We've got a shopping site which we're hosting on a shared host (Mediatemple Gridserver). Some parts of the site need to use HTTPS (checkout etc) but the rest should be using HTTP.
Does anyone know how we can always force the correct use of HTTP/HTTPS for particular URLs? We've had it working in various states but we can't get a request for a page that should be on HTTP but is requested with HTTPS to switch back correctly.
I've had a look around SO but couldn't find a suitable answer to this.
I use something similar to this for my admin folder in wordpress:
#redirect all https traffic to http, unless it is pointed at /checkout
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/checkout/?.*$
RewriteRule ^(.*)$ http://mydomain.com/$1 [R=301,L]
The RewriteCond %{HTTPS} on portion may not work for all web servers. My webhost requires RewriteCond %{HTTP:X-Forwarded-SSL} on, for instance.
If you want to force the reverse, try:
#redirect all http traffic to https, if it is pointed at /checkout
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^/checkout/?.*$
RewriteRule ^(.*)$ https://mydomain.com/$1 [R=301,L]
If you want some alternate ways to do it, check out askapache.
This should work in pretty much every scenario and should work in your actual vhost or .htaccess:
RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}/%{REQUEST_URI} [R=301,L]
(do not forget the slash before %{REQUEST_URI} as this may allow passing a portnumber, which is dangerous)
RewriteEngine on
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{SERVER_NAME}/%{REQUEST_URI} [R=301,L]
I had some problems being behind a load balancer. This is how I fixed it.
As detailed in this answer, fix your application to use https:// links when needed. Don't rely on automatic redirections, this could lead you to a false sense of security if you haven't made your links/forms served over https:// go to https:// URLs too. Using mod_rewrite automatically makes it harder to detect such mistakes (which can also be vulnerabilities).
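One way to check for the mistake this answer warns about, as an added example that is not part of the original answer: a Python scanner that lists form actions and links on an HTTPS page that still point at plain http://. The page URL and the HTML sample are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs whose target receives user data or loads content
WATCHED = {("form", "action"), ("a", "href"),
           ("iframe", "src"), ("script", "src")}


class DowngradeFinder(HTMLParser):
    """Collects watched attributes that resolve to an http:// URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in WATCHED or not value:
                continue
            # Relative and protocol-relative URLs inherit the page's scheme
            target = urljoin(self.page_url, value)
            if urlsplit(target).scheme == "http":
                self.findings.append((tag, name, target))


def find_downgrades(page_url, html):
    """Return (tag, attribute, url) for each http:// target on an https page."""
    if urlsplit(page_url).scheme != "https":
        return []
    finder = DowngradeFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample of a checkout page
SAMPLE = """
<a href="/checkout/cart">cart</a>
<a href="http://shop.example/checkout/confirm">confirm</a>
<script src="//cdn.example/app.js"></script>
<form action="http://shop.example/checkout/pay" method="post"></form>
<form action="address.php" method="post"></form>
"""

if __name__ == "__main__":
    for finding in find_downgrades("https://shop.example/checkout/", SAMPLE):
        print(finding)
```

With a redirect rule in place both flagged targets would still appear to work in a browser, which is why they are easier to find by scanning the markup than by clicking through the site.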
This worked for me (I used it for a WordPress site, redirecting to HTTPS). You have to add the condition and rule lines just after the RewriteEngine and RewriteBase lines:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# I added these two lines for redirect to HTTPS
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R=301,L]
# (end of custom modifications)
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Have a look at the condition RewriteCond %{HTTP:X-Forwarded-Proto} !https - only this worked for my server hosting.
(I tried RewriteCond %{SERVER_PORT} !^443$ or RewriteCond %{HTTPS} off as well, but without success.)
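Why only one of these tests works on a given host, as an added example that is not from any of the posts above: a small Python model of what Apache sees when TLS ends at the web server versus at a proxy or load balancer. The two topologies, and the assumption that the proxy sets X-Forwarded-Proto, are constructed for illustration.

```python
def backend_view(client_scheme, topology):
    """Variables Apache sees for one client request (constructed model)."""
    if topology == "direct":
        tls = client_scheme == "https"
        return {"HTTPS": "on" if tls else "off",
                "SERVER_PORT": "443" if tls else "80",
                "X-Forwarded-Proto": ""}   # no proxy, header absent
    # TLS-terminating proxy: the hop to Apache is always plain HTTP on port 80
    return {"HTTPS": "off", "SERVER_PORT": "80",
            "X-Forwarded-Proto": client_scheme}


# The three "is this request plain HTTP?" conditions used on this page
CONDITIONS = {
    "%{HTTPS} off":
        lambda v: v["HTTPS"] == "off",
    "%{SERVER_PORT} ^80$":
        lambda v: v["SERVER_PORT"] == "80",
    "%{HTTP:X-Forwarded-Proto} !https":
        lambda v: v["X-Forwarded-Proto"] != "https",
}


def outcome(cond, topology, max_hops=5):
    """Start from an http:// request and follow the redirect-to-https rule."""
    scheme = "http"
    for hops in range(max_hops):
        if not CONDITIONS[cond](backend_view(scheme, topology)):
            return f"served over {scheme} after {hops} redirect(s)"
        scheme = "https"   # rule fired: the client follows the 301
    return "redirect loop"


def matrix():
    """Outcome of every condition in every topology."""
    return {(c, t): outcome(c, t)
            for c in CONDITIONS for t in ("direct", "proxy")}


if __name__ == "__main__":
    for (cond, topo), result in matrix().items():
        print(f"{cond:36} {topo:7} {result}")
```

On a host with no proxy in front, X-Forwarded-Proto is whatever the client sends, so that test is only meaningful when a trusted proxy sets or overwrites the header.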
I think it should be:
RewriteCond %{HTTPS} =on
RewriteRule ^/checkout(.*) http://shoppingsite.com/checkout$1 [R]
See the mod_rewrite documentation.
I am using WordPress. I need to force all pages to use HTTPS, except one specific page that has an iframe with insecure content that cannot be replaced.
I have tried many different configurations in my .htaccess file. Some of them have worked better than others, but none of them have worked completely.
The problem I'm running into is that the navigation menus on the site use relative links. I've found some options that have allowed me to force HTTP on the iframe page, but then any navigation links clicked on that page (outside of the iframe) do not redirect back to the HTTPS version of those pages.
Here is one example I've come across that doesn't quite work.
<IfModule mod_rewrite.c>
RewriteEngine On
# Go to https if not on /iframe/
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} !^/iframe/$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
# Go to http if you are on /iframe/
RewriteCond %{SERVER_PORT} !80
RewriteCond %{REQUEST_URI} ^/iframe/$ [NC]
RewriteRule ^(.*)$ https//www.example.com/$1 [R=301,L]
</IfModule>
You can use the following rules in your .htaccess file to achieve that. This first checks whether HTTPS is not on; if it is not, it forwards everything to HTTPS except for the directory /iframe/. The second rule checks whether HTTPS is on; if so, it redirects /iframe/ back to HTTP.
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteCond %{REQUEST_URI} !^\/(iframe)
RewriteRule (.*) https://%{HTTP_HOST}/$1 [L,R=301]
RewriteCond %{HTTP:X-Forwarded-SSL} =on
RewriteCond %{REQUEST_URI} ^\/(iframe)
RewriteRule (.*) http://%{HTTP_HOST}/$1 [L,R=301]
Make sure you clear your cache before testing this.
EDIT:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{THE_REQUEST} !/iframe/ [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} on
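# THE_REQUEST is the full request line (e.g. "GET /iframe/ HTTP/1.1"), so the pattern cannot start with ^/
RewriteCond %{THE_REQUEST} \s/iframe/ [NC]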
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
I'm having some issues with some .htaccess redirects only working in certain situations.
The code I have is
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
And here are the results of my tests
https://www.example.com redirects to http://example.com
https://example.com does nothing
https://www.example.com/page-name redirects to http://example.com/page-name
https://example.com/page-name does nothing
This is a WordPress site and the .htaccess code sits above the WordPress code. I have also tried it below too and I get the same results
It looks like the site didn't have an SSL certificate attached to it, so the
RewriteCond %{HTTPS} on
rule was not working correctly.
Because of this I went down this method to fix the redirects and make it work in all of the test cases that I mentioned in the question.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]
Use this in your .htaccess instead:
RewriteCond %{HTTPS} =on
RewriteRule ^(.*)$ http://example.com%{REQUEST_URI} [R,L]
I'm assuming that you want www forced to not show, since you did not include it in the URL. If that is the case, include this extra condition to force it to not show:
RewriteCond %{HTTP_HOST} ^www\. [NC,OR]
RewriteCond %{HTTPS} =on
RewriteRule ^(.*)$ http://example.com%{REQUEST_URI} [R,L]
Make sure you clear your cache before testing this.
I'm trying to figure out how I can exclude one specific sub-domain of my WordPress site from being forced to HTTPS.
Here is my .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# HTTPS by default
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
This code perfectly works to enforce HTTPS. Now, I want my download.domain.com to stay in plain HTTP, not encrypted. I've tried many many things, and I didn't manage to get something which works.
Thanks.
# HTTPS by default except for download.domain.com
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} !=download.domain.com
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This should do the trick.
When you are testing, be aware that browsers cache 301 redirects - so you might reject working solutions because your browser fools you. Make sure to open browser dev tools and disable request cache.
I have a WordPress site with WPML installed. I've done 2 things recently:
Move HTTP only to HTTPS only
Move http://domain.pl to https://domain.xyz (English)
Move http://domain.pl/pl to https://domain.pl (Polish)
This is done to improve SEO. However while I got that working without much problem using:
# BEGIN HTTPS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
#RewriteCond %{HTTPS} !^on$
#RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</IfModule>
# END HTTPS
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
In apache.conf file ServerName domain.xyz, ServerAlias domain.pl www.domain.pl and so on. I'm having problems with most of my old blog posts that are around the internet in different forms. For example:
This little entry http://domain.pl/email-address-policy/ redirects properly to https://domain.xyz/email-address-policy/
This little entry http://domain.pl/powershell-write-host doesn't. It simply goes to https://domain.pl/powershell-write-host which is 404 and that's it.
It seems that the last / is making a huge difference.
I've planned to add all redirects in even direct form 1 to 1 to new domain but since it's partially working, partially not I'm kind of lost... and I am not sure how I could translate them correctly.
EDIT:
I've tried multiple options, even one that supposedly rewrites all links to end with / and it still fails.
# BEGIN HTTPS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
#RewriteCond %{SERVER_PORT} ^80$
#RewriteCond %{HTTPS} !^on$
#RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
#RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
#RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
#RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} !^on$
#RewriteRule (.*) https://evotec.xyz/$1 [R=301,L]
#RewriteRule (.*) https://%{SERVER_NAME%}/$1 [R=301,L]
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_URI} !(.*)/$
#RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1/ [L,R=301]
#RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteCond %{REQUEST_FILENAME} !\.(gif|jpg|png|jpeg|css|js)$ [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1/ [L,R=301]
</IfModule>
# END HTTPS
Another update:
https://domain.xyz/url-is-here - works correctly
https://domain.xyz/url-is-here/ - works correctly
https://domain.pl/url-is-here - doesn't work, isn't converted to https://domain.xyz/url-is-here/
https://domain.pl/url-is-here/ - converts correctly to https://domain.xyz/url-is-here/
So it's not entirely not working for all slash vs non-slash. It's more about translation of some sort that doesn't happen if it points to old domain.
I've tried using Redirect Checker to see how it works (on proper example) but I can't make any meaning from it.
Check of http://evotec.pl/hub/scripts/office365-addbulkemailaddressses-ps1
http://evotec.pl/hub/scripts/office365-addbulkemailaddressses-ps1 301 Moved Permanently
https://evotec.pl/hub/scripts/office365-addbulkemailaddressses-ps1/ 301 Moved Permanently
https://evotec.xyz/hub/scripts/office365-addbulkemailaddressses-ps1/ 200 OK
Check of http://evotec.pl/hub/scripts/office365-addbulkemailaddressses-ps1/
http://evotec.pl/hub/scripts/office365-addbulkemailaddressses-ps1/ 301 Moved Permanently
https://evotec.xyz/hub/scripts/office365-addbulkemailaddressses-ps1/ 200 OK
Check of https://evotec.pl/hub/scripts/office365-addbulkemailaddressses-ps1
https://evotec.pl/hub/scripts/office365-addbulkemailaddressses-ps1 404 Not Found
The more options I try the weirder it gets. While the RedirectChecker seems to be showing one thing ... browser is behaving a bit different and doesn't work for the first entry anyways causing 404 straight away
Edit:
If I leave only the "Wordpress" data, the following is true:
http://evotec.pl/hub/scripts/office365-addbulkemailaddressses-ps1 gets 404 http://evotec.pl/hub/scripts/office365-addbulkemailaddressses-ps1 exactly as is
http://evotec.pl/hub/scripts/office365-addbulkemailaddressses-ps1/ gets https://evotec.xyz/hub/scripts/office365-addbulkemailaddressses-ps1/
https://evotec.pl/hub/scripts/office365-addbulkemailaddressses-ps1 gets 404 exactly as is
It only works properly if i use the correct/new domain then all works properly:
https://evotec.xyz/hub/scripts/office365-addbulkemailaddressses-ps1
https://evotec.xyz/hub/scripts/office365-addbulkemailaddressses-ps1
http://evotec.xyz/hub/scripts/office365-addbulkemailaddressses-ps1
http://evotec.xyz/hub/scripts/office365-addbulkemailaddressses-ps1/
I guess if I can't redirect it, I will leave it as it is and just give up.
I've actually solved it by using SEO Redirection Premium plugin for Wordpress.
It's able to redirect broken links without /. In this case I've done it manually but I'm working on a way to do it in more global way with Regex. Just need to find proper one.
Create a .htaccess file with the below code, it will ensure that all your directories and pages of your old domain will get correctly redirected to your new domain.
The .htaccess file needs to be placed in the root directory of your old website (i.e the same directory where your index file is placed)
Options +FollowSymLinks
RewriteEngine on
RewriteRule (.*) https://www.newdomain.com/$1 [R=301,L]
Please REPLACE www.newdomain.com in the above code with your actual domain name.
In addition to the redirect I would suggest that you contact every backlinking site to modify their backlink to point to your new website (for SEO).
Note* This .htaccess method of redirection works ONLY on Linux servers having the Apache Mod-Rewrite module enabled.
And Then for http to https :
RewriteCond %{HTTP_HOST} ^domain\.com.au$ [OR]
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://www.domain.com.au/$1 [R,L]
And additionally you also can add the below code in wp-config.php
define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST']);
define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST']);
Note*: This may not work for you, as I have not tried it, but you should try it once and let me know.
I'm working on a wordpress site. And just installed SSL. It has been installed correctly but I want to redirect visitors to the https url for certain pages only. I also want to force browser to use http for other pages.
I know this can be done with .htaccess and tried several things as well. But unable to get this as I need. I'm a novice at handling .htaccess rewrite rules and can't find the docs that can guide me.
For example, I need to force browser to use https for these two urls:
http://www.example.com/sells/payment/
http://www.example.com/customer/login/
and for all other urls to just use normal http forcefully. What kind of rules I need to write?
Update 1
I also have a rule that redirects non-www url to a www url, and that might be conflicting with these rules. Here is how I redirect all non-www urls to www urls.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
The issue I'm facing is, after applying https rules, it is redirected to https://www.www.example.com/sells/payment/ which is a wrong url.
Any idea for fixing this?
Enable mod_rewrite and .htaccess through httpd.conf and then put this code in your .htaccess under DOCUMENT_ROOT directory:
Options +FollowSymLinks -MultiViews
# Turn mod_rewrite on
RewriteEngine On
RewriteBase /
RewriteRule ^(sells/payment|customer/login)/ - [E=MY_URL:1]
RewriteCond %{HTTPS} off
RewriteCond %{ENV:MY_URL} 1
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
RewriteCond %{HTTPS} on
RewriteCond %{ENV:MY_URL} !=1
RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
UPDATE:
Options +FollowSymLinks -MultiViews
# Turn mod_rewrite on
RewriteEngine On
RewriteBase /
RewriteRule ^(sells/payment|customer/login)/ - [E=MY_URL:1]
RewriteCond %{HTTPS} off
RewriteCond %{ENV:MY_URL} 1
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
RewriteCond %{HTTPS} on
RewriteCond %{ENV:MY_URL} !=1
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
This is what I've used consistently across my projects where I have similar use-cases as yourself:
RewriteCond %{SERVER_PORT}s ^(443(s)|[0-9]+s)$
RewriteRule ^(.+)$ - [env=askapache:%2]
# redirect urls with index.html to folder
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+/)*index\.html\ HTTP/
RewriteRule ^(([^/]+/)*)index\.html$ http%{ENV:askapache}://%{HTTP_HOST}/$1 [R=301,L]
# change // to /
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(.*)//(.*)\ HTTP/ [NC]
RewriteRule ^.*$ http%{ENV:askapache}://%{HTTP_HOST}/%1/%2 [R=301,L]
This is an excerpt from a site where I found the solution, so I can't take credit for it:
Smart HTTP and HTTPS .htaccess Rewrite
I haven't tried it, but can you handle it the same way you do canonical URLs?
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example.com/your-page
RewriteRule (.*) https://www.example.com/your-page [R=301,L]