I am trying to make the web server to redirect all users from http to https. This is the code I am using:
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_HTTPS} !=on
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R=301,L]
However, I've realized that when users send a request with information to http initially, after that this rewrite rule has executed, the POST data seems to be lost.
Is there any way to, when rewriting to HTTPS, make sure that all POST data is sent as well.
There are two HTTP status codes 307 (temporary) and 308 (permanent), which you might use for such a case. These status codes do the same as 302 and 301 redirect codes, but keep the method (GET/POST) intact
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R=308,L]
Although, you should test with 307 until everything works as expected. See this answer Tips for debugging .htaccess rewrite rules for details.
Related
Below rule is working fine when domain (https://sitename.com) is accessed. It shows the 'en' page.
RewriteRule ^/$ /content/sitename/us/en.html [PT]
But when http to https rule is introduced first to forcefully redirect all http requests to https via below rule:
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{REQUEST_URI} !^/dispatcher/invalidate.cache
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
Then the request gets redirected as below:
(http://sitename.com) gets converted to (https://sitename.com/content/sitename/us/en.html)
Ideally it should be only getting converted w.r.t protocol.
(http://sitename.com) should be converted to (https://sitename.com) & subsequently
https://sitename.com will serve the home page as mentioned in first point, without showing the /content URL in the browser to end user.
Please suggest some pointers here.
I have an e-commerce site that resides in:
http://dev.gworks.mobi/
When a customer clicks on the signin link, the browser gets redirected to another domain, in order for authentication:
http://frock.gworks.mobi:8080/openam/XUI/#login/&goto=http%3A%2F%2Fdev.gworks.mobi%3A80%2Fcustomer%2Faccount%2Flogin%2Freferer%2FaHR0cDovL2Rldi5nd29ya3MubW9iaS8%2C%2F
I'm trying to rewrite http://dev.gworks.mobi/* to http://frock.gworks.mobi:8080/openam/*, without redirection.
I've tried this in the .htaccess of the dev.gworks.mobi site:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/openam(.*)$ [NC]
RewriteRule ^(.*)$ http://frock.gworks.mobi:8080/$1 [P,L]
</IfModule>
But when I access http://dev.gworks.mobi/openam, it shows a 404 page not found page.
Can anyone help me to achieve my use case?
Try this:
RewriteEngine on
RewriteBase /
# Make sure it's not an actual file being accessed
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Match the host
RewriteCond %{HTTP_HOST} ^dev\.gworks\.mobi
# Rewrite the request if it starts with "openam"
RewriteRule ^openam(.*)$ http://frock.gworks.mobi:8080/$1 [L,QSA]
This will rewrite all the requests to dev.gworks.mobi/openam to frock.gworks.mobi:8080.
If you want to mask the URI in a way that it's not visible to the visitor that she's visiting the authentication app, you need to add a P flag. Please note that it needs Apache's mod_proxy module in place:
RewriteRule ^openam(.*)$ http://frock.gworks.mobi:8080/$1 [P,L,QSA]
Feel free to drop the L flag, if it's not the last rewrite rule. See RewriteRule Flags for more information.
The 404
If it's all in place and you're still getting a 404 error, make sure that the target URL is not throwing 404 errors in the first place.
Second, check if you're still getting the error with the correct referrer URI set. It might be designed in a way to throw a 404, if the referrer is not correctly set. If that's the case, which I suspect, you need to use the R flag and redirect instead of proxying the request.
Last thing that comes to my mind, some webapps are not built in a way to figure out the URI address. The host, as well as the port number, might be hard-coded somewhere in the config files. Make sure that the authentication app is able to be run from another URL without the need to edit the configs.
Test
You can test the rewriterule online:
I'm currently trying to re-direct my users to a https version of the site but only during the booking process and wp-admin sections.
This is the code i'm using courtesy of the answer to this post
RewriteEngine On
# force HTTPS
RewriteCond %{HTTPS} =off
RewriteRule ^(book-on-line|wp-admin) https://test.mysite.com%{REQUEST_URI} [L,R=301]
# force HTTP
RewriteCond %{HTTPS} =on
RewriteRule !^(book-on-line|wp-admin) http://test.mysite.com%{REQUEST_URI} [L,R=301]
The re-direct works fine if I use the first statement ONLY but doesn't work and just redirects to the homepage if i use the second statement.
The reason for the second statement is that when I go to a secure page, then click a link to move back to a non-secure page, the website still retains the HTTPS when it shouldn't.
Any ideas?
I've found 2 different code snippets to force https on my website:
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
and
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
I'm sure that they both work (one's from Httpd Wiki and the other's from SSL shopper). Would someone be able to explain the differences in how they perform the redirect?
They just use different Apache variables to make up the URL for redirect.
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
This first rule takes the filename if one is entered such as myfile.php and appends the redirect with it replacing $1 in the redirect so that you get https://somesite.com/myfile.php
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
The 2nd one using %{HTTP_HOST} will grab the information from the http headers instead to make up the URL used to redirect so entering the same url http://somesite.com/myfile.php will be redirected to https://somesite.com/myfile.php
It's just a matter of telling apache what to use for redirection. Either use the server internal name or use the one sent by the browser.
%{SERVER_NAME}
That is a server internal variable in apache and is defined in the server config.
%{HTTP_HOST}
This is the what is sent by the browser in the HTTP request headers. This is client side while the SERVER_NAME if from the server config.
%{REQUEST_URI}
REQUEST_URI is the path component of the requested URI, such as "/index.html". This is a special Apache variable.
There a many ways that have been done to redirect to https and both should work. Your choice.
To maintain consistency across my app, I need all requests to include www so I use .htaccess file like this:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} !^(www\.) [NC]
RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,NC,L]
</IfModule>
It works just fine. HOWEVER, when POST requests are sent without the www the form data gets stripped out. Is this expected? Is there a way to correct this?
A Redirect response with status such as 301,302, or 303 is always handled as a GET in every browser I've encountered. Hence, a POST request redirected will be seen by the client browser and it will issue a GET request to the URL provided in the redirect response. See my answer to the following question and the comments others added for details how you might work around this gracefully:
Apache 301 Redirect and preserving post data