Sites that utilize CU WebAuth are required to use SSL. 

There are two options for configuring SSL.  One is referred to as "HTTPS" and the other as "BOTH".

If you wish to have ALL traffic protected by SSL, we recommend that you request "HTTPS" for the protocol.  This will create a redirect so that any traffic that goes to http://[my site]/ will be redirected to https://[my site]/.

In some cases you may wish to have only a portion of your site protected by SSL while the other portion is not.  In this case, if you specify "BOTH", you will be responsible for determining whether a page can be displayed using SSL or non-SSL.

When using "BOTH", non-SSL connections have NO restrictions. That means all files are publicly available unless you explicitly put in a ".htaccess" file to protect the directory using CU WebAuth.

Some examples of restricting access via a ".htaccess" file:

Require SSL (non-SSL requests will just get a 403 error)

SSLRequireSSL

Redirect to SSL

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

Note that if you protect a directory with CU WebAuth and you go to the non-SSL site, you will get the following error: "CUWebAuth error... Server is not properly configured. Check the Kerberos principal." To avoid the error, be sure to specify the "https" URL and not the "http" URL. If you wish to set up a redirect from the non-SSL site to the SSL site for the ".htaccess" protected directory, you'll need to specify the redirect either in a parent directory or via a custom vhost include.
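Because a "BOTH" site serves every directory over non-SSL unless a ".htaccess" says otherwise, it helps to audit which directories are left open. The following is an added example, not part of the original page or of CU WebAuth: it walks a document root and lists directories that have neither of the two enforcement patterns shown above in their own or an ancestor's ".htaccess". The function names and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# The two enforcement patterns shown on this page.
SSL_REQUIRED = re.compile(r"^\s*SSLRequireSSL\b", re.I | re.M)
HTTPS_OFF = re.compile(r"^\s*RewriteCond\s+%\{HTTPS\}\s+off\b", re.I | re.M)
TO_HTTPS = re.compile(r"^\s*RewriteRule\s+\S+\s+https://", re.I | re.M)

def enforces_ssl(text):
    """True if .htaccess text has SSLRequireSSL or the HTTPS-off redirect."""
    if SSL_REQUIRED.search(text):
        return True
    return bool(HTTPS_OFF.search(text) and TO_HTTPS.search(text))

def unprotected_dirs(docroot):
    """Directories (relative to docroot) with no SSL-enforcing .htaccess in
    themselves or in any ancestor up to docroot. Heuristic: assumes a parent's
    directives still apply in children, which Apache's merge rules can change."""
    docroot = os.path.abspath(docroot)
    covered, exposed = set(), []
    for dirpath, dirnames, filenames in os.walk(docroot):  # top-down walk
        dirnames.sort()
        ok = os.path.dirname(dirpath) in covered
        if not ok and ".htaccess" in filenames:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                ok = enforces_ssl(fh.read())
        if ok:
            covered.add(dirpath)
        else:
            exposed.append(os.path.relpath(dirpath, docroot))
    return exposed

def build_sample_tree(root):
    """Constructed sample docroot for a "BOTH" site (not from the page)."""
    redirect = ("RewriteEngine On\nRewriteCond %{HTTPS} off\n"
                "RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}\n")
    htaccess = {"secure": "SSLRequireSSL\n", "members": redirect,
                "drafts": "# SSLRequireSSL\n"}  # commented out: not enforced
    for d in ("public", "secure/reports", "members", "drafts"):
        os.makedirs(os.path.join(root, d))
    for d, text in htaccess.items():
        with open(os.path.join(root, d, ".htaccess"), "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        print(unprotected_dirs(root))
```

A directory reported here is reachable over plain HTTP; whether that is acceptable depends on what it holds, and a directory that is not reported should still be confirmed with a real request.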
