Secure Url with mod_rewrite and symfony - .htaccess

I have few pages which need to be secured through mod_rewrite and the code is based on mvc architecture
Let me say I have a page login its url is http://www.example.com/login it needs to be redirected to https://www.example.com/login
If any url other than desired secured url uses https we need to change it to http for example
https://www.example.com/sitemap must be redirected to http://www.example.com/sitemap
I am using the following code in .htaccess
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^login$ https://%{HTTP_HOST}/login [R=301,L]
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{REQUEST_URI} !^/login$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]
# we check if the .html version is here (caching)
RewriteRule ^$ index.html [QSA]
RewriteRule ^([^.]+)$ $1.html [QSA]
RewriteCond %{REQUEST_FILENAME} !-f
# no, so we redirect to our front web controller
RewriteRule ^(.*)$ index.php [QSA,L]
The problem I get is, it gets looped where it says "server is redirecting the request for this address in a way that will never complete".
Can you please help me out with the solution where only the following urls are secured and others are not. I need a solution with .htaccess and not with any symfony plugin.
https://www.example.com/login
https://www.example.com/account
https://www.example.com/register
Thanks
Nizam

I think the problem is an unwanted slash in your fifth line's regex. Try this
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^login$ https://%{HTTP_HOST}/login [R=301,L]
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{REQUEST_URI} !^login$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]

This worked perfectly for me
# SSL here
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/?(login|account|register|mypage)(.*) https://%{HTTP_HOST}/$1$2 [R,L]
# not anywhere else
RewriteCond %{SERVER_PORT} !^80$
RewriteCond %{REQUEST_URI} !^/?(login|account|register|mypage)(.*)
RewriteCond %{REQUEST_URI} !^/?index\.php$
RewriteRule .? http://%{HTTP_HOST}%{REQUEST_URI} [R,L]
Thanks Prem, Amar, Harry for the solution.

Related

.htaccess force ssl execlude some url(s)

I'm trying to redirect every request to "https" instead of any call to "example.org/forum/...", but hunderets of solutions did not work and I can't figure out why for example this approach does not work:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/forum/.*$
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://example.org$1 [R=301,L]
RewriteCond %{REQUEST_URI} ^/forum/.*$
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.*)$ http://example.org/$1 [R=301,L]
EDIT: I've tried this example now on a domain with just some folders, index.html files and a .htacess file with nothing but these two rules in the root and works like charm!
The point is that I try to achieve this on a domain with a cms underneath, it is a contao installation and there it does not work. I also tried it on a wordpress installation and there it does not work too!
So I think it has something to do with internal redirections, does anyone has a clue!? I can't find such a case on the web...
The RewriteCond directive REQUEST_URI is starting with /, you should make these rules change:
RewriteCond %{REQUEST_URI} !^/forum/.*$
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://example.org/$1 [R=301,L]
RewriteCond %{REQUEST_URI} ^/forum/.*$
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.*)$ http://example.org/$1 [R=301,L]
RewriteEngine on
RewriteCond %{HTTP_HOST} ^yourdomaim.com$
RewriteRule (.*) https://www.yourdomain.com/$1 [R=301,L]
RewriteRule ^$ folder name [L]
It works for me redirect all to https
Foldername is the folder after youdomain.com/foldername

Avoid infinite loop with 301 redirects

I'm using .htaccess to redirect
http://www.example.com/foo/
to
http://www.example.com/foo/bar
This is my code:
redirect 301 /foo/ http://www.example.com/foo/bar
However this produces a feedback loop, something like
http://www.example.com/foo/barbarbarbarbarbar etc.
I've tried placing delimiters around it:
redirect 301 ^/foo/$ http://www.example.com/foo/bar
but then the redirect simply doesn't take place. I'm probably missing some very simple point of syntax. Any ideas? Thanks.
EDIT
Here's my (almost) full .htaccess file:
RewriteEngine On
RewriteBase /
# Canonical is www version
RewriteCond %{HTTP_HOST} !^www.example.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301]
#redirect => http unless special page
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/(javascripts|images|library|stylesheets)
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#redirect => https for special pages
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# send to router
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [L]
Have your rules like this:
RewriteEngine On
RewriteBase /
# Canonical is www version
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^ http://www.example.com%{REQUEST_URI} [L,R=301]
#redirect => http unless special page
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{HTTPS} on
RewriteCond %{THE_REQUEST} !/(javascripts|images|library|stylesheets)
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#redirect => https for special pages
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{HTTPS} off
RewriteRule !^index\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteRule ^foo/?$ /foo/bar [L,NC,R=301]
# send to router
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [L]
make sure to test this in a new browser or clear your browser cache before testing.
For your information, it really depends on your hosting provider. It may be behind a Load Balancer and you don't have the proper env var set (like HTTPS and others...).
In my case (Infomaniak), nothing actually worked and I got infinite redirect loop.
The right way to do this for Infomaniak is actually explained in their support site:
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule (.*) https://your-domain.com/$1 [R=301,L]
So, always check with your hosting provider. Hopefully they have an article explaining how to do this. Otherwise, just ask the support.
It depends on what is the resource that you want to expose with your redirect.
Is it a file or a directory.
if you would expose a directory under bar you should try :
RedirectMatch 301 ^/foo/ http://www.example.com/foo/bar/
if you would redirect to a file you should use this syntax :
redirect 301 /foo http://www.example.com/foo/bar
you can see this post for more informations
Instead of using redirect, you can use passthrough.
RewriteRule ^/foo$ /foo/bar [PT]

Redirecting from https to http with the exception of some URI's

So the problem I am currently having is that our entire website is indexed using https. we want to redirect to http using .htaccess. the problem is that we need a couple of URIs to still use https and I am not sure how to write the exception for URIs
I know the below example would work if our site functioned like this www.example.com/account.php but our site urls are like www.example.com/index.php?l=account
# Turn SSL on for account
RewriteCond %{HTTPS} off
RewriteCond %{SCRIPT_FILENAME} \/account\.php [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
how can i fix this, any guidance would be appreciated.
thanks
EDIT!
So this code below I have working but I would like to make one more exception that I cant seem to get to work, I also want the root (index.php) to only use http.
I tried using...
RewriteCond %{REQUEST_URI} !^/index.php
but this did not work
# invoke rewrite engine
RewriteEngine On
RewriteBase /
RewriteCond %{https} off
RewriteCond %{QUERY_STRING} !^l=product_detail
RewriteCond %{QUERY_STRING} !^l=product_list
RewriteCond %{QUERY_STRING} !^l=page_view
RewriteRule ^(.*)$ https://%{HTTP_HOST}/development/$1 [R=301,L]
thanks
Try
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/account.php
RewriteCond %{QUERY_STRING} !^l=account
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^/account.php [OR]
RewriteCond %{QUERY_STRING} ^l=account
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

Redirect select pages to https

I have a very simple question that for some reason I cannot figure out, and hours of searching has not helped either. Using an .htaccess file, how can I redirect just /login.php and /index.php to https, and then redirect any other page to just http? I currently use this code to redirect to https, but it redirects every page:
RewriteCond %{SERVER_PORT} !443
RewriteRule ^(.*) https://www.ruxim.com/$1 [R]
thank you very much.
The %{SERVER_PORT} variable depends on the UseCanonicalPhysicalPort in your config. If it's not setup, then you may not be able to match against that variable, easier to use %{HTTPS} instead.
RewriteCond %{HTTPS} off
RewriteRule ^/?(login|index)\.php https://www.ruxim.com%{REQUEST_URI} [L,R]
RewriteCond %{HTTPS} on
RewriteRule !^/?(login|index)\.php http://www.ruxim.com%{REQUEST_URI} [L,R]
If you don't need the redirect to non-https, then you don't need the second rule.
Try something like this;
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{REQUEST_FILENAME} =index.php [OR]
RewriteCond %{REQUEST_FILENAME} =login.php
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
I'm note 100% sure if the [OR] will comply suddenly in the middle.
Please apply following conditions to secure only /login.php and /index.php pages. Other pages will be work on HTTP path (non-secure pages).
RewriteEngine On
RewriteBase /
# force https for /login.php and /index.php
RewriteCond %{HTTPS} =off
RewriteRule ^(index|login)\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# don't do anything for images/css/js (leave protocol as is)
RewriteRule \.(gif|jpe?g|png|css|js)$ - [NC,L]
# force http for all other URLs
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !^/(index|login)\.php$
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Remove www site-wide, force https on certain directories and http on the rest?

Firstly, I would like to remove the www. from my domain name
http://www.example.com => http://example.com
I would also like for certain directories to be secure (https), while the rest remain http
http://example.com/login => https://example.com/login
Obviously it needs to work for all conditions, for example if someone types in:
http://www.example.com/login => https://example.com/login
Also when people navigate away from the login page it returns to http. Currently in the .htaccess is the following which is done automatically by the software I am using and I suppose needs to be there for it to work:
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* ./index.php
Any ideas on how I can achieve dream control all these things?
Thanks in advance!
===================
#Gumbo Following your advice this is my complete .htaccess
RewriteEngine On
# remove www from host
RewriteCond %{HTTP_HOST} ^www\.(.+)
RewriteCond %{HTTPS}s/%1 ^(on(s)|offs)/(.+)
RewriteRule ^ http%2://%3%{REQUEST_URI} [L,R=301]
# force HTTPS
RewriteCond %{HTTPS} =off
RewriteRule ^(login)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# force HTTP
RewriteCond %{HTTPS} =on
RewriteRule !^(login)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* ./index.php
Options -Indexes
Navigating to http://example/login still goes to http://example/index.php when it should go to https://example/login Do I have the order wrong?
Try these rules:
# remove www from host
RewriteCond %{HTTP_HOST} ^www\.(.+)
RewriteCond %{HTTPS}s/%1 ^(on(s)|offs)/(.+)
RewriteRule ^ http%2://%3%{REQUEST_URI} [L,R=301]
# force HTTPS
RewriteCond %{HTTPS} =off
RewriteRule ^(login|foo|bar|…)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# force HTTP
RewriteCond %{HTTPS} =on
RewriteRule !^(login|foo|bar|…)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
You also might want to add some additional conditions to only change the protocol on GET and HEAD requests but not on POST requests.
This code works for me:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
remove www (tested):
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{HTTP_HOST} ^www\.yoursite\.com$ [NC]
RewriteRule ^(.*)$ http://yoursite.com/$1 [L,R=301]
redirect (not tested):
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{THE_REQUEST} \/login/?.*\ HTTP [NC]
RewriteRule ^(.*)$ https://yoursite.com/login [L,R=301]
After reading this all post time line i have get success for following error: My website(c4dprime.com) was attached https: in mozilla firefox browser. Google and internet explore are show domain address as http: (The real problem in firefox) I did not want https: for my domain in any browser because one unknow redirect attached with my domain by https: (Cause for this error)after Installing following plugins in wordpress,(Easy redirect for ssl).... I have told to every one do not use any low level plugins for wordpress.
Anyway! After reading many articles and tutorials at this topic via google search engine. Now i am happy to say i have solve this problem from this post tips. Remember one thing about me i am new to in this form and wordpress.
This tip is help full for me
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{HTTP_HOST} ^www\.yoursite\.com$ [NC]
RewriteRule ^(.*)$ http://yoursite.com/$1 [L,R=301]
After edit or some changes in my .htaccess file following code i have use now with solved this error.
AddHandler c4d-prime .com
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteBase /
RewriteRule ^$ http://www.c4dprime.com/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Resources