I'm writing a PerlAccessHandler for Apache in mod_perl
that needs to verify if you are coming in on HTTPS or
HTTP. Because the PerlAccessHandler is declared in the
main site configuration, it is inherited by the SSL
virtual host running at the same FQDN.

I've found that the $ENV{HTTPS} mechanism is flaky. Even
$r->subprocess_env('HTTPS') is sorta flaky. Sometimes
$ENV{HTTPS} is showing up on requests from HTTP and
sometimes from HTTPS.

My solution is in the VirtualHost config for the SSL server to add:

<code>
<Location />
    AuthName "Intranet"
    AuthType Basic
    require valid-user
    PerlSetVar HTTPS "ON"
    SSLOptions +StdEnvVars
</Location>
</code>

In my PerlAccessHandler, I check:

<code>
# HTTPS is set by PerlSetVar only inside the SSL VirtualHost's <Location />
if ($r->dir_config('HTTPS') eq "ON") {
    return DECLINED;
} else {
    return OK;
}
</code>

Mechanism now works flawlessly. If you're http at this
point in the logic, we know you're ok and can bypass the
PerlAuthenHandler and PerlAuthzHandler.

Of course before that I perform this check:

<code>
# Content flagged as secure but requested over plain HTTP: redirect to HTTPS
if (($d->{nav_url_secure_flag} == 1) && ($r->dir_config('HTTPS') ne "ON")) {
    $r->header_out( Location => "https://portal/$url" );
    return REDIRECT;
}
</code>

Just to make sure that the content needs to be secure and
is coming over HTTPS, if not then redirect.
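
The two checks from the post combined into one handler and exercised offline, as an added example that is not the poster's code. The package names `My::SchemeAccess` and `MockRequest`, the `$needs_secure` parameter (standing in for `$d->{nav_url_secure_flag}`) and the use of `$r->uri` for the redirect path are assumptions; the constants are defined locally with the values `Apache::Constants` exports so the script runs without Apache.

```perl
use strict;
use warnings;

package My::SchemeAccess;    # hypothetical package name
# Under mod_perl 1 these come from: use Apache::Constants qw(OK DECLINED REDIRECT);
# The same numeric values are defined here so the example runs outside Apache.
use constant { OK => 0, DECLINED => -1, REDIRECT => 302 };

sub handler {
    my ($r, $needs_secure) = @_;

    # PerlSetVar HTTPS exists only in the SSL vhost's <Location />, so the
    # plain-HTTP vhost returns undef here; normalise before comparing.
    my $flag     = $r->dir_config('HTTPS');
    my $is_https = defined $flag && $flag eq 'ON';

    # Secure content requested over HTTP: redirect first, as in the post.
    if ($needs_secure && !$is_https) {
        (my $path = $r->uri) =~ s{^/+}{};    # assumption: path taken from the request URI
        $r->header_out(Location => "https://portal/$path");
        return REDIRECT;
    }
    return $is_https ? DECLINED : OK;        # same return values as the post
}

package MockRequest;         # constructed stand-in for the Apache request object
sub new        { my ($class, %args) = @_; return bless { %args, out => {} }, $class }
sub dir_config { my ($self, $key) = @_; return $self->{vars}{$key} }
sub uri        { my ($self) = @_; return $self->{uri} }
sub header_out {
    my ($self, $name, $value) = @_;
    $self->{out}{$name} = $value if defined $value;
    return $self->{out}{$name};
}

package main;
# Constructed cases: which vhost config applies, and whether the page is flagged secure.
my @cases = (
    [ 'HTTP vhost, public page', {},                0 ],
    [ 'HTTP vhost, secure page', {},                1 ],
    [ 'SSL vhost, secure page',  { HTTPS => 'ON' }, 1 ],
);
for my $case (@cases) {
    my ($label, $vars, $needs_secure) = @$case;
    my $r  = MockRequest->new(vars => $vars, uri => '/reports/q3.html');
    my $rc = My::SchemeAccess::handler($r, $needs_secure);
    printf "%-24s rc=%-3d Location=%s\n", $label, $rc, $r->header_out('Location') // '-';
}
```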
Re: Solution to $ENV{HTTPS} Problems with mod_perl
by suburbanantihero (Initiate) on Dec 03, 2002 at 20:05 UTC
by tokpela (Chaplain) on Mar 06, 2003 at 05:04 UTC