ansaurus

Question

Using 'mod_rewrite' how do I force HTTPS for certain paths and HTTP for all others?

Answer 1

A:

to do it:

RewriteCond %{HTTP_HOST}         ^www.example.com(:80)?$

RewriteRule ^/panel/(.*) https://www.example.com/panel/$1 [R=301,L]

the same for the other path

Hope it helps

Ass3mbler 2009-11-29 17:33:26

This won't also redirect HTTPS that don't match the pattern to HTTP

Nat Ryall 2009-11-29 17:38:47

put th :80 part out of the ()? quantifierRewriteCond %{HTTP_HOST} ^www.example.com:80$ORRewriteCond %{HTTPS} !=onORRewriteCond %{SERVER_PORT} !^443$

Ass3mbler 2009-11-29 17:51:10

of course you can use any or all the three RewriteCond before the RewriteRule directive

Ass3mbler 2009-11-29 17:54:40

Thanks for your help but I think you're missing the point. That rule will redirect HTTP to HTTPS but not HTTPS to HTTP for all URLs that don't have `/panel/` in.

Nat Ryall 2009-11-29 17:57:35

Answer 2

+1 A:

The general rule of good security is: if some of your site requires HTTPS, then all of your site requires HTTPS. If you will be using HTTPS in the payment section, then your landing page should be HTTPS as well.

Justice 2009-11-29 18:25:51

I'd be interested to know why you say this? HTTPS hits performance significantly enough to be avoided when not required IMHO. Then again, you're probably right when it comes to sending and receiving any sort of data and not just payment details. I just don't see why it's necessary for pages where no data is transferred other than responding to the request.

Nat Ryall 2009-11-30 12:37:45

The regular part of your site cannot be *trusted* if it is not delivered over HTTPS. One attack vector is to MIM if the regular part of the site is not delivered over HTTPS and rewrite the links to the payment part to an attack site. So the links are delivered by your site, but nevertheless are not trusted - they can be rewritten by an attacker.

Justice 2009-11-30 13:39:14

That's fair enough but is the security payoff from MIM protection really worth the HTTPS requests? Amazon don't seem to think so.

Nat Ryall 2009-11-30 15:15:56

I wouldn't be too worried about performance until you actually start having problems. Compared to parsing PHP scripts, opening database connections, rendering templates, etc., the overhead from an optimized SSL library is minimal. And yes, the security benefit is that: *your site is trustworthy as soon as the user visits it*.

Justice 2009-11-30 17:16:21

Answer 3

+3 A:

You can put something like this in your :80 vhost:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(panel/|store/payment) https://%{HTTP_HOST}%{REQUEST_URI}

And this in your :443 vhost:

RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule !^(panel/|store/payment) http://%{HTTP_HOST}%{REQUEST_URI}

tersmitten 2009-11-29 18:26:41

Great answer, thanks!

Nat Ryall 2009-11-30 12:39:18

Answer 4

A:

None of these solutions works with pretty url's. One suggestion: we were getting browser security warnings just using the http_host in the rewrite. Evidently, Thawte is retarded and therefore prefixing with 'www' or not makes a difference as to the perceived validity of the certificate. Here are a few lines to ensure that redirects to the secure site are always prefixed with 'www':

RewriteCond %{HTTP_HOST} ^www\.mysite\.com [NC]
RewriteRule ^(login\.php|members\.php)$ https://%{HTTP_HOST}%{REQUEST_URI}
RewriteCond %{HTTP_HOST} ^mysite\.com [NC]
RewriteRule ^(login\.php|members\.php)$ https://www.${HTTP_HOST}%{REQUEST_URI}

Or to do it in a little less space, you could drop the 2nd line and hard-code the domain in the 4th. I'm sure there's a more elegant way of doing it, but htaccess is frustrating, and this works.

2010-06-17 17:07:35

ansaurus

tags:

views:

answers:

Using 'mod_rewrite' how do I force HTTPS for certain paths and HTTP for all others?

related questions