I want to force Apache to use HTTPS for a particular URL in the following form:

https://www.example.com/signup/*

So if someone goes to any of the following example URLs directly, Apache will forward the URL over to the HTTPS equivalent site.

e.g.

http://www.example.com/signup  -->  https://www.example.com/signup
http://www.example.com/signup/basic+plan  -->  https://www.example.com/signup/basic+plan
http://www.example.com/signup/premium  -->  https://www.example.com/signup/premium

Anyone know how?

Thanks in advance

+1  A: 

You should take a look at the mod_rewrite documentation.

hayalci
+2  A: 

You can use the Redirect directive:

Redirect 301 /signup https://www.example.com/signup

This will automatically preserve anything following /signup in the URL. Be sure to configure this directive only on your non-SSL site, or it might get into a recursive loop!

Greg Hewgill
A: 

@Greg Hewgill

When I use your code example and then go to http://example.com/signup in Firefox to test whether it redirects to https, I receive the following Firefox error:

"Firefox has detected that the server is redirecting the request for this address in a way that will never complete."

Timmy_
You probably added the Redirect directive to both the SSL and non-SSL sites. You will want to add it *only* to the non-SSL site.
Greg Hewgill
A: 

You can do this with mod_rewrite -

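# A RewriteCond guards only the next RewriteRule, so it is repeated for each rule
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/signup$ https://example.com/signup [R,L]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/signup/(.*)$ https://example.com/signup/$1 [R,L]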

Should work, though I haven't tested it.

-- edit --

Correction, I just tried this on one of my servers, and it works fine for me. You may want to double-check your mod_rewrite configuration. Also, if you're using .htaccess, you'll want to make sure overrides are allowed for that directory.

As a side note, this assumes your SSL traffic is coming over port 443. If it isn't, you'll need to adjust the rewrite condition accordingly.

Bill B
A: 

@Bill B

I tried your code, unfortunately, it doesn't redirect for either case:

http://example.com/signup

or

http://example.com/signup/plan

:(

Anyone else have any ideas?

Timmy_
+1  A: 

I think this was what I used:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteCond %{REQUEST_URI} ^/somefolder/?
RewriteRule ^(.*)$ https://www.domain.com/somefolder/$1 [R,L]

(from here)

Murat Ayfer
Murat, when I try using your code and test http://example.com/somefolder it redirects to https://example.com/somefolder/somefolder (notice the double "somefolder" in the URL).
Timmy_
A: 

@Murat

When I try using your code and test http://example.com/somefolder it redirects to https://example.com/somefolder/somefolder

Notice the double "somefolder" in the url.

Timmy_
what happens when you try it with this: (question mark is a part of the regex)"%{REQUEST_URI} ^/somefolder/?"
Murat Ayfer
+1  A: 

Thanks Murat,

Yours almost worked, but I figured out how to get it to work exactly.

The following is what works:

RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} ^/somefolder/?
RewriteRule ^(.*)$ https://www.domain.com/$1 [R,L]

Notice that I didn't include somefolder in the www.domain.com rewriterule

Timmy_
try to answer comments in comments =)
Seiti
+1  A: 

I used the following to require the checkout section of a website to require SSL:

<Directory "/var/www/html">
        RewriteEngine on
        Options +FollowSymLinks
        Order allow,deny
        Allow from all
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule \.(gif|jpg|jpeg|jpe|png|css|js)$ - [S=1]
        RewriteRule ^checkout(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</Directory>

So for example, hitting http://www.example.com/checkout redirects to https://www.example.com/checkout

The rule will skip file extensions that are typically included within a page so that you don't get mixed content warnings. You should add to this list as necessary.

If you want multiple pages change the RewriteRule to something like:

RewriteRule ^(checkout|login)(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

Of course, the directory should match the actual path on your server. This page may also help with some more information for your specific needs: http://www.whoopis.com/howtos/apache-rewrite.html

I'm using this on a website that runs Plesk 8.6, but that shouldn't matter. This is in my vhost.conf file, which is like putting it in your httpd.conf file. I'm not sure if you'd need to adjust anything to use it in a .htaccess file, but I doubt it. If adding to a conf file, don't forget to restart Apache to reload the configuration.

If you are like me and want to use SSL only on particular pages then you also want a rewrite rule that sends you back to regular http for the rest. You can use the following for the reverse effect:

RewriteCond %{SERVER_PORT} ^443$
RewriteRule \.(gif|jpg|jpeg|jpe|png|css|js)$ - [S=1]
RewriteRule !^(checkout|login)(.*)$ http://%{SERVER_NAME}%{REQUEST_URI} [L,R]

If you are using Plesk like I am keep in mind that all non-SSL traffic uses the vhost.conf file but all SSL traffic uses the vhost_ssl.conf file. That means your first rewrite rule to require SSL would go in the vhost.conf file but the second rule to force back to non-SSL will have to go in the vhost_ssl file. If you are using httpd.conf or .htaccess I think you can put them both in the same place.

I've also posted this tutorial on my blog: Apache rewrite rules to force secure/non-secure pages.
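
As an added example (not taken from any of the answers above), here is the redirect from the question written for both rewrite contexts, because the leading slash that the pattern sees differs between a vhost file and .htaccess. The hostname www.example.com and the document root /var/www/html are assumptions.

```apache
# Added example: www.example.com and /var/www/html are assumed names.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/html"

    RewriteEngine On

    # Server/vhost context: the pattern is matched against the URL-path,
    # which starts with "/".
    #
    # The pattern matches /signup, /signup/ and /signup/<anything>, but not
    # /signups. $1 carries the rest of the path, and the query string is
    # passed through unchanged. The target host is fixed rather than taken
    # from the request.
    #
    # A RewriteCond guards only the RewriteRule that immediately follows it,
    # so repeat the condition for every rule it should protect.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/signup(/.*)?$ https://www.example.com/signup$1 [R=301,L]
</VirtualHost>

# Per-directory context (.htaccess in the document root, or a <Directory>
# block for it): the directory prefix, including the leading "/", is removed
# before matching, so the same redirect is written without the slash:
#
#   RewriteEngine On
#   RewriteCond %{HTTPS} !=on
#   RewriteRule ^signup(/.*)?$ https://www.example.com/signup$1 [R=301,L]
```

While testing, use R=302 instead of R=301: browsers cache a permanent redirect, so a mistaken rule can keep redirecting after it has been corrected.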