tags:

views:

215

answers:

2
Q: 

Using .htaccess to force either HTTP or HTTPS

I have already have this code to force these URLs to HTTPS:

RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^/my/?.*$
RewriteCond %{REQUEST_URI} !^/my/basket/add?.*$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^/login/?.*$
RewriteCond %{REQUEST_URI} ^/logout/?.*$
RewriteCond %{REQUEST_URI} ^/register/?.*$
RewriteCond %{REQUEST_URI} ^/newsletter/?.*$
RewriteCond %{REQUEST_URI} ^/reset-password/?.*$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

And this works really well, but what I want to do is force any URL that does not comply with the above conditions to HTTP, firing a 301.

I don't want to create a list of HTTP pages and redirect them like I have with the HTTPS above. The secure pages URLs will always remain the same, unless I change the system somehow, but I can update them when needed. The non-secure pages can by dynamic, and created / edited by some of the sales team here, therefore these need to be target intelligently.

Any thoughts on how I could do this? It has to be done using .htaccess, I have been achieving this by handling it within our PHP framework, but this has caused a pretty significant performance problem as well as causing problems with our Google crawls.

Cheers!

+1  A: 

As you are using the L flag on your rule there, you should be able to just use a RewriteCond such as the one below to rewrite any requests that have not been caught in the previous conditions to HTTP? Place it AFTER the rules you have posted. This seems a bit too obvious, but it might work.

RewriteCond %{REQUEST_URI} ^.*$
RewriteCond %{HTTP} OFF
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [L]
Seidr  2010-03-30 15:49:49
I'm not quite sure if this will do the trick - I'm way too tired to know for sure! Hopefully it can point you in the right direction though.
Seidr  2010-03-30 15:57:50
I will try it when I'm back at work tomorrow and report back! Thanks :D
ILMV  2010-03-30 23:53:21
Unfortunately this did not work
ILMV  2010-04-14 09:13:13
+2  A: 

A modification to the answer from Seidr, because in fact you only want to redirect if the HTTPS is on, when you want it to be off (also, there is no %{HTTP} variable). Again, put this after all your rules.

RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/login/?.*$
RewriteCond %{REQUEST_URI} !^/logout/?.*$
RewriteCond %{REQUEST_URI} !^/register/?.*$
RewriteCond %{REQUEST_URI} !^/newsletter/?.*$
RewriteCond %{REQUEST_URI} !^/reset-password/?.*$
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Haven't tested this though, so not 100% that it will work.

Edit: Conditions for secure pages required, so that they will still be left in HTTPS mode.

Kazar  2010-04-14 09:33:08
Ok I get it, the `L` flag on my HTTPS `RewriteRule` say that if there's a match there and we're using HTTP then we redirect and that's the last rule processed. But what if we're already using HTTPS? It will ignore my original conditions and redirect back to HTTP... won't it?
ILMV  2010-04-14 09:59:58
In fact, when I test this it never redirect anything to HTTPS, always to HTTP.
ILMV  2010-04-14 10:04:14
You're right, you are going to have to add a condition for the secure pages (will require some duplication tho). See edit.
Kazar  2010-04-14 10:11:23
You will also need to add a condition for the first set of rules.
Kazar  2010-04-14 10:12:39
Righto, I think I have a small bug in my `.htaccess` so I'll resolve that and try your option... cheers Kazar!
ILMV  2010-04-14 10:19:13
After spending lots of time adjusting my htaccess file I've managed to get it to work. Thanks for your help.
ILMV  2010-04-15 12:20:53
Nice one, my bad on the bogus HTTP variable. Assumption is the mother of all .... ups, hey.
Seidr  2010-04-19 08:22:09

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.