Remove https:// from URL while still serving SSL - apache

I am attempting to rewrite the URL displayed in a browser to eliminate the https:// portion. Not being familiar with Apache coding, I have tried many different ways of tweaking other code to achieve the result, but without success.
My .htaccess file includes 310 redirect rules, as well as some rewrite conditions, all of which are presently working:
# Force browser to use SSL, even when referring URL is non-secure
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Catch-all for any potential 404 error (file not found) will
# redirect to the index (/) page
Options +SymLinksIfOwnerMatch
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . / [L,R=301]
Any help on this front is greatly appreciated!

I am attempting to rewrite the URL displayed in a browser to eliminate the https:// portion.
I would be curious to see your "attempts". And why do you want to do this?
Basically, you can't.
You have no control over how the browser displays the protocol (i.e. https, or http), or any part of the URL for that matter, in the browser's address bar. And any attempt to "rewrite" the URL to remove https:// is only likely to stop your site serving content over SSL - which is not your intention. The only way to change the physical appearance of the URL in the browser's address bar is by changing the physical URL. This is basic browser security - the website should not be able to control this behaviour. You don't want the website to be able to pretend to be something it is not (i.e. phishing).
However, some browsers do allow the user to control this behaviour to some extent. For example, Opera will show a more friendly URL by default, omitting the HTTP protocol and even the query string. However, this "friendly" display format can be disabled in settings to instead show the complete "real" URL.
Generally, by default, browsers tend to hide the protocol when serving over plain HTTP and show it only when serving over HTTPS - an additional indication to the user that the site is secure. Any attempt to remove the protocol is only going to disturb user trust.

Related

301 Redirect from http to https same page name

I checked the forum but could not find an ideal answer. I have recently installed an SSL certificate on my site and am in the process of creating 301 redirects via the .htaccess file for nearly 400 page URLs (to keep Google happy). I thought of using:
redirect 301 /contact.php https://www.mydomainname.co.uk/contact.php
but it breaks the site. The only solution I have seen is:
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^contact\.php$ https://www.mydomainname.co.uk/contact.php [L,R=301]
The above seems a lot of code to use for each of the 400 pages! Is there a quicker way with less code I can use in the .htaccess file?
Many thanks. Hope someone can advise.
There are two basic ways of redirecting pages with Apache: Redirect (of mod_alias) and RewriteRule etc. (of mod_rewrite).
Redirect is very simple: it will just redirect a single URL to another. It can be useful sometimes, but its usefulness is limited to its simplicity: in the case of HTTP-to-HTTPS redirection, it can't differentiate between HTTP and HTTPS connections, so it will just try to redirect to HTTPS even if you're already on HTTPS (and thus you end up in an infinite redirect loop).
RewriteRule, on the other hand, is more advanced and flexible. You can use RewriteCond to conditionally redirect requests; in your case, you'd want to redirect requests only if they're on an HTTP connection.
As you mentioned, you want to redirect to HTTPS for many (I presume all) requests; you can easily do this with only a single rule:
# Enable rewrites
RewriteEngine on
# Only run next RewriteRule on HTTP connections (not HTTPS)
RewriteCond %{HTTPS} off
# Redirect any page to the same URL with https:// schema
RewriteRule (.*) https://%{SERVER_NAME}/$1 [L,R=301]
(The %{SERVER_NAME} variable will automatically be equal to your domain name, so you can even use this on web servers with multiple domain names.)

Redirecting HTTP to HTTPS without Redirect 301

I need to have https by default on my site, so I used this .htaccess code to redirect all http traffic to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Everything works great, except that the website receives many POST requests coming to the old http:// address, and POST data is lost when 301 is used. I can NOT stop POST requests from coming to the old http:// address because they come from PHP-based scripts (installed on clients' servers), so my only possible options seem to be 307 or 308 redirects (because they keep POST data).
However, redirect 307 is considered as temporary, while I plan to use https permanently, so it doesn't seem to be the best choice? Of course, I can use 308, but this one seems to be "new" and isn't properly supported by all browsers (according to many comments I found on stackoverflow). Maybe someone knows a better rewrite rule to be used in .htaccess?
P.S. I know the best idea is to use 301 redirect and modify scripts to post data to https by default (and I did so already), but it may take a very long time while all clients will update scripts on their servers, that's why another workaround is needed too.
Keep the 301, change your conditions to these:
RewriteCond %{HTTPS} =off
RewriteCond %{REQUEST_METHOD} !=POST
If your clients' legacy scripts use any other method, you will have to change the second condition to include it, e.g.:
RewriteCond %{REQUEST_METHOD} !^(?:POST|PUT)$
Normal requests/crawling will always start with GET or HEAD thus be forced to use https, so subsequent requests will also use it. Make sure all the URLs in your site's content are relative or root-relative.
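The answer's conditions placed in a complete port-80 virtual host, as an added example that is not part of the original answer: the requests it exempts from the redirect still travel unencrypted, so this version also logs them to show which client scripts have not yet moved to https. The ServerName, log path, and the PLAINTEXT_WRITE and plaintext_write names are assumptions.

```apache
<VirtualHost *:80>
    # Assumed host name; replace with the site's own
    ServerName www.example.com

    RewriteEngine On

    # Tag every POST/PUT that arrives over plain HTTP.
    # No [L] flag, so rule processing continues with the next rule.
    RewriteCond %{REQUEST_METHOD} ^(?:POST|PUT)$
    RewriteRule ^ - [E=PLAINTEXT_WRITE:1]

    # All other methods (GET, HEAD, ...) get the permanent redirect to https
    RewriteCond %{HTTPS} =off
    RewriteCond %{REQUEST_METHOD} !^(?:POST|PUT)$
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Write only the tagged requests to a separate log:
    # client address, time, request line, status, user agent
    LogFormat "%h %t \"%r\" %>s \"%{User-Agent}i\"" plaintext_write
    CustomLog "logs/plaintext_write.log" plaintext_write env=PLAINTEXT_WRITE
</VirtualHost>
```

Once that log stays empty, the method condition can be dropped so that every request is redirected.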

Apache Rewrite only for valid URL

I have a purely personal website (Apache2 on Ubuntu), and to prevent outsiders from knowing there is a valid HTTP server at the specified domain, it uses cryptic URLs. For example,
http://somesite.com
will, by design, return HTTP 404 error. But
http://somesite.com/RJv968sr0S860Iq1VfW2P28dqgCTqNUOm51AMuQL
might do something useful. I'm sure it is not a foolproof method to deter interlopers, bots and hackers, but it's there nevertheless.
Now, in addition to obscuring the URLs, I also use HTTPS for further protection, for which I have Apache rewrite HTTP requests to HTTPS.
RewriteEngine ON
RewriteCond %{REMOTE_ADDR} !192\.168\.
RewriteCond %{REMOTE_ADDR} !127\.0\.0\.1
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI}
And it works exactly as expected.
Unfortunately, it is not terribly sophisticated, and it also rewrites invalid URL requests. For example, the invalid URL http://somesite.com will get rewritten to the equally invalid URL https://somesite.com. But, this kind of rewrite would tip off someone that there is, indeed, some kind of HTTP server attached to the domain name.
I would like to fix my rewrite rules so that Apache will NOT rewrite any invalid URLs. Is this possible? If not with Apache, what about nginx or lighttpd? And if so, how do I make it happen?

Apache redirection to sub domain

My website URL till now was as per this pattern https://www.xyz.com, from which I served both static and dynamic contents. https://www.xyz.com defaults to home page, https://www.xyz.com/static/index.html, and dynamic contents are served from https://www.xyz.com/dyna/login.jsp.
Recently I added an additional webserver and got sub domain registered from which I plan to serve static content through http URL scheme instead of https, and only serve dynamic pages from https URL. So, if user types https://www.xyz.com, should redirect to http://static.abc.com.
Webserver: Apache 2.x
My Queries are:
a. How to configure apache to redirect request on https://www.xyz.com to http://static.abc.com while ensuring that request to https://www.xyz.com/dyna/login.jsp does not get redirected?
Will this have any noticeable performance overhead?
b. Will redirection from http to https, and also launching an http screen from an https page, lead to any security warning in this case?
Note that I do not intend to submit any data from http to https and vice versa, it will be just URL redirection or links.
c. How to make the redirection cacheable?
use .htaccess to define https://www.example.com/static/index.html as https://www.example.com/index.html
Options +FollowSymLinks
RewriteEngine on
# %{HTTP_HOST} holds only the host name; the path is matched by the RewriteRule pattern
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^static/index\.html$ /index.html [L,R=301]

Apache force SSL

I am trying to redirect incoming requests to https://www.domain.com/ and all https://www.domain.com/{all pages} and having a little trouble. Methods I tried:
Adding this line: Redirect permanent / https://www.domain.com/ to my httpd.conf is causing too many redirects
Using .htaccess to redirect with mod_rewrite is ending in a 302 Moved page with a broken link.
What I want is:
Redirect all requests to https://www.domain.com/, including http://www.domain.com/signup and pages like that to https version
I've searched many threads on this but they don't seem to apply to my setup. How should I approach this?
There's a distinct problem with this approach - if you do an automatic non-SSL redirect to an SSL webpage, you lose the security that SSL should provide. i.e. If someone can MITM your non-SSL web server, they can redirect to their own valid SSL server (with a real certificate), and the browser won't know the difference.
i.e. http://www.example.com redirects to https://www.example.com, can be subverted by a man in the middle attack where fake http://www.example.com redirects to https://i-will-steal-your-credit-card.com, and as long as i-will-steal-your-credit-card.com has a valid certificate, the browser won't alert the user that anything is awry, the user will see the little lock icon and think everything's cool and start putting in credit card numbers.
It's a better practice to have a page that explains that what they really want is the SSL version of the URL and a clickable link. Of course, bad-guy could do the same exact thing, but paranoid people always verify the link they're clicking actually links to what it says.
Granted, most people aren't paranoid and will be grumpy about the extra step - so if you have any marketing people making decisions about this upstream from you - odds are you'll end up doing the http->https automatic redirect. This is because Marketing and customers usually don't understand SSL.
It goes like:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Source: http://systembash.com/content/force-https-ssl-access-url-apache/
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]
Notice the $1 which appends the path information
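One way to set this up in httpd.conf, as an added example rather than code from any of the answers above: a mod_alias Redirect inside the port-80 virtual host cannot loop, because HTTPS requests never reach that block, and the Strict-Transport-Security header on the HTTPS side tells returning browsers to skip the plaintext request that the man-in-the-middle scenario described above relies on. www.domain.com is the question's placeholder host; the certificate paths and the max-age value are assumptions, and mod_ssl and mod_headers must be loaded.

```apache
<VirtualHost *:80>
    ServerName www.domain.com
    # Applies to plain-HTTP requests only, so there is no redirect loop.
    # The rest of the path is appended: /signup -> https://www.domain.com/signup
    Redirect permanent / https://www.domain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.domain.com

    SSLEngine on
    # Placeholder paths; point these at the site's own certificate and key
    SSLCertificateFile    /path/to/www.domain.com.crt
    SSLCertificateKeyFile /path/to/www.domain.com.key

    # HSTS: after one successful HTTPS visit the browser goes straight to
    # https:// for max-age seconds (one year here, an assumed value).
    # The very first visit over http:// is still unprotected.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```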