I'm writing a PerlAccessHandler for Apache in mod_perl 
that need to verify if you are coming in on HTTPS or 
HTTP.  Because the PerlAccessHandler is declared in the 
main site configuration, it is inherited by the SSL 
virutal host running at the same FQDN.

I've found that the $ENV{HTTPS} mechanism is flaky.  Even 
$r->subprocess_env('HTTPS') is sorta flaky.  Sometimes 
$ENV{HTTPS} is showing up on requests from HTTP and 
sometimes from HTTPS.

My solution is in the VirtualHost config for the SSL server to add:

<code>
<Location />
        AuthName "Intranet"
        AuthType Basic
        require valid-user 
        PerlSetVar HTTPS "ON"
        SSLOptions +StdEnvVars
</Location>
</code>

In my PerlAccessHandler, I check:

<code>
        if ($r->dir_config('HTTPS') eq "ON") {
                return DECLINED;
        } else {
                return OK;
        }
</code>

Mechanism now works flawlessly.  If you're http at this 
point in the logic, we know you're ok and can bypass the 
PerlAuthenHandler and PerlAuthzHandler.

Of course before that I perform this check:

<code>
        if (($d->{nav_url_secure_flag} == 1) && ($r->dir_config('HTTPS') ne "ON")) {
                $r->header_out( Location => "https://portal/$url" );
                return REDIRECT;
        }
</code>

Just to make sure that the content needs to be secure and 
is coming over HTTPS, if not then redirect.