case in theory. Does anyone know if this is not what actually happens?

Thanks

You should have separate virtualhosts for SSL and non-SSL vhosts, that should do the trick.

You could also add the SSLRequireSSL directive to that directory. (In that case, regular http requests will get access denied.)

Thanks for the replies.

Just to be clear:
I have a main, non-secure page, with a private subfolder (eg: www.foobar.com/private) that requires ssl and apache basic authentication. I just want to make sure that when a user moves from the non-secure main page to the private area, the basic authentication will happen through ssl.

I think this is what happens with the way I have things setup now (as described in the original post). The virtual host is probably the best solution, but just so I understand:

in the httpd.conf file, would I have to put the redirect rule (using mod_rewrite to ensure ssl) before the <Directory> basic authentication rule? Does order matter in this case?

Order does not matter, however, you must specify your rewrite rule in the root of the vhost (not in the Directory section or .htaccess).