I've found 2 different code snippets to force https on my website:
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
and
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
I'm sure that they both work (one's from Httpd Wiki and the other's from SSL shopper). Would someone be able to explain the differences in how they perform the redirect?
They just use different Apache variables to make up the URL for redirect.
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
This first rule takes the filename if one is entered such as myfile.php and appends the redirect with it replacing $1 in the redirect so that you get https://somesite.com/myfile.php
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
The 2nd one using %{HTTP_HOST} will grab the information from the http headers instead to make up the URL used to redirect so entering the same url http://somesite.com/myfile.php will be redirected to https://somesite.com/myfile.php
It's just a matter of telling apache what to use for redirection. Either use the server internal name or use the one sent by the browser.
%{SERVER_NAME}
That is a server internal variable in apache and is defined in the server config.
%{HTTP_HOST}
This is the what is sent by the browser in the HTTP request headers. This is client side while the SERVER_NAME if from the server config.
%{REQUEST_URI}
REQUEST_URI is the path component of the requested URI, such as "/index.html". This is a special Apache variable.
There a many ways that have been done to redirect to https and both should work. Your choice.
Related
I'm trying to redirect https://www.example.com to http://www.example.com. I tried the following code in the .htaccess file
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
This code successfully redirects https://example.com to http://www.example.com. However when I type in https://www.example.com then it gives me a "web page not available" error in the browser.
I have also tried the following 2 codes without success
Attempt 1
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*):NOSSL$ http://www.example.com/$1 [R=301,L]
Attempt 2
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
Both above attempts failed. Any suggestions?
Attempt 2 was close to perfect. Just modify it slightly:
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
UPDATE:
Above solution works from a technical point of view. BUT:
Since a few years now the user will receive a huge warning indicating that the connection is not private. That is to be expected: none of today's browsers will silently switch from an encrypted to a not encrypted connection, for obvious reasons ... You cannot get around that behavior of standard browsers. That however has nothing to do with the redirection itself. It is how the web works today, how users are protected from criminal intents.
However, if your website does not have a security certificate, it's on a shared hosting environment, and you don't want to get the "warning" when your website is being requested through https, you can't redirect it using htaccess. The reason is that the warning message gets triggered before the request even goes through to the htaccess file, so you have to fix it on the server. Go to /etc/httpd/conf.d/ssl.conf and comment out the part about the virtual server 443. But the odds are that your hosting provider won't give you that much control. So you would have to either move to a different host or buy the SSL just so the warning does not trigger before your htaccess has a chance to redirect.
You can use the following rule to redirect from https to http :
RewriteEngine On
RewriteCond %{HTTPS} ^on$
RewriteRule ^(.*)$ http://example.com/$1 [NC,L,R]
Explanation :
RewriteCond %{HTTPS} ^on$
Checks if the HTTPS is on (Request is made using https)
Then
RewriteRule ^(.*)$ http://example.com/$1 [NC,L,R]
Redirect any request (https://example.com/foo)
to http://example.com/foo .
$1 is part of the regex in RewriteRule pattern, it contains whatever value was captured in (.+) , in this case ,it captures the full request_uri everything after the domain name.
[NC,L,R] are the flags, NC makes the uri case senstive, you can use both uppercase or lowercase letters in the request.
L flag tells the server to stop proccessing other rules if the currunt rule has matched, it is important to use the L flag to avoid rule confliction when you have more then on rules in a block.
R flag is used to make an external redirection.
RewriteEngine On
RewriteCond %{SERVER_PORT} 443
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
The difference between http and https is that https requests are sent over an ssl-encrypted connection. The ssl-encrypted connection must be established between the browser and the server before the browser sends the http request.
Https requests are in fact http requests that are sent over an ssl encrypted connection. If the server rejects to establish an ssl encrypted connection then the browser will have no connection to send the request over. The browser and the server will have no way of talking to each other. The browser will not be able to send the url that it wants to access and the server will not be able to respond with a redirect to another url.
So this is not possible. If you want to respond to https links, then you need an ssl certificate.
RewriteCond %{HTTP:X-Forwarded-Proto} =https
Your code is correct. Just put them inside the <VirtualHost *:443>
Example:
<VirtualHost *:443>
SSLEnable
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
Below rule is working fine when domain (https://sitename.com) is accessed. It shows the 'en' page.
RewriteRule ^/$ /content/sitename/us/en.html [PT]
But when http to https rule is introduced first to forcefully redirect all http requests to https via below rule:
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{REQUEST_URI} !^/dispatcher/invalidate.cache
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
Then the request gets redirected as below:
(http://sitename.com) gets converted to (https://sitename.com/content/sitename/us/en.html)
Ideally it should be only getting converted w.r.t protocol.
(http://sitename.com) should be converted to (https://sitename.com) & subsequently
https://sitename.com will serve the home page as mentioned in first point, without showing the /content URL in the browser to end user.
Please suggest some pointers here.
I know this question has been asked a thousand times, but I cannot seem to find the answer.
We have a website hosted by 123-reg's shared web hosting package (no access to http config files). I have added ssl to the site, and the certificate works when directly requesting using https.
The problem arises when I try to redirect everything from http to https using the .htaccess file.
First I tried the SERVER_PORT variable in the condition:
RewriteEngine On
RewriteBase /
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.co.uk/$1/ [R=301,L]
This does not work as the https redirect request uses port 80 also (I am querying this with 123-reg at the moment). The condition is always met and causes a redirect loop.
Next I tried the HTTPS variable:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://example.co.uk/$1/ [R=301,L]
This condition is always met as the variable is never set to on (and causes a redirect loop). I wonder if this is to do with the port no = 80 for https.
I found two server variables, SSL and HTTP_X_FORWARDED_SSL, which do change from "" to 1, but only when I delete the .htaccess file and directly request http or https.
If I try and use the SSL or HTTP_X_FORWARDED_SSL variables in the RewriteCond condition, it causes a redirect loop.
I cannot see the variables while the redirect loop is happening, so I do not know if they are being changed during the re-direct.
edit:
I have found the answer. I was using:
RewriteCond %{SSL} !1
which should be:
RewriteCond %{ENV:SSL} !1
I have the following rules on my .htaccess file
# to redirect http to https
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.example.com/$1 [R=301,L]
# to redirect urls with index.php to /
RewriteCond %{THE_REQUEST} ^.*/index.php
RewriteRule ^(.*)index.php$ /$1 [R=301,L]
# to redirect non www requests to www url
RewriteCond %{HTTP_HOST} !^www\.example\.com
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
When I am trying to access the website, it turns into a Redirect Loop. How to fix this issue and redirect properly?
Just in case somebody have redirect loop when using Apache http->https rewrite behind load balancer, here's solution that worked for me.
I had the same problem when used RewriteCond %{HTTPS} off for Apache behind load balancer, when load balancer does SSL stuff.
If https version of the site is not configured via Apache ModSSL it doesn't set %{HTTPS} variable to "on" and keeps redirecting infinitely.
The simplest solution to fix it is to target all https traffic to another Apache VirtualHost (when SSL is handled by load balancer) that is the copy of main one, but has different port (lets say 81). And in .htaccess do mod_rewrite for everything that is not on port 81:
ReWriteCond %{SERVER_PORT} !^81$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
The second way to do this is to send X-Forwarded-Proto header from load balancer to Apache and use it in rewrite condition:
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
I've seen a lot of people suffering redirect loops when trying to use .htaccess files to move from http to https. And there are a LOT of different answers to how to solve this issue. Some people say:
ReWriteCond %{SERVER_PORT} 80
OR
RewriteCond %{HTTPS} off
OR
RewriteCond %{HTTPS} !on
OR (as above)
RewriteCond %{HTTP:X-Forwarded-Proto} !https
OR EVEN
RewriteCond %{HTTP:X-Forwarded-SSL} =off
but none of these worked for me. I eventually discovered the underlying truth, that the different servers out there are configured in different ways, and they're all providing different server variables.
If none of the above work for you, then the trick is to use PHP to find out what env variables your particular server is sending you when you access an http page, and what env variables it sends you when you access an https page, and then you can use that variable to do the redirect. Just make a PHP file (such as showphpvars.php) on your server with this code:
<?php phpinfo() ?>
and then view it with a browser. Find the section of variables with _SERVER["HTTP_HOST" (etc)] in it, and have a scout around for one that changes for http versus https. Mine turned out to be a variable called SSL that was set to 1 when using https, and not set at all when using http.
I used that variable to redirect to https with PHP, which is so much nicer than using htaccess, but I think that any of the _SERVER variables can also be accessed using htaccess, if you're keen to continue to use that. Just use the name inside the quotes, without the _SERVER[""] bit that PHP adds.
For your information, it really depends on your hosting provider. It may be using a Load Balancer, as stated by Konstantin in another answer.
In my case (Infomaniak), nothing above actually worked and I got infinite redirect loop.
The right way to do this is actually explained in their support site:
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule (.*) https://your-domain.com/$1 [R=301,L]
So, always check with your hosting provider. Hopefully they have an article explaining how to do this. Otherwise, just ask the support.
If you get a redirect loop no matter what you do in htaccess, do the redirect in PHP instead.
I used phpinfo(), like #z-m suggests, to find the variable that changes when I'm on SSL. In my case it was $_SERVER['HTTP_X_PROTO'] == "https". When not on SSL, this variable is not set.
This is the code I use to redirect from HTTP to HTTPS:
if ($_SERVER['HTTP_X_PROTO'] != "https") {
header("HTTP/1.1 301 Moved Permanently");
$location = "https://" . $_SERVER[HTTP_HOST] . $_SERVER[REQUEST_URI];
header("Location: $location");
exit;
}
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{
In my case it was:
if ($_SERVER['HTTPS'] != "on")
I'm trying to set up a rewrite rule which will force all requests coming in on port 80 to use HTTPS by force.
I'm only getting my head around mod_rewrite but this is what i currently have;
RewriteCond ${lowercase:%{REQUEST_URI}} /securePath$
RewriteRule ^(.*)$ https://www.mydomain.com/$1
In the RewriteCond securePath is the requested path (not including my domain).The full URI would be www.mydoamin.com/securePath
In the ReWriteRule $1 is supposed to be the output from ${lowercase:%{REQUEST_URI}} in the RewriteCond
However when i restart my IHS server and attempt to hit the URL it isint forcing access through HTTPS. Any suggestions on what is wrong with these two lines?
Thanks
RewriteRule ^securePath/(.*)$ https://www.mydomain.com/$1 [NC,R=301,L]
Probably it's just you example being broken, but you are explicitly lowercasing the incoming request path and try to match that to "/securePath" which includes a capital letter. -That is never going to match.