Force subset of webpages as HTTPS - .htaccess

I would like to force a subset of webpages to https and all other webpages as http.
In htaccess I use the following script that I found in another post, but that wasn't working...
RewriteCond %{HTTPS} off
RewriteRule ^(login|signup)\.php https://%{HTTP_HOST}%{REQUEST_URI} [R,L,QSA]
RewriteCond %{HTTPS} on
RewriteCond ${REQUEST_URI} !(login|signup)\.php
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R,L,QSA]
HTTP is forced as it should be, HTTPS is forced as it should be, but eg https://mywebsite.com/signup produces an infinite loop error in my browser. Any ideas what goes wrong?
I changed to code to the following which seems to work, but now the SSL is only partially implemented due to secure and insecure items on the webpage. I checked the URLS to e.g. images, style sheets and external javascript files bit these are all relative and shouldn't pose a problem... If someone knows how to deal with this I'd be glad to hear it.
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^/login$ [OR]
RewriteCond %{REQUEST_URI} ^/signup$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !login$
RewriteCond %{REQUEST_URI} !signup$
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R,L]

Try adding this line somewhere on top of your .htaccess:
Options +FollowSymLinks -MultiViews
Maybe you have some other rules that do this redirect -- it would be good if you provide whole contents of your .htaccess file.
You may have redirect inside the actual php script.
In any acse -- if you can edit Apache's config files (httpd.conf or httpd-vhost.conf) then you can enable rewrite debugging (RewriteLoglevel 9) and see what exactly is going on -- this is the best option (if you can).

Related

Exclude specific browsers (Puffin and Photon) from HTTP/HTTPS rewrite in .htaccess

So my site is going secure. Except one directory (/da) has old Flash content (that I cannot edit) that simply refuses to work under SSL. So, I pieced a few StackOverflow user solutions (THANK YOU!) together, wrote a HTTP --> HTTPS rewrite where I carve out an exception for the /da directory and got that much working just fine.
The only issue is with mobile browsers which play Flash content (such as Puffin and Photon). For some reason, they don't like the rewrite code and continue to open the /da directory under HTTPS... thus the Flash content doesn't work.
I thought that I could just exclude those browsers from the rewrite, but I can't get that piece to work. Please see below and let me know what I'm doing wrong. It's the "Puffin|BonEcho" line which I'm trying to get to work. Am I doing it wrong?
Or is there a better solution? Is there a way to get Puffin and Photon to comply with the HTTP/HTTPS rewrite script?
Thanks!
RewriteEngine On
RewriteCond $1 !\.(gif|jpe?g|png)$ [NC]
# Force HTTPS for anything which isn't /da
RewriteCond %{HTTPS} =on
RewriteCond %{THE_REQUEST} ^[A-Z]+\s/da [NC]
RewriteCond %{HTTP_USER_AGENT} !"Puffin|BonEcho" [NC,OR]
RewriteRule ^(da) http://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]
# Force HTTP for anything which is /da
RewriteCond %{HTTPS} !=on
RewriteCond %{THE_REQUEST} !^[A-Z]+\s/da [NC]
RewriteRule !^da https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]
# Remove index.php from URLs
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1

Force HTTP for all pages except specific URLs

I have a situation where I need to force every single page in my site to redirect to HTTP except for two specific URLs which need to force redirect to HTTPS.
The two pages that need to redirect to HTTPS pages are:
/microsoft-moc-on-demand-video-training/moc-registration-page/
/courses/register/
The code I've been using in my .htaccess file looks like this:
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/courses/register/
RewriteCond %{REQUEST_URI} !^/microsoft-moc-on-demand-video-training/moc-registration-page/
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} off
RewriteRule ^(/courses/register/|/microsoft-moc-on-demand-video-training/moc-registration-page/)/ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Unfortunately this doesn't seem to be working. The entire site does redirect to HTTP (so part of the code works), but those two exceptions (which should redirect to HTTPS) do not do that, they stay as HTTP links.
Any idea what I'm doing wrong here?
The problem is that for RewriteRule, there is no initial / in the requested path. Therefore, you're trying to match something that isn't present.
You also had an extra / at the end of each option in the first capture group, which when combined with the final / would require a path such as /courses/register//.
The following code should suit your needs:
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/courses/register/
RewriteCond %{REQUEST_URI} !^/microsoft-moc-on-demand-video-training/moc-registration-page/
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} off
RewriteRule ^(courses/register|microsoft-moc-on-demand-video-training/moc-registration-page)/ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

htaccess rewrite rule tweak

I have a website with HTTPS installed.
I need to ensure all pages (except the ones that are intentionally HTTPS) are forced to show on non-https.
The HTTPS is installed ONLY on domain-name.com/ssl-directory/what-ever-page-goes-here/
So, only the pages after domain-name.com/ssl-directory/ should keep the HTTPS (they do now) and all other (including domain-name.com/ssl-directory/ itself should be forced to non-https).
So far, this is what I've got but it's not working and as I'm not an expert with htaccess redirects, I don't know why.
RewriteEngine on
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !^ssl-directory/(.*)
RewriteRule .* http://%{SERVER_NAME}%{REQUEST_URI} [R,L]
As I said, I'm not an expert in this, but I think this should mean =>
turn RewriteEngine on
If HTTPS and
If REQUEST_URI is not a child of ssl-directory
Rewrite to same page, but with http
Obviously I'm doing something wrong, so any help would be appreciated.
Thanks
Replace your code with this:
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/ssl-directory(/.*|)$ [NC]
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Better to use HTTP_HOST instead of SERVER_NAME and %{REQUEST_URI} has a / at the start.

Forcing HTTPS on entire CodeIgniter driven site creates request loops... why?

I have a pretty basic CodeIgniter setup for a site that now needs to be run entirely on SSL. So, I figured I need to force https by some .htaccess rules as that seems to be the most intuitive and straight forward approach. This is what I do:
config:
$config['base_url'] = 'https://cooldomain.com';
$config['index_page'] = '';
.htaccess:
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
#remove ugly index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1
The result is that I get lots of identical GET requests in my FireBug resulting in a "blank" error screen.
Doesn't CI URI patterns like .htaccess redirects? Surely this must work?
Shouldn't
RewriteCond %{S} off
actually be
RewriteCond %{HTTPS} off
?
Because this answer came up quite high on my google search I'll answer this one.
Reading from the comments there seems to be a loadbalancer infront of the webserver. When this happens you can check the following as well to see if there's a https connection:
RewriteCond %{HTTP:X-Forwarded-Proto} =http

complex mod_rewrite. Any idea?

I want to :
- switch from http to https if http is used
- redirect the subdomain to index?o=subdomain except www
- redirection the subdirectory to index?u=user
Example :
http://www.mydomain.com will be redirected to https://www.mydomain.com
http://subdomain.mydomain.com will be redirected to https://www.mydomain.com/index?o=subdomain
https://subdomain.mydomain.com will be redirected to https://www.mydomain.com/index?o=subdomain
http://subdomain.mydomain.com/user will be redirected to https://www.mydomain.com/index?o=subdomain&u=user
https://subdomain.mydomain.com/user will be redirected to https://www.mydomain.com/index?o=subdomain&u=user
Is mod_Rewrite the best to do that ? Any idea ?
Thanks in advance
I don't have time to test it right now, but you can try this and see if it works. There may be some potential for some things to go wrong, so if you have trouble with it I'd be happy to work out any kinks later. Also, I think that I covered everything you wanted to do, but let me know if I left something out.
RewriteEngine On
# Force redirect to HTTPS
RewriteCond %{HTTPS} !=on
RewriteRule ^.*$ https://%{HTTP_HOST}/$0 [R=301,L]
Edit: I've updated the ruleset below. I thought about your question though, and aren't you going to have issues attempting to serve up your subdomains over TLS/SSL? That aside, one of the following should do what you want (without errors this time, I hope):
If you wanted internal redirection:
RewriteCond %{HTTP_HOST} !=mydomain.com
RewriteCond %{HTTP_HOST} !^www
RewriteCond %{REQUEST_URI} !^/index
RewriteCond %{HTTP_HOST}%{REQUEST_URI} ^([^\.]+)[^/]*/([^/]+)?
RewriteCond %1&u=%2 ^([^&]+)(&u=.+)?
RewriteRule ^.*$ /index?o=%1%2
If you wanted external redirection:
RewriteCond %{HTTP_HOST} !=mydomain.com
RewriteCond %{HTTP_HOST} !^www
RewriteCond %{REQUEST_URI} !^/index
RewriteCond %{HTTP_HOST}%{REQUEST_URI} ^([^\.]+)[^/]*/([^/]+)?
RewriteCond %1&u=%2 ^([^&]+)(&u=.+)?
RewriteRule ^.*$ https://www.mydomain.com/index?o=%1%2 [R=301,L]

Resources