I have a web server with several virtual hosts. Some of those hosts have an associated ssl site. I have a DirectoryMatch directive in my main config file which requires basic authentication to any directory with secured as part of the directory path. On sites that have an SSL site, I have a rewrite rule (located in the non ssl config for that site), that redirects to the SSL site, same uri.

The problem is the http (80) site asks for credentials first, and then the https (443) site asks for credentials again. I would like to prevent the http site from asking and thus avoid the potential for someone entering credentials and having them sent in clear text. I know I could move the DirectoryMatch down to the specific site, and just put the auth statement in the SSL config, but that would introduce the possibility of forgetting to protect critical directories when creating new sites.

Here are the pertinent declarations: httpd.conf (all sites):

<DirectoryMatch "_secured_">
    AuthType Basic
    AuthName "+ + + Restrcted Area on Server + + +"
    AuthUserFile /home/websvr/.auth/std.auth
    Require valid-user
</DirectoryMatch>

site.conf (specific to individual site)

<DirectoryMatch "_secured_">
    RewriteEngine On
    RewriteRule .*(_secured_.*) https://site.com/$1
</DirectoryMatch>

Is there a way to leave DirectoryMatch in the main config file and prevent the request for authorization from the http site?

Running Apache 2 on Ubuntu 10.04 server from the default package. I have AllowOverride set to none - I prefer to handle things in the config files instead of .htaccess.