HTTPS Re-direct issue - apache

I'm currently trying to re-direct my users to a https version of the site but only during the booking process and wp-admin sections.
This is the code I'm using, courtesy of the answer to this post:
RewriteEngine On
# force HTTPS
RewriteCond %{HTTPS} =off
RewriteRule ^(book-on-line|wp-admin) https://test.mysite.com%{REQUEST_URI} [L,R=301]
# force HTTP
RewriteCond %{HTTPS} =on
RewriteRule !^(book-on-line|wp-admin) http://test.mysite.com%{REQUEST_URI} [L,R=301]
The re-direct works fine if I use the first statement ONLY but doesn't work and just redirects to the homepage if I use the second statement.
The reason for the second statement is that when I go to a secure page, then click a link to move back to a non-secure page, the website still retains the HTTPS when it shouldn't.
Any ideas?

Related

Connection is not private while redirecting HTTPS to HTTP [duplicate]

I'm trying to redirect https://www.example.com to http://www.example.com. I tried the following code in the .htaccess file
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
This code successfully redirects https://example.com to http://www.example.com. However when I type in https://www.example.com then it gives me a "web page not available" error in the browser.
I have also tried the following 2 codes without success
Attempt 1
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*):NOSSL$ http://www.example.com/$1 [R=301,L]
Attempt 2
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
Both above attempts failed. Any suggestions?
Attempt 2 was close to perfect. Just modify it slightly:
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
UPDATE:
Above solution works from a technical point of view. BUT:
For a few years now, the user will receive a huge warning indicating that the connection is not private. That is to be expected: none of today's browsers will silently switch from an encrypted to an unencrypted connection, for obvious reasons ... You cannot get around that behavior of standard browsers. That, however, has nothing to do with the redirection itself. It is how the web works today, how users are protected from criminal intents.
However, if your website does not have a security certificate, it's on a shared hosting environment, and you don't want to get the "warning" when your website is being requested through https, you can't redirect it using htaccess. The reason is that the warning message gets triggered before the request even goes through to the htaccess file, so you have to fix it on the server. Go to /etc/httpd/conf.d/ssl.conf and comment out the part about the virtual server 443. But the odds are that your hosting provider won't give you that much control. So you would have to either move to a different host or buy the SSL just so the warning does not trigger before your htaccess has a chance to redirect.
You can use the following rule to redirect from https to http:
RewriteEngine On
RewriteCond %{HTTPS} ^on$
RewriteRule ^(.*)$ http://example.com/$1 [NC,L,R]
Explanation:
RewriteCond %{HTTPS} ^on$
Checks if the HTTPS is on (Request is made using https)
Then
RewriteRule ^(.*)$ http://example.com/$1 [NC,L,R]
Redirect any request (https://example.com/foo) to http://example.com/foo.
$1 is part of the regex in RewriteRule pattern, it contains whatever value was captured in (.+), in this case, it captures the full request_uri, everything after the domain name.
[NC,L,R] are the flags, NC makes the uri case sensitive, you can use both uppercase or lowercase letters in the request.
L flag tells the server to stop processing other rules if the current rule has matched, it is important to use the L flag to avoid rule conflicts when you have more than one rule in a block.
R flag is used to make an external redirection.
RewriteEngine On
RewriteCond %{SERVER_PORT} 443
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
The difference between http and https is that https requests are sent over an ssl-encrypted connection. The ssl-encrypted connection must be established between the browser and the server before the browser sends the http request.
Https requests are in fact http requests that are sent over an ssl encrypted connection. If the server refuses to establish an ssl encrypted connection then the browser will have no connection to send the request over. The browser and the server will have no way of talking to each other. The browser will not be able to send the url that it wants to access and the server will not be able to respond with a redirect to another url.
So this is not possible. If you want to respond to https links, then you need an ssl certificate.
RewriteCond %{HTTP:X-Forwarded-Proto} =https
Your code is correct. Just put them inside the <VirtualHost *:443>
Example:
<VirtualHost *:443>
SSLEnable
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

Rewrite Rule working fine for https when directly accessed but not when redirected first from http to https

Below rule is working fine when domain (https://sitename.com) is accessed. It shows the 'en' page.
RewriteRule ^/$ /content/sitename/us/en.html [PT]
But when http to https rule is introduced first to forcefully redirect all http requests to https via below rule:
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{REQUEST_URI} !^/dispatcher/invalidate.cache
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
Then the request gets redirected as below:
(http://sitename.com) gets converted to (https://sitename.com/content/sitename/us/en.html)
Ideally it should be only getting converted w.r.t protocol.
(http://sitename.com) should be converted to (https://sitename.com) & subsequently
https://sitename.com will serve the home page as mentioned in first point, without showing the /content URL in the browser to end user.
Please suggest some pointers here.

Why is the htaccess in my subdomain folder overriding aspects of the htaccess in my main domain?

Let me explain my setup here, I have two domains, for the sake of naming them let's call them domain1.com and domain2.com. I have shared hosting that runs cPanel.
Domain1.com is my main domain, and is what I have my hosting account set up using. I have a website hosted at that domain. Domain2.com is set as an add-on domain, and directs to a folder inside of the main domain's root. That has its own website (a Ghost blog).
That all works fine. However the websites hosted at the two domains are quite different and I did not want the subdomain to work, but as far as I can tell add-on domains in cPanel have to have a subdomain in order to be added to the account. The redirect options for the subdomains in cPanel aren't good enough for me, as I wanted anyone accessing say domain1.com/domain2 to get a 404 error as if it didn't exist. So I set up the .htaccess file for domain1.com to look like this:
RewriteEngine On
#301 (permanent) redirects all HTTP requests to HTTPS (SSL)
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#404 redirects all domain.com/subdomain requests
RewriteCond %{HTTP_HOST} ^(www.)?domain1.com$ [NC]
RewriteCond %{REQUEST_URI} ^/domain2/(.*)$
RewriteRule ^(.*)$ - [L,R=404]
#404 redirects all subdomain.domain.com & www.subdomain.domain.com requests
RewriteCond %{HTTP_HOST} ^domain2.domain1.co.uk$ [OR]
RewriteCond %{HTTP_HOST} ^www.domain2.domain1.co.uk$ [OR]
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^(.*)$ - [L,R=404]
This worked perfectly, anyone trying to access domain2 via domain1 would get a 404 error. But that was before I installed Ghost on domain2. After getting Ghost installed I created an .htaccess file in the domain2 folder inside of domain1's root. I had to put this in it in order for Ghost to run, as it uses NodeJS:
RewriteEngine on
RewriteRule ^(.*)$ http://127.0.0.1:55555555/$1 [P,L]
This also works perfectly except for one aspect. Now all requests to the domain using domain1.com have started working again. For example if I type domain2.domain1.com it will now show me the Ghost blog where as before it was correctly displaying a 404 Not Found error. Why is this and how do I go about rectifying this issue?
As a side note, I also started trying to have all http requests redirect to https. I added the following to the domain1.com htaccess file as I wanted all requests on both domains to redirect to https and I assumed this was necessary:
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Now this kind of works. All requests, whatever they are (with or without www for instance), redirect to https, and when I visit it in my browser I get the green icon indicating it's secured with SSL. Again even with this the previous issue of the domain redirect still doesn't work. But I have another odd issue here.
If I type in my browser simply "domain1.com" (ie without https:// or www. or a combination of the two), it will show just "domain1.com" in the address bar but with the green icon and say it is secured. If however I type in "domain2.com" (again with no https:// or www etc.) it does the same thing except it states it is not secure, suggesting it requested http.
And yet if I type in www.domain2.com or http://domain2.com, that works and I get the secured icon. It is highly puzzling. It seems that the https redirect works on every request except for just "domain2.com" while any other variation (www.domain2.com, http://domain2.com etc) works fine. Any clues? I mean clearly I've done something wrong with the htaccess files but I don't know what, I got most of what I'd put in them from searching sites like Stackexchange, but personally I don't really know anything about them or how they work.
I think I have fixed my own problem here.
I corrected the main htaccess so the https redirect acts like this:
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
From what I can tell it's better to do it this way than the way I had it previously. This in itself didn't fix the problems. What fixed it for me is editing the domain2.com htaccess to look like this:
RewriteEngine on
#Force WWW if it isn't in the request
RewriteCond %{HTTP_HOST} !^www\. [NC,OR]
#Or include WWW even if it is in the request
RewriteCond %{HTTP_HOST} ^www\. [NC]
#Then Force it to use https
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#Defines this domain so main htaccess rules for subdomains work
RewriteCond %{HTTP_HOST} ^(.*)?domain2.com$ [NC]
#Proxy for Ghost
RewriteRule ^(.*)$ http://127.0.0.1:55555555/$1 [P,L]
Now everything works. All requests are redirected to https. All requests to the subdomain from the main domain fail with a 404. domain2.com now redirects to https://www.domain2.com or https://domain2.com so it is now always secured by SSL. I'm a novice at htaccess as is probably evident and I've no doubt some or all of this could have unnecessary elements removed or simplified so if anyone wants to correct my syntax so it's less messy I'd appreciate it.

Problems using .htaccess to make some pages secure and some unsecure

I'm using .htaccess to make the membership renewal pages on my Drupal site secure, but I'm having trouble switching back to regular http when the user navigates away from that page. The page that should be secure is:
www.example.com/renew
I want everything else to use http, and I'm trying the following redirects to achieve this:
# Renewal page should be secure. Redirect.
RewriteCond %{HTTPS} off
RewriteRule ^renew$ https://www.example.com/renew [R,L]
# If user leaves the Renewal page, make sure we're no longer secure. Redirect.
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^renew$
RewriteRule (.*) http://www.example.com%{REQUEST_URI} [R,L]
I got the first redirect working fine. When I added the second, unsecure redirect, it breaks the first redirect -- Firefox says there's a redirect loop.
Can you tell me what I'm doing wrong here? Thanks in advance.
%{REQUEST_URI} is a variable that always starts with a /. Due to this, the second condition of the second rule will always be true, as %{REQUEST_URI} will never be equal to ^renew$. To fix this, change that condition to:
RewriteCond %{REQUEST_URI} !^/renew$
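
The loop this answer diagnoses, reproduced with a small Python model of the two rules (an added example, not part of the original question or answer). The model is a simplification: it covers only the RewriteCond and RewriteRule features these rules use, assumes the .htaccess sits in the document root, and its function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

def build_rules(renew_cond):
    """The two rules from the question; renew_cond is the second rule's REQUEST_URI test."""
    return [
        # (conditions, RewriteRule pattern, substitution)
        ([("HTTPS", "off")], r"^renew$", "https://www.example.com/renew"),
        ([("HTTPS", "on"), ("REQUEST_URI", renew_cond)], r"(.*)",
         "http://www.example.com%{REQUEST_URI}"),
    ]

def cond_holds(test, value):
    """RewriteCond as used here: regex search, a leading '!' negates the result."""
    negate = test.startswith("!")
    matched = re.search(test.lstrip("!"), value) is not None
    return matched != negate

def next_redirect(url, rules):
    """Return the redirect target the rules produce for url, or None if no rule fires."""
    parts = urlsplit(url)
    env = {"HTTPS": "on" if parts.scheme == "https" else "off",
           "REQUEST_URI": parts.path or "/"}  # always starts with "/"
    # In .htaccess context the RewriteRule pattern sees the path WITHOUT the leading slash.
    rule_path = env["REQUEST_URI"].lstrip("/")
    for conds, pattern, target in rules:
        if re.search(pattern, rule_path) and all(cond_holds(t, env[v]) for v, t in conds):
            return target.replace("%{REQUEST_URI}", env["REQUEST_URI"])
    return None

def follow(url, rules, limit=10):
    """Follow redirects like a browser would; return (chain, looped)."""
    chain = [url]
    while len(chain) <= limit:
        nxt = next_redirect(chain[-1], rules)
        if nxt is None:
            return chain, False
        if nxt in chain:  # same URL seen twice: redirect loop
            return chain + [nxt], True
        chain.append(nxt)
    return chain, True

if __name__ == "__main__":
    for cond in ("!^renew$", "!^/renew$"):  # as posted, then as corrected
        chain, looped = follow("http://www.example.com/renew", build_rules(cond))
        print(cond, "LOOP" if looped else "ok", " -> ".join(chain))
```
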

https on 2 forms only, all others force back to http

Google has been indexing duped content. SEO nightmare...
I have two forms which need SSL.
/single
/joint
I'd like everything else to be redirected back to non ssl (http://)
I've tried various different things from the forums here, numerous times...
How do I enable https only on certain pages with htaccess?
The first part always works, that is, https redirects to http but the /single & /joint will redirect to index.php or the "home page"
Thanks in advance for any advice.
Try to be more clear...
With Jon's code added to the .htaccess file
https .com/other-page
redirects to http .com/other-page
But the ones that matter
https .com/single & .com/joint
Both redirect to
http .com/index.php
Here is a link to the standard Joomla .htaccess file
http://docs.joomla.org/Preconfigured_htaccess
In addition I am using rewrite rules to redirect www to non www
RewriteCond %{HTTP_HOST} !^website.com
RewriteRule (.*) http://website.com/$1 [R=301,L]
Add these rules to the htaccess file in your document root:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(single|joint) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTPS} on
RewriteRule !^(single|joint) http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
as long as the form is submitted as a GET request. The request body in a POST submission may not be included after a redirect.