I am using a mod_rewrite to force two pages to use HTTPS, while all other pages should remain HTTP. Currently, I can successfully force HTTPS on the pages I need -- however, when I try to change all other pages to HTTP, my HTTPS pages become unsecure. I am guessing this is because the rule is changing the URLS for the assets which the HTTPS page is loading for some reason.
Any ideas? Here is the .htaccess file I'm working with.
(Note that the ENV:HTTPS method is required on my host)
# FORCE HTTPS (WORKS JUST FINE)
RewriteCond %{ENV:HTTPS} !on [NC]
RewriteCond %{REQUEST_URI} ^(/index\.php|)/(donate|achdebit)/?$
RewriteRule ^(.*)$ https://www.site.org/$1 [R,NC,L]
# FORCE HTTP (IF ADDED, BREAKS THE SITE)
RewriteCond %{ENV:HTTPS} on [NC]
RewriteCond %{REQUEST_URI} !^(/index\.php|)/(donate|achdebit)/?$
RewriteRule ^(.*)$ http://www.site.org/$1 [R,NC,L]
I believe you are correct when you surmise that the second rule will force assets (css/js etc) that the secure page requests to be redirected to http. To prevent this add the following
# FORCE HTTP (IF ADDED, BREAKS THE SITE)
RewriteCond %{ENV:HTTPS} on [NC]
RewriteCond %{REQUEST_URI} !^(/index\.php|)/(donate|achdebit)/?$
#NEW# only redirect requests that are not for existing files
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ http://www.site.org/$1 [R,NC,L]
or explicity exclude assets by replacing #new above with
#only redirect requests that are not for existing files
RewriteCond %{REQUEST_URI} !\.(css|js|png|gif|etc) [NC]
Related
First of all, I know there are lots of answers on this, but I don't actually find one that works. This is what I have in the .htaccess file right now, and I want to mention that it worked previously, but it does not anymore.
Redirect 301 /unt-de-cacao-de-plaja/filtre/producator/crisnatur/ /ingrijire-corporala/unt-cacao/unt-de-cacao-pentru-plaja-100g
Options +FollowSymlinks
# Prevent Directoy listing
Options -Indexes
# Prevent Direct Access to files
<FilesMatch "(?i)((\.tpl|\.ini|\.log|(?<!robots)\.txt))">
Require all denied
## For apache 2.2 and older, replace "Require all denied" with these two lines :
# Order deny,allow
# Deny from all
</FilesMatch>
# SEO URL Settings
RewriteEngine On
# If your opencart installation does not run on the main web folder make sure you folder it does run in ie. / becomes /shop/
RewriteBase /
RewriteRule ^sitemap.xml$ index.php?route=extension/feed/google_sitemap [L]
RewriteRule ^googlebase.xml$ index.php?route=extension/feed/google_base [L]
RewriteRule ^system/download/(.*) index.php?route=error/not_found [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !.*\.(ico|gif|jpg|jpeg|png|js|css)
RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA]
# FORCE HTTPS AND NON WWW
RewriteEngine on
RewriteCond %{ENV:HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
As a mention, I will have a lot of Redirect 301 from old pages to the new ones since the entire structure has been changed.
And the links that I am redirecting inside my website come with "www" like:
https://www.example.com/unt-de-cacao-de-plaja/filtre/producator/crisnatur/
and needs to be redirected to:
https://example.com/ingrijire-corporala/unt-cacao/unt-de-cacao-pentru-plaja-100g
Redirect to https and non-www
To instead redirect all requests to https and non-www, use the following code instead of the previous:
Canonical HTTPS/non-WWW
<IfModule mod_rewrite.c>
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule (.*) https://example.com/$1 [L,R=301]
</IfModule>
As before, place this code in the root .htaccess of your site. Here is what it's doing:
Checks if mod_rewrite is available
Checks if HTTPS is off, or if the request includes www
If either condition matches, the request qualifies and is redirected
to the https/non-www address
OR
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]
A few issues, in order of importance:
You have your canonical HTTP to HTTPS and www to non-www redirects at the end of the file. By placing it at the end of the file, after your front-controller, it's simply never going to be processed for most requests. This needs to be near the start of the .htaccess file, before your front-controller.
You should avoid mixing redirects from both mod_alias (Redirect) and mod_rewrite (RewriteRule) in the same scope. Different modules execute at different times throughout the request, despite their apparent order in the config file. Since mod_rewrite is required for other redirects, you should convert the mod_alias Redirect directives to use RewriteRule instead.
For example:
RewriteRule ^unt-de-cacao-de-plaja/filtre/producator/crisnatur/$ /ingrijire-corporala/unt-cacao/unt-de-cacao-pentru-plaja-100g [R=301,L]
You should include the canonical scheme and hostname in your URL redirects in order to avoid multiple redirects when requesting an "old" URL at a non-canonical scheme ot hostname.
For example:
RewriteRule ^unt-de-cacao-de-plaja/filtre/producator/crisnatur/$ https://example.com/ingrijire-corporala/unt-cacao/unt-de-cacao-pentru-plaja-100g [R=301,L]
Depending on what you mean exactly by "a lot of Redirect 301" - you should not be doing this at all in .htaccess and instead redirecting in your server-side script, once you have determined that the request will 404. This is to prioritise normal site visiters and not your redirects (that get executed on every single request).
RewriteCond %{ENV:HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
Since you stated that these directives worked previously then I assume the use of the HTTPS environment variable is OK on your system. But note that, whilst this is relatively common, it's non-standard. (It implies the server is using some kind of SSL front-end/proxy.)
Note that the order of these rules will result in a double redirect when requesting http://www.example.com/<anything> (HTTP + www). Which is necessary if you are implementing HSTS, but otherwise, you should reverse these two rules to avoid this unnecessary double redirect.
My main pages are at "main.mysite.com".
Customer access site by "customer.mysite.com" which contains only a subset of the main pages.
When customer request page "customer.mysite.com/data.php", I want to check first if the file is in "customer.mysite.com" subdomain, if yes, then serve that page, if not, then serve the page at "main.mysite.com/data.php" subdomain.
I also want to keep the url at "customer.mysite.com/data.php" for the two cases.
My complete htaccess file is currently :
# This will enable the Rewrite capabilities
RewriteEngine On
RewriteBase /
# This rule will convert request urls like /category/page?id=1 to /?c=category&p=page&id=1
# Redirect to main page, which is Single Page Application and then manage to open the new tab
RewriteRule ^([A-Za-z]*)\/([A-Za-z]*)([?]?[A-Za-z0-9=&]*)$ /?c=$1&p=$2 [NC,R,QSA]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e. http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context
# First, this checks to make sure the connection is not already HTTPS
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [NC]
# This rule will serve pages from main.mysite.com when browsed with customer.mysite.com
# By removing the [R=301], it makes an internal redirect, keeping the original url in the browser
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ https://main.mysite.com/$1 [L,NC,QSA]
# Disable Directory Listing
Options -Indexes
<Files .htaccess>
order allow,deny
deny from all
</Files>
However, when I browse "customer.mysite.com/page.php", I am redirected to "main.mysite.com/page.php", which is not what I want.
First , to redirect /category/page?id=1 to /?c=category&p=page&id=1 :
RewriteCond %{QUERY_STRING} ^id=(.*)$
RewriteRule ^([A-Za-z]+)\/([A-Za-z]+)$ /?c=$1&p=$2 [NC,R=301,QSA]
change this : RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [NC]
to this RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [L,R=301]
Because %{HTTP_HOST} it is request header including your target host
Moreover :
I f you handled error file like that , when there is no file in that target looping will happen so it is better to handle that like this :
replace this :
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ https://main.mysite.com/$1 [L,NC,QSA]
With this :
RewriteCond %{HTTP_HOST} !^(www\.)?main.mysite.com$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ https://main.mysite.com/$1 [L,NC,QSA]
#then you could handle the error that not found in main by this
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /path/to/error/page [L]
By adding the proxy flag [P] to the rule, the server makes an internal redirect, keeping the browser url unchanged. Normally, this would work by not specifying the R=301 flag, but it'S not enough when the rule is changing domain/subdomain.
What worked:
RewriteRule ^(.*)$ https://main.mysite.com/$1 [P,L,NC,QSA]
Note that the L flag is not required with P as it is added implicitely, as no other rules can be executed after that.
I need to modify my .htaccess file to redirect all URLs to a HTTPS version without the "www".
http://example.com --> https://example.com
http://www.example.com --> https://example.com
https://www.example.com --> https://example.com
This is how my .htaccess file looks like:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ redirect.php?id=$1&page=$2 [QSA,L]
What modifications do I need to make to .htaccess in order to forward to HTTPS without the "www"?
It depends on what you are doing with your current code. That just looks like a file that is called redirect but is trying to display a php page from a SEO friendly URL. So I think that might be confusing people.
Anyway, to do what you need to do and force https without www, you only need one more rule above.
Also your second rule needs two capture groups in the RewriteRule test string because you are wanting two different values using $1 and $2 back references.
RewriteEngine On
#rediect www to non www and/or http to https --- all combinations.
RewriteCond %{HTTP_HOST} !^example\.com [NC,OR]
RewriteCond %{HTTPS} !^on
RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.+)/(.+)/?$ redirect.php?id=$1&page=$2 [QSA,L]
So this second rule will work for an URL formed like this.
https://example.com/123/pagename
So, here is the situation:
We are running a website which is powered by Drupal. Sometime ago, it was decided that the website should be served as SSL. The settings to redirect the site from http to https was done by a guy who is not with us anymore.
I can see in the .htaccess file the following lines
#Redirect http to https
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://docs.dev.domain.com/$1 [R,L]
mydomain.com points to the root of the LAMPP server and my site is in a folder inside the webroot (docs.dev.domain.com/mysite).
Now, it has been decided that the SSL is not needed and it has to be removed and all the pages must be served via http (301 redirect).
When I do that in the .htaccess file by using the RewriteRule to redirect a URL (e.g. https://docs.dev.domain.com/mysite/content/book) to http when a user visits https by using:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ index.php [L]
#Redirect HTTPS to HTTP
RewriteCond %{SERVER_PORT} ^443$
#RewriteCond %{HTTPS} on
RewriteRule ^(.*)$ http://docs.dev.domain.com/mysite/$1 [R=301,L]
#even tried this - RewriteRule ^(.*)$ http://docs.dev.domain.com/$1 [R=301,L]
but it redirects every request on https to http://mydomain.com/mysite/index.php (even the urls like (https://docs.dev.domain.com/mysite/content/book/1 which should ideally be redirected to its http counterpart).
How can I remove the https so that my dynamic URLs are served via plain http?
Sorry if this is very novice problem.
This is happening because you have a routing rule before the redirect. The rewrite engine will loop until the URI comes back unchanged, and at that point, it evaluates if the URI needs to be passed onto other modules in order to handle redirecting or proxying.
That means your request is getting routed to index.php, then the rewrite engine loops, then it sees that the request (which at this point is simply /index.php) needs to be redirected, so the request gets flagged to be redirected. Then mod_rewite redirects, but by now, the URI is mangled by your routing rule.
You need to swap the order:
RewriteCond %{HTTPS} on
RewriteRule ^(.*)$ http://docs.dev.domain.com/mysite/$1 [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ index.php [L]
Enabling SSL or disabling it in Drupal has very easy method by enabling/disabling a module. You should check the module name securepages & if it is there you just need to disable it for disabling HTTPS...
Then you can go to your YOURSITE/sites/default & look into settings.php & if $base_url is defined then just remove the 'S' from 'HTTPS'.
You are done...
I don't think that guy enabled it from .htaccess & so I gave my answer even after you solved it by Jon Lin answer..
I have the following in my .htaccess - the clean url's declaration and the https redirect both work fine individually but put together are causing the continuous redirect error (this server is redirecting in a way which will never complete).
Here is my .htacess:
RewriteEngine on
# if a directory or a file exists, use it directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# otherwise forward it to index.php
RewriteRule . index.php
# force to use https
#RewriteCond %{HTTPS} !=on
#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Any idea how i can resolve this?
Thank you
Hope I am not late as I stumbled through your same problem and figured out the conflict just a day ago.
Write the following in your .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php
The first rule will automatically redirect any HTTP requests to HTTPS and (through the crucial [L] tag) stop other substitutions which will mess up the page (specifically, images and CSS stylesheets would not be served).
The second one is the Yii suggested way to check whether a particular URL corresponds to a real file or directory and, if not, to forward the request to index.php (the bootstrap file for the Web application). (The rules in the application's configuration file should do the rest, then).