Forcing HTTPS on entire CodeIgniter driven site creates request loops... why? - .htaccess

I have a pretty basic CodeIgniter setup for a site that now needs to be run entirely on SSL. So, I figured I need to force https by some .htaccess rules as that seems to be the most intuitive and straightforward approach. This is what I do:
config:
$config['base_url'] = 'https://cooldomain.com';
$config['index_page'] = '';
.htaccess:
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
#remove ugly index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1
The result is that I get lots of identical GET requests in my FireBug resulting in a "blank" error screen.
Don't CI URI patterns like .htaccess redirects? Surely this must work?

Shouldn't
RewriteCond %{S} off
actually be
RewriteCond %{HTTPS} off
?

Because this answer came up quite high on my Google search I'll answer this one.
Reading from the comments there seems to be a load balancer in front of the web server. When this happens you can check the following as well to see if there's an HTTPS connection:
RewriteCond %{HTTP:X-Forwarded-Proto} =http
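
The loop and the fix from this answer, modelled as an added example (not code from the original posts). It assumes a TLS-terminating load balancer that forwards plain HTTP to the backend and sets X-Forwarded-Proto; the function and rule names are hypothetical.

```python
from urllib.parse import urlsplit

def backend_rule(rule, backend_https, headers, host, path):
    """Return the redirect target the backend would send, or None to serve the page."""
    if rule == "https_off":            # RewriteCond %{HTTPS} off
        redirect = not backend_https
    elif rule == "forwarded_proto":    # RewriteCond %{HTTP:X-Forwarded-Proto} =http
        redirect = headers.get("X-Forwarded-Proto") == "http"
    else:
        raise ValueError(f"unknown rule: {rule}")
    return f"https://{host}{path}" if redirect else None

def via_load_balancer(url, rule):
    """TLS ends at the balancer: the backend hop is always plain HTTP, and the
    client's original scheme survives only in X-Forwarded-Proto (assumed setup)."""
    parts = urlsplit(url)
    headers = {"X-Forwarded-Proto": parts.scheme}
    return backend_rule(rule, False, headers, parts.netloc, parts.path or "/")

def trace(url, rule, max_hops=10):
    """Follow redirects like a browser. Returns (chain, looped)."""
    chain = [url]
    for _ in range(max_hops):
        target = via_load_balancer(chain[-1], rule)
        if target is None:
            return chain, False       # page served, no further redirect
        if target in chain:
            return chain, True        # redirected to a URL already visited
        chain.append(target)
    return chain, True                # hop budget exhausted

if __name__ == "__main__":
    for rule in ("https_off", "forwarded_proto"):
        chain, looped = trace("http://cooldomain.com/news", rule)
        print(rule, "->", " -> ".join(chain), "(loop)" if looped else "(served)")
```

The X-Forwarded-Proto check is only reliable when every request reaches the backend through the balancer; a client that connects to the backend directly sends no such header, or any value it likes, so the backend should accept traffic from the balancer only.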

Related

Exclude specific browsers (Puffin and Photon) from HTTP/HTTPS rewrite in .htaccess

So my site is going secure. Except one directory (/da) has old Flash content (that I cannot edit) that simply refuses to work under SSL. So, I pieced a few StackOverflow user solutions (THANK YOU!) together, wrote an HTTP --> HTTPS rewrite where I carve out an exception for the /da directory and got that much working just fine.
The only issue is with mobile browsers which play Flash content (such as Puffin and Photon). For some reason, they don't like the rewrite code and continue to open the /da directory under HTTPS... thus the Flash content doesn't work.
I thought that I could just exclude those browsers from the rewrite, but I can't get that piece to work. Please see below and let me know what I'm doing wrong. It's the "Puffin|BonEcho" line which I'm trying to get to work. Am I doing it wrong?
Or is there a better solution? Is there a way to get Puffin and Photon to comply with the HTTP/HTTPS rewrite script?
Thanks!
RewriteEngine On
RewriteCond $1 !\.(gif|jpe?g|png)$ [NC]
# Force HTTPS for anything which isn't /da
RewriteCond %{HTTPS} =on
RewriteCond %{THE_REQUEST} ^[A-Z]+\s/da [NC]
RewriteCond %{HTTP_USER_AGENT} !"Puffin|BonEcho" [NC,OR]
RewriteRule ^(da) http://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]
# Force HTTP for anything which is /da
RewriteCond %{HTTPS} !=on
RewriteCond %{THE_REQUEST} !^[A-Z]+\s/da [NC]
RewriteRule !^da https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]
# Remove index.php from URLs
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1

.htaccess rules not working properly

I encountered a small issue while trying to make my site redirect all http requests to https. Before I start, however, I should warn you that I'm rather new to this, so please show mercy ;)
Here's my .htaccess file:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule ^.*$ ./index.php
RewriteCond %{HTTPS} !=on
RewriteRule ^.*$ https://nordicraft.net/%{REQUEST_URI} [NC]
To start off, I'm running my site on shared hosting, and everything up to the first RewriteRule was in the file the first time I opened it. I have no idea what the -d and -f conditions mean or what they are supposed to do, so I left them untouched. The only things I added were the last RewriteCond and RewriteRule.
Now, the issue is, it works as intended ONLY when accessing the main page, that is, simply entering nordicraft.net in the address bar. It redirects me to the https version, as intended. Also, it does the same thing if I explicitly try to access the index.php file. However, if I try accessing any other website feature, like the forums, it redirects me to https://${REQUESt_URI}. In my case, https://forum. You can view the site in real time at http://nordicraft.net.
Any ideas what is causing this, or possible fixes? Thanks!
Try with:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://nordicraft.net%{REQUEST_URI} [NE,L]
RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule ^ /index.php [L]

htaccess rewrite rule tweak

I have a website with HTTPS installed.
I need to ensure all pages (except the ones that are intentionally HTTPS) are forced to show on non-https.
The HTTPS is installed ONLY on domain-name.com/ssl-directory/what-ever-page-goes-here/
So, only the pages after domain-name.com/ssl-directory/ should keep the HTTPS (they do now) and all others (including domain-name.com/ssl-directory/ itself) should be forced to non-https.
So far, this is what I've got but it's not working and as I'm not an expert with htaccess redirects, I don't know why.
RewriteEngine on
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !^ssl-directory/(.*)
RewriteRule .* http://%{SERVER_NAME}%{REQUEST_URI} [R,L]
As I said, I'm not an expert in this, but I think this should mean =>
turn RewriteEngine on
If HTTPS and
If REQUEST_URI is not a child of ssl-directory
Rewrite to same page, but with http
Obviously I'm doing something wrong, so any help would be appreciated.
Thanks
Replace your code with this:
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/ssl-directory(/.*|)$ [NC]
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Better to use HTTP_HOST instead of SERVER_NAME and %{REQUEST_URI} has a / at the start.

SSL with Codeigniter htaccess

OK so I'm having a bit of trouble with .htaccess.
I'm using Codeigniter and have just installed an SSL certificate. It's working great except I don't get the blue bar in Firefox, it says 'Your connection to this site is only partially encrypted'.
Here's my .htaccess file:
RewriteEngine on
Options +FollowSymLinks
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} (signin)
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !(signin)
RewriteRule ^(.*)$ http://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
I only want to force SSL on some pages, to start with the signin page (mydomain.com/signin). It seems to remove the index.php/ in the URL fine and it does seem to be forcing the SSL for that page but there's no blue bar :(
I also changed my base_url to the following in the config file to allow http and https:
$config['base_url'] = $config['base_url'] = "http".((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") ? "s" : "")."://".$_SERVER['HTTP_HOST'].str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME']);
Any help is most appreciated :)
I think the error is caused by having elements in your page which are downloaded using HTTP instead of HTTPS.
You need to make sure that you either reference all the elements in the page with relative URLs or absolute URLs with the proper protocol (HTTPS instead of HTTP).
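
One way to find the elements this answer refers to, as an added example (not part of the original answer): a scanner that resolves each subresource URL the way a browser would, including against a `<base href>`, and reports those that end up on plain HTTP. The sample page and the cdn.example host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
FETCHING_ATTR = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
                 "source": "src", "audio": "src", "video": "src",
                 "object": "data", "link": "href"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base_url = page_url      # changes if the page carries <base href>
        self.findings = []            # (tag, attribute value, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base_url = urljoin(self.base_url, attrs["href"])
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return                    # only stylesheet links are checked here
        value = attrs.get(FETCHING_ATTR.get(tag, ""))
        if value:
            resolved = urljoin(self.base_url, value)
            if urlsplit(resolved).scheme == "http":
                self.findings.append((tag, value, resolved))

def find_mixed_content(page_url, html):
    """Return subresources of an HTTPS page that would load over plain HTTP."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, not taken from the original post.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://mydomain.com/signin">
<script src="http://mydomain.com/js/app.js"></script>
<script src="//cdn.example/lib.js"></script>
</head><body>
<img src="images/logo.png">
<a href="http://mydomain.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content("https://mydomain.com/signin", SAMPLE):
        print(finding)
```

Relative and protocol-relative URLs are safe only while the base they resolve against is HTTPS; a `<base href="http://...">` in the page turns every one of them into mixed content.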

Force subset of webpages as HTTPS

I would like to force a subset of webpages to https and all other webpages as http.
In htaccess I use the following script that I found in another post, but that wasn't working...
RewriteCond %{HTTPS} off
RewriteRule ^(login|signup)\.php https://%{HTTP_HOST}%{REQUEST_URI} [R,L,QSA]
RewriteCond %{HTTPS} on
RewriteCond ${REQUEST_URI} !(login|signup)\.php
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R,L,QSA]
HTTP is forced as it should be, HTTPS is forced as it should be, but eg https://mywebsite.com/signup produces an infinite loop error in my browser. Any ideas what goes wrong?
I changed the code to the following which seems to work, but now the SSL is only partially implemented due to secure and insecure items on the webpage. I checked the URLs to e.g. images, style sheets and external javascript files but these are all relative and shouldn't pose a problem... If someone knows how to deal with this I'd be glad to hear it.
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^/login$ [OR]
RewriteCond %{REQUEST_URI} ^/signup$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !login$
RewriteCond %{REQUEST_URI} !signup$
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R,L]
Try adding this line somewhere on top of your .htaccess:
Options +FollowSymLinks -MultiViews
Maybe you have some other rules that do this redirect -- it would be good if you provide whole contents of your .htaccess file.
You may have redirect inside the actual php script.
In any case -- if you can edit Apache's config files (httpd.conf or httpd-vhost.conf) then you can enable rewrite debugging (RewriteLoglevel 9) and see what exactly is going on -- this is the best option (if you can).
