Rewrite rule for targeting http only (no https) - .htaccess

A website that I manage was currently turned via cpanel to redirect at https. Unfortunately a single site/folder/program works only in http and not in https (idk why).
Is there any rewrite rule that will force this site to load in http only?
The whole thing is made like this:
https://example.com --> HTTPS (ok and desired to be in https)
http://example.com/NastyWebApp --> HTTP (doesn't work in https)
What I need, is to force the NastyWebApp to load in http only.

Perhaps not the ideal solution, but a solution that will do the job, via Javascript:
<HTML><HEAD><title>Nasty Web App</title></HEAD>
<body><SCRIPT LANGUAGE="JavaScript">(window.location.replace("http://stackoverflow.com/nastywebapp.php"));

Related

CLoudflare page rules: force SSL except specified URL pattern?

Is it possible to force SSL with Cloudflare except specified URL pattern? for example: example.com/* forced to use SSL, but example.com/iframe use HTTP only, not HTTPS.
If you are using Automatic HTTPS Rewrites within CloudFlare's Crypto section, yes. Create a Page Rule for example.com/iframe* where Automatic HTTPS Rewrites is off. See attached image for the Page Rule setting:
But you might be redirecting with Microsoft IIS or Apache. In that case, you must make the distinction there.

How to redirect from http to https with a redirect on IIS

I would like all traffic to my site to use https on IIS.
How do I configure a redirect to do that?
(Note: this will be self answered, as there is no correct answer anywhere on this.)
This blog link supposedly answers this question:
However, no-one so far as been able to get it the answer to work, as you end up with an endless loop of a redirect redirecting to a redirect.
So after working with this and resolving it, here is the correct answer:
Install the Http Redirect Feature if it is not already installed.
Create two sites, not one site. The first site is the insecure site which is bound to http only. Do not bind https on this site.
The second site is your secure site. This is bound to https and your security cert.
On the insecure site, add the http redirect: "Redirect requests to this destination: https://example.com" Select status code of Permanent (301).
Test. Any request to http://example.com will be forwarded to https://example.com.

ignore url mod-rewrite via htaccess

i use Prestashop and force https for all url.
I need to add script with this url:
src="//c.imedia.cz/js/retargeting.js"
i need url keep like this in html.
but htaccess seems change it to
src="https://c.imedia.cz/js/retargeting.js"
which doesn't work then.
i tried to add Rewrite rule to prevent override this url
RewriteRule retargeting\.js$ - [L,NC]
Any solution please?
htaccess does not change the src in your HTML. The browser will replace // with the protocol that is used in the request. i.e. https. It's commonly referred to as protocol relative URL.
More info in this answer about that
So if you don't want it to use https then you should explicitly set it as http. That will however cause mixed content when served over https and modern browsers will probably block it. So if you force https then ALL your resources have to be https as well or it will be blocked and not loaded even using http.
So then you should get a wildcard SSL certificate for your subdomains so that your resources can be served as https as well.

Do browsers follow 301 redirects from HTTP to HTTPS, on a secure site?

If I load a page https://example.org over HTTPS that contains references to HTTP resources like
<script src="http://example.org/script.js"></script>
I understand that the browser refuses to load the script unless it's src="https://example.org/script.js".
My question is, if I implement a 301 redirect from http://example.org/script.js to https://example.org/script.js, will the browser follow the redirect and load the script via HTTPS, or will it still refuse to load it?
I believe browsers that block mixed content will still block a script from HTTP->HTTPS redirect.
They certainly should do, because it's not secure. An attacker could have intercepted the HTTP request and changed it to redirect to an HTTPS address that is not the one the page referencing the script intended.

How to redirect https to subdomain?

I want to redirect both http://www.mysite.com and https://www.mysite.com to https://secure.mysite.com under IIS7.5.
I've installed the HTTP Redirect module, which seems to work fine for http:// redirect, by setting up a site binding to http and a HTTP redirect to (exact site)
But how do I redirect https://www.mysite.com to https://secure.mysite.com?
If I set up a HTTPS binding for the website it seems to bind to www.mysite.com automatically, even though the SSL certificate is for secure.mysite.com, and there doesn't seem to be any way to split the two.
Ideally I'd like to do this via IIS configuration rather than code..

Resources