Apache is used as a proxy for JBoss. It redirects all requests from port 80 to JBoss's ports. I added HTTPS support to Apache, so all responses to the customer's browser (JS, CSS, etc.) now have https links in the header instead of http.
Header example without ssl:
General
Request URL: http://www-prd.corp.sdl.com/ww/en/assets-re1/css/css.css
Referrer Policy: no-referrer-when-downgrade
Header with ssl include:
General
Request URL: https://www-prd.corp.sdl.com/ww/en/assets-re1/css/css.css
Referrer Policy: no-referrer-when-downgrade
I want to rewrite the header that Apache returns to the browser so that it is as it was: http:\URL.
I tried
RewriteEngine on
Header edit request "^https://www-prd.corp.sdl.com/(.*)$" "http://www-prd.corp.sdl.com/$1"
RewriteEngine on
Header edit "^https://www-prd.corp.sdl.com/(.*)$" "http://www-prd.corp.sdl.com/$1"
and
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} ^www-prd.corp.sdl.com$ [NC]
RewriteRule ^(.*)$ https://www-prd.corp.sdl.com$1 [L]
But these didn't help me.
I made the changes using Substitute.
everyone.
My problem is simple, but I cannot manage to find a solution.
All I need to do is use RewriteRule on Apache to redirect all request from a hostname to its FQDN.
For example, if the request is https://hostname/test.html, I want Apache to redirect the request to https://hostname.test.com/test.html. This has to be rewritten to any request to that hostname.
How can I do this?
Edit 1:
I've noticed that the following RewriteRule works for HTTP, but not for HTTPS:
RewriteCond %{HTTP_HOST} ^hostname$
RewriteRule ^(.*)$ https://hostname.test.com%{REQUEST_URI} [R,L]
What am I missing?
BR
I've managed to find the problem.
The redirect is working.
The problem is that the certificate does not contain the hostname version of the URL, only the FQDN.
Since the certificate is checked before the redirect, hence the problem.
Sorry for the mess up
I have the following in a .htaccess file:
Options +FollowSymLinks
RewriteEngine on
RewriteRule ^(.*)$ http://example.com/$1 [R=302,L]
Yet when I go to https://example.com I get an invalid certificate screen in the browser. How can I force the visitor to http:// temporarily until the SSL Cert gets purchased and installed?
Redirects happen on the HTTP layer with an HTTP response header. HTTPS encapsulates HTTP into a TLS connection; the TLS connection has to be negotiated first before interaction at the HTTP layer can happen. If your server fails to negotiate a valid TLS connection, e.g. because it cannot present a certificate the client will accept, then it also cannot redirect the client at the HTTP layer.
You could use the following code in the .htaccess file:
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.*)$ http://%{SERVER_NAME}%{REQUEST_URI} [L,R]
This will redirect the port request 443 (SSL) to 80 (HTTP).
I tried it out, it works fine for me.
I have set up the htaccess file to handle users requests with a specific rule and generic requests with other rules:
# users requests (i.e. users/login.html)
RewriteRule ^users/([^/]+)\.html$ mvc.php?rt=users/$1 [L,QSA,NC]
# generic requests (controller/action/id.html)
RewriteRule ^([^/]+)/([^/]+)/([^/]+)\.html$ mvc.php?rt=$1/$2&id=$3 [L,QSA,NC]
# generic requests (controller/action/)
RewriteRule ^([^/]+)/([^/]+)/$ mvc.php?rt=$1/$2 [L,QSA,NC]
# generic requests (controller/id.html)
RewriteRule ^([^/]+)/([^/]+)\.html$ mvc.php?rt=$1&id=$2 [L,QSA,NC]
# generic requests (controller.html)
RewriteRule ^([^/]+)\.html$ mvc.php?rt=$1 [L,QSA,NC]
RewriteRule ^$ mvc.php?rt=index [L,QSA,NC]
This works fine, and URL translation is handled correctly. My goal is now to force all users requests to be sent over HTTPS. I'm trying to set up a redirect rule as described in RewriteHTTPToHTTPS. I know this is not the recommended solution, but my server doesn't seem to support VirtualHost statements. Here is my code:
# users http to https
RewriteCond %{HTTPS} !=on
RewriteRule ^users(.*) https://%{SERVER_NAME}/users$1 [R,L]
Unfortunately this doesn't seem to work because I needed to insert the L flag after all rules, which causes the processing to stop when the rule is met. So, if the http-to-https rule is inserted first in htaccess, this rule is met and the user-specific rule is ignored (and vice versa for the other case). Is there a way to both:
handle users requests with a specific rule
force users requests to be sent over HTTPS
with htaccess rules?
For many reasons, my advice is to:
- do a 301 redirect to https on all http requests
- use HSTS on all https answers
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
or
<VirtualHost *:80>
ServerAlias *
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>
And in the 443 VirtualHost:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
WARNING: Set the Strict-Transport-Security ONLY when https works on all webpages. You can try with 3600 (10 minutes) in the beginning if you are not sure. The "includeSubDomains" will force https for all subdomains and "preload" will allow your website to be added to the preload list of browsers.
If you have a login page, do not forget the Secure attribute on the cookies (without it the cookie will be sent with insecure http requests too).
Why?
- Because without HSTS someone can force the browser to do a request to http://example.com/mysecurepage and then intercept the http request before you answer with a 301, and respond with the same page as the one you would respond with, but with http links instead. This attack is called sslstrip, and the only thing that can prevent it is HSTS (preloaded if possible).
- HSTS protects you if you forgot to add the Secure attribute on cookies (but not all browsers know HSTS, which is why it's still important to use the Secure attribute!).
- Because it's easy to miss which pages must be marked secure:
if a page asks for personal data (email, name, ...) then in most European countries you have the obligation to secure it; sometimes a page does not ask for personal data but displays it; sometimes the fact that the content of the page is public does not mean the visitor accepts that anyone knows he visits it.
- With HTTP2 and SPDY, encrypted pages can be served faster than unencrypted ones: https://istlsfastyet.com/
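The rule-ordering problem from the question, combined with the redirect-plus-HSTS advice in the answer, as an added example that is not part of either original post. It assumes an Apache 2.4 `.htaccess` with mod_rewrite and mod_headers available; `mvc.php` and the `users/` prefix are taken from the question, and the one-hour `max-age` is a trial value.

```apache
# Added example (.htaccess, Apache 2.4). Not from the original posts.
RewriteEngine On

# 1. External redirect. R sends a 301 to the browser and L ends processing of
#    THIS request only. The browser then issues a new request over HTTPS,
#    which is evaluated from the top of this file again.
RewriteCond %{HTTPS} !=on
RewriteRule ^users(/.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]

# 2. Internal rewrite. On the follow-up HTTPS request the condition above is
#    false, rule 1 is skipped, and the request reaches the front controller.
#    Because rule 1 comes first, this rule never serves users/ over plain HTTP.
RewriteRule ^users/([^/]+)\.html$ mvc.php?rt=users/$1 [L,QSA,NC]

# 3. HSTS is sent only on responses that actually went out over TLS.
#    3600 seconds is a short trial value; raise it (for example to 31536000)
#    once every page is known to work over HTTPS.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=3600" "expr=%{HTTPS} == 'on'"
</IfModule>
```

The remaining generic rules from the question can follow rule 2 unchanged; only the position of the redirect relative to the `users/` rewrite matters.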
In a search on Google, I found my domain URL with https and not http.
For example: https://xxxx.com/yyyy/zzzz and not http://xxxx.com/yyyy/zzzz
Is it possible to redirect from https to http for the domain xxxx.com?
I use CentOS and the Apache web server.
On the same server, I have an https certificate that responds to https://zzzz.com
Thanks
Carlo
This will work with mod_rewrite on. Put this code in .htaccess file at root of the site.
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
I am currently using HAProxy in front of an Apache setup. Since HAProxy is doing the https termination, I can't use Apache to tell if it's https or http.
So I got HAProxy to add a custom header to send to Apache (X-Forwarded-Proto = http or https).
In my htaccess I would like to do a redirect based on that header, but it looks like I can only access the headers Apache has specifically listed.
For example, I can't do:
RewriteCond %{HTTP_X_FORWARDED_PROTO} !^https$
RewriteRule ^(.*) https://%{HTTP_HOST}$1
Is there another way I can test the header?
You can use this rule:
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R=301,L]
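`X-Forwarded-Proto` is an ordinary request header, so the redirect above is only as trustworthy as the path the request took to reach Apache. The following added example (not from the original answer) restricts the backend to the proxy and derives HSTS from the same header. It assumes Apache 2.4, that `AllowOverride` permits `AuthConfig` and `FileInfo`, and that the proxy overwrites any client-supplied `X-Forwarded-Proto`; `192.0.2.10` is a placeholder proxy address.

```apache
# Added example (.htaccess behind a TLS-terminating proxy). Not from the original posts.

# Only the proxy may talk to this backend, so a client cannot connect
# directly and present its own X-Forwarded-Proto value.
# 192.0.2.10 is a placeholder; use the proxy's real address.
Require ip 192.0.2.10

RewriteEngine On

# Anchored comparison: only the exact value "https" counts as secure.
# A missing header or any other value triggers the redirect.
RewriteCond %{HTTP:X-Forwarded-Proto} !^https$ [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R=301,L]

# TLS ends at the proxy, so %{HTTPS} is never "on" here. Key HSTS off the
# forwarded header instead, so it is only sent for requests that arrived
# at the proxy over TLS.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=3600" "expr=%{req:X-Forwarded-Proto} == 'https'"
</IfModule>
```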