RewriteCond "except for directory" failing in complex rule set - apache

I need to force everything except IE8 to HTTPS and IE8 specifically to HTTP
(it's temporarily - hence the 302 - its stupid, but there are legit business reasons).
I want all of this to ignore the /api/ directory as the app that utilizes these sadly doesn't follow redirects.
The following is working, IE8 detection is working. Everything is except /api/whatever is still being redirected.
I'd really appreciate any advice or an explanation of why this is not working.
# make sure mod_rewrite is ON
RewriteEngine On
# force staging and live to SSL
RewriteCond %{HTTPS} !=on
# Unless its IE 8
RewriteCond %{HTTP_USER_AGENT} !compatible;\sMSIE\s8\.0 [NC]
RewriteCond %{HTTP_HOST} ^(www\.|staging\.)?example\.com [NC]
# Skip the API
RewriteCond %{REQUEST_URI} !^/api/.*
# 301 Permanent
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
# force IE8 to Non-SSL
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_USER_AGENT} compatible;\sMSIE\s8\.0 [NC]
RewriteCond %{HTTP_HOST} ^(www\.|staging\.)?example\.com [NC]
# Skip the API
RewriteCond %{REQUEST_URI} !^/api/.*
# 302 Temporary
RewriteRule .* http://%{SERVER_NAME}%{REQUEST_URI} [L,R=302]

Don't see anything wrong, though assuming that you've cleared your browser's cache, you could try a different approach and include an explicit pass-through at the top of your list of rules:
RewriteRule ^api/ - [L]
You can add that right under RewriteEngine On and get rid of the /api conditions.

The RewriteCond %{REQUEST_URI} !^/api/.* was working, the problem was a later rewrite routing everything through a front controller /index.php was causing the htaccess to reparse.
Changing the rule to RewriteCond %{REQUEST_URI} !^(/api/|/index.php) solved the problem. the front controller, index.php isn't callable directly anyway, so it's not an issue.

Related

.htaccess file not redirecting http://www. to https://www

I have made a .htaccess file to redirect all website traffic to https://www..
This is my complete .htaccess file:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
The below redirects work exactly as expected:
http://example.com -> https://www.example.com
https://example.com -> https://www.example.com
https://www.example.com -> https://www.example.com
Except:
http://www.example.com -> http://www.example.com
As shown above, if you go to http://www. it doesn't redirect to the HTTPS version.
Can anyone help me understand why the other redirects are working fine, but that one is not?
Additional Notes: I have looked at a number of posts on StackOverflow, but most of their solutions end in redirect loop errors.
After contacting 123-Reg (my hosting provider), they submitted this solution, which works perfectly:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^example.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301,NC]
RewriteCond %{ENV:HTTPS} !=on
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
Basically they have set the script to do two tasks: Change domain to WWW, if it isn't already, THEN change to HTTPS. Also, they used ENV:HTTPS, which is different to what was found in their documentation (ENV:SSL).
Glad to have to this sorted, and maybe this will help out others using 123-Reg Hosting.
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
As you have found, this won't redirect when requesting the canonical hostname (ie. www.example.com) regardless of whether it is HTTP or HTTPS.
You need to change this to something like:
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\.example\.com
RewriteRule (.*) https://www.example.com/$1 [R=301,L]
This will trigger a redirect to the canonical URL if HTTPS is "off" or it's not the canonical hostname.
...but most of their solutions end in redirect loop errors.
If you are behind a proxy (eg. CloudFlare) that is managing your SSL cert then this could still result in a redirect loop because the connection between you and the proxy might be HTTP, not HTTPS. This would mean that your server only serves content over HTTP, not HTTPS. If this is the case then there are additional headers that can be checked on the request (eg. X-Forwarded-Proto) or set a "page rule" in the case of CloudFlare (Flexible SSL - free service).
UPDATE#1: 123-Reg provide a help document regarding SSL. It seems they set an SSL environment variable when "the connection is SSL-secured". This would mean that you could potentially do something like the following instead:
RewriteCond %{ENV:SSL} ^$ [OR]
RewriteCond %{HTTP_HOST} !^www\.example\.com
RewriteRule (.*) https://www.example.com/$1 [R=301,L]
This is, however, non-standard and "unique" to 123-Reg. (Aside: The PHP code suggestion in the 123-Reg linked document is not the recommended way to check the environment variable, as this would result in an E_NOTICE if the variable is not set!?)
You should also ensure your browser cache is cleared before testing.
UPDATE#2: To help with debugging... to find out what values are being returned, you could assign some Apache values to environment variables and check the values of these in your server-side script (eg. PHP?). For example:
RewriteCond %{HTTPS} (.*)
RewriteRule ^ - [E=APACHE_HTTPS:%1]
# You don't really need this, but for completeness...
RewriteCond %{ENV:SSL} (.*)
RewriteRule ^ - [E=APACHE_SSL:%1]
RewriteCond %{HTTP:X-Forwarded-Proto} (.*)
RewriteRule ^ - [E=APACHE_PROTO:%1]
Then check the environment variables APACHE_HTTPS, APACHE_SSL and APACHE_PROTO in your server-side script. (eg. in PHP, use the getenv() function.)
After lots of issues with 123 Reg and redirecting all versions of pages to single relevant https page with Wordpress, this is what has worked for me across multiple sites now and has proven effective in terms of SEO. Hope it helps!
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{ENV:HTTPS} !=on
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Https to http with variant exceptions

Our site is going to be switched to SSL soon but we're not ready for it. As such we are going to redirect all https URLs to http in htaccess. I've got that working but as an added complication we've got a few URLs that have to be exceptions to the redirect. These URLs are:
somebody.dev.www.example.com
example.com/top_deal
example.com/watches
I have the redirect working like so:
RewriteCond %{HTTP:X-Forwarded-Proto} =https
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=302]
but can't get the exceptions to work. I've tried literally every solution online that I can find.
You can use rule as your very first rule:
RewriteEngine On
RewriteCond %{HTTP_HOST} !=somebody.dev.www.example.com
RewriteCond %{THE_REQUEST} !\s/+(?:top_deal|watches)/?[?\s] [NC]
RewriteCond %{HTTP:X-Forwarded-Proto} =https
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
# rest of your rules go here
Make sure to clear your browser cache before testing.
First, do you want it to be a temporary rewrite (=302) or should the browser save it as permanent und thus get 301? Just asking, both works, but if you want to go for temporary, you should read this
Excerpt: HTTP/1.1 (RFC 2616) added the new status codes 303 and 307
So in your case a 307 would probably be better.
If you want to have permanent rewrite instead, use [R=301] to make the browser cache the rewrite-target instead of rewriting each time.
Now to the WRONG solution (but there is a good reason I leave in there, see here) - DON'T use that !!!
#logic is: 1 OR (2 AND 3) --> NO, it isn't, see the link right above!
#1 being hostname: somebody.dev.www.example.com
#2 being hostname: example.com
#3 being REQUEST_URI = !^/(top_deal|watches)
RewriteCond %{HTTP_HOST} ^somebody.dev.www.example.com$ [OR]
RewriteCond %{HTTP_HOST} ^example.com$
RewriteCond %{REQUEST_URI} !^/(top_deal|watches)$
RewriteRule .? - [END]
##[END] makes the rewrite-evaluation STOP, completely, not only for this turn!
#same rule as before, just changed 302 -> 307 (RFC 2616) and ^(.*)$ to .? cuz I like it better^^
RewriteCond %{HTTP:X-Forwarded-Proto} =https
RewriteRule .? http://%{HTTP_HOST}%{REQUEST_URI} [L,R=307]
Update
Here is, what really should be put into your config:
# Don't rewrite HOST 'somebody.dev.www.example.com'
RewriteCond %{HTTP_HOST} ^somebody.dev.www.example.com$
RewriteRule ^ - [END]
# Don't rewrite HOST 'example.com', if URI 'top_deal' OR 'watches'
RewriteCond %{HTTP_HOST} ^example.com$
RewriteCond %{REQUEST_URI} ^/(top_deal|watches)$
RewriteRule ^ - [END]
RewriteCond %{HTTPS} on
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=307]
That should definitely do the job :)
If it doesn't, for some reason, search for your LogLevel and add the rewrite:traceX to that line. So if your LogLevel is error it should look like this:
LogLevel error rewrite:trace2
Then restart/reload your server and test again. Error.log will now show the results of the attempted rewrites. Use tail -f error_log|fgrep '[rewrite:' to find them. If they are unclear, let us know, maybe we can help :)
What I finally did that ended up working was the following:
RewriteCond %{HTTP_HOST} !^(.*).dev.www.example.com
RewriteCond %{REQUEST_FILENAME} ! top_deal(.*)
RewriteCond %{REQUEST_FILENAME} ! watches(.*)
RewriteCond %{HTTP:X-Forwarded-Proto} =https
RewriteRule .? http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

How to stop htaccess rewrite rule updating browser URL

I've read through many of the similar requests such as:
Apache rewrite rule - prevent rewritten URL appearing in browser URL bar
But I can't figure out what I'm doing wrong, any help would be much appreciated.
I'm using codeigniter 3 and it's root is at the following location:
https://example.com/api/v1.0
I've set up a basic route and all is working fine with Codeigniter E.g. If I navigate to:
/api/v1.0/index.php/pages/view/about
the appropriate page appears so all seams well. What I really want is for the URL to get rewritten so that when I enter:
/api/v1.0/pages/view/about
it goes to the same page. I've added a htaccess file that rewrites the rule and all works as expected:
Options +FollowSymlinks
RewriteEngine on
RewriteBase /api/v1.0/
RewriteCond $1 !^(index.php|resources|robots.txt)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L,QSA]
The problem is, when I enter the the url:
/api/v1.0/pages/view/about
it goes to the correct page, but the browser URL gets updated to:
/api/v1.0/index.php/pages/view/about
My question is, how can I stop the browser URL from being updated?
Update - my web servers site behind an AWS ELB that acts as the https end point. I have the following in the httpd.conf to ensure that any non 'www' prefixed URLS and any http calls are redirected to https://www
<VirtualHost *:80>
RequestHeader set X-Forwarded-Proto "http"
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{REQUEST_URI} !^/_hostmanager/
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} !^test\. [NC]
RewriteCond %{HTTP_HOST} !^signup\. [NC]
RewriteCond %{REQUEST_URI} !^/_hostmanager/
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
I don't think this rule is causing an issue as its not being invoked, I'm providing the correct prefix and protocol.
Many thanks in advance,
Rob
Check that index.php isn't set for $config['index_page'].
If it is change it to:
$config['index_page'] = '';
OK, after much testing it would appear that my virtual host settings in httpd.conf were causing the issue. If I removed these rules and then the local .htaccess rules worked exactly as expected.
I've removed the local .htaccess rules and added the following to rule to httpd.conf:
RewriteRule ^/api/v1\.0/([A-Za-z0-9-/]+)/?$ /api/v1.0/index\.php/$1 [NC,L,QSA] # Process API Call
My Virtual Host section now looks like this:
RequestHeader set X-Forwarded-Proto "http"
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{REQUEST_URI} !^/_hostmanager/
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} !^test\. [NC]
RewriteCond %{HTTP_HOST} !^signup\. [NC]
RewriteCond %{REQUEST_URI} !^/_hostmanager/
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteRule ^/api/v1\.0/([A-Za-z0-9-/]+)/?$ /api/v1.0/index\.php/$1 [NC,L,QSA] # Process API Call
So now calls to:
/api/v1.0/some/directory
Will get rewritten to this:
/api/v1.0/index.php/some/directory
And this happens without redirecting the browser or affecting the browser URL. What I don't understand is why this is not entering into an infinite loop as I have no rewrite precondition to check for calls to the /api/v1.0/index.php/*
Anybody know why this is no entering into an infinite loop?

htaccess from https to http

I have these vales in my htacces file it all works fine except when i try to go back to http from https i have tried swapping the rules around with no success, any help would be awsome
I have tried all the sujestion with still no suucess so maybe i need to show you guys the entire thing.
Still not going back to http from https, here is the whole thing
Have i got the rules in the wrong order? im lost
<ifModule mod_rewrite.c>
RewriteEngine on
# For Sales:
RewriteRule ^shop/sales/?$ sales.php
# For the primary categories:
RewriteRule ^shop/([A-Z-Aa-z\+]+)/?$ shop.php?type=$1
# For specific products:
RewriteRule ^browse/([A-Za-z\+]+)/([A-Za-z\+\-]+)/([0-9]+)$ browse.php?type=$1&category=$2&id=$3
#For https pages:
#RewriteCond %{HTTPS} on
#RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L=301]
#RewriteCond %{HTTPS} off
#RewriteRule ^(checkout\.php|final\.php|admin/(.*))$ https://{HTTP_HOST}/$1[R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?$1 [L,QSA]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,}\s(.*)/index\.php [NC]
RewriteRule ^ /%1 [R=301,L]
</ifModule>
I am not able to test the rules, but I think you need to change the following:
In the first rule your flag is attached to the 2nd argument. This should create an internal error. Your second rule would rewrite all url's to their http equivalent, making an infinite loop. You need to make sure it doesn't match url's that you want to be in https. You can do this with %{REQUEST_URI} and a negation (!). As far as I am aware, L=301 is an invalid flag too. You probably meant to make it R=301.
RewriteCond %{HTTPS} off
RewriteRule ^(checkout\.php|final\.php|admin/(.*))$ https://{HTTP_HOST}/$1 [R,L]
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !/(checkout\.php|final\.php|admin/(.*))$
RewriteRule ^http://%{HTTP_HOST}%{REQUEST_URI} [R,L]
Last but not least an word of advice. Don't test your .htaccess with permanent redirects until everything works as expected. The browser will cache permanent redirects, not picking up further tries to make your .htaccess work as you want.

How do i force www subdomain on both https and http

For whatever reason I can't seem to get this right, I've looked at many examples on here and apache's website. I'm trying to force www.domain.com instead of domain.com on EITHER http or https but I am not trying to force https over http.
the following code seems to work for all https connections but http will not redirect to www.
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.domain\.com$ [NC]
RewriteRule ^ https://www.domain.com%{REQUEST_URI} [R=301]
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^www\.domain\.com$ [NC]
RewriteRule ^ http://www.domain.com%{REQUEST_URI} [R=301]
You don't need the second RewriteEngine directive. That may or may not be causing a parse issue making the second set of rules not work. To test whether this is the case, try switching the order of the two blocks you have.
It's good practice to use L to modify requests that are definitely the last. So, change [R=301] to [R=301,L] both times it appears.
Largely as a matter of style, I would consider changing the RewriteRule directives to something like (using http or https as appropriate):
RewriteRule ^(.*)$ http://www.domain.com$1 [R=301,L,QSA]
Your rules seem to be fine. You can combine them as follows:
RewriteCond %{HTTP_HOST} !^www\.example\.com$
RewriteCond %{HTTPS}s on(s)|
RewriteRule ^ http%1://www.example.com%{REQUEST_URI} [L,R=301]
Also note the additional L flag to stop the rewriting process after this rule has been applied.
In case anyone still need an answer to this. Use another .htaccess. Get guide from here, I found it and it looks good: http://www.farinspace.com/codeigniter-htaccess-file/
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
### Canonicalize codeigniter URLs
# If your default controller is something other than
# "welcome" you should probably change this
RewriteRule ^(welcome(/index)?|index(\.php)?)/?$ / [L,R=301]
RewriteRule ^(.*)/index/?$ $1 [L,R=301]
# Removes trailing slashes (prevents SEO duplicate content issues)
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)/$ $1 [L,R=301]
# Enforce www
# If you have subdomains, you can add them to
# the list using the "|" (OR) regex operator
RewriteCond %{HTTP_HOST} !^(www|subdomain) [NC]
RewriteRule ^(.*)$ http://www.domain.tld/$1 [L,R=301]
# Enforce NO www
#RewriteCond %{HTTP_HOST} ^www [NC]
#RewriteRule ^(.*)$ http://domain.tld/$1 [L,R=301]
###
# Removes access to the system folder by users.
# Additionally this will allow you to create a System.php controller,
# previously this would not have been possible.
# 'system' can be replaced if you have renamed your system folder.
RewriteCond %{REQUEST_URI} ^system.*
RewriteRule ^(.*)$ /index.php/$1 [L]
# Checks to see if the user is attempting to access a valid file,
# such as an image or css document, if this isn't true it sends the
# request to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]
</IfModule>
<IfModule !mod_rewrite.c>
# Without mod_rewrite, route 404's to the front controller
ErrorDocument 404 /index.php
</IfModule>
Remember, once you have your CodeIgniter htaccess file setup, you will want to go into your “/system/application/config/config.php”, find the following:
$config['index_page'] = "index.php";
and change it to:
$config['index_page'] = "";