Currently I am using the following at the beginning of my root's .htaccess file. Is there a safe way to exclude index.html? Is this even necessary?
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Everything on the site should be secured except the initial index.html page. The site is a very simple service with one landing page, 3 registration pages (requiring ssl), and logged in mode (again requiring ssl). Other than a few UI graphics, there is no major downloading of files. The service is mostly textual once logged in.
The only reason I ask is that many threads on here suggest that having SSL enabled on the entire site is not a good idea. It seems that since I only have one "landing page" and everything else needs to be secured, I may have the exception to this rule? Any potential issues just leaving SSL for the index as well?
Thanks for any thoughts
Add another condition:
RewriteCond %{REQUEST_URI} !^/(index\.html)?$
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Related
This might sound like a stupid question to some, but I've only just noticed it while trying to implement an SSL certificate to my site.
There's a default value in the 'out of the box' .htaccess file:
# Rewrite "www.example.com -> example.com"
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
Am I right in thinking this code forces the removal of the www. part of the canonical links on my website?
If so - is this really best practice? Is that why the base_url example in the Config/App.php is http://example.com?
Secondly, as I mentioned, I'm trying to add this code to the .htaccess file to implement the SSL certificate and force https for every URL - but it's causing an error if I use www. (whereas it didn't cause an error before) and my speed tests are indicating redirects galore which is slowing everything down:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Is anyone able to point me in the right direction with the correct canonical link structure for the base_url in the Config/App.php file, whether I need to alter (or scrap) the first snippet of code, and how I can force https to work with my SSL certificate (and www. in my URLs).
I would much rather my URLs had the structure of https://www.example.com as opposed to https://example.com
Am I right in thinking this code forces the removal of the www.
Yes, but only for HTTP (not HTTPS) requests, as governed by the first condition %{HTTPS} !=on.
If you are implementing HTTPS then you should remove the first condition and change the RewriteRule substitution string to redirect to https://.... But if you are wanting to redirect to www then you'll need to reverse the logic also:
# Redirect "example.com -> www.example.com"
# (In fact, redirect hostname that does not start "www.")
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Although, this particular method (as I've implied in the comment) will not necessarily work if you have other subdomains, unless you want all subdomains to have www sub-subdomains?!
Note that this is an external "redirect", not an internal "rewrite" as you'd stated in the comment.
If so - is this really best practice?
In terms of SEO or from a technical perspective? In terms of SEO there is no difference. Using a www subdomain can arguably have some technical benefits (isolating cookies and staging sites, etc.) - although this is mostly a matter of opinion and depends on your environment. It is really up to you. For some domain names, using a www subdomain just looks cumbersome.
But what is important is that you choose one or the other and redirect to the canonical URL in order to avoid potential duplicate content issues.
Using the domain apex (ie. no www subdomain) is simply CodeIgniters default.
force https for every URL - but it's causing an error if I use www.
To clarify, the SSL cert you implement must include both the domain apex, ie. exmaple.com and the www subdomain, ie. www.example.com. Otherwise, you will naturally get browser security warnings when requesting the "other" (non-SSL) hostname.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This code is generally OK to force HTTP to HTTPS (providing the SSL cert is installed on your application server, ie. you're not using a front-end SSL proxy or non-standard implementation). However, the order you put this rule in relation to the rule above will depend on whether you intend to implement HSTS or not.
If you are intending to implement HSTS then you will need to redirect to HTTPS on the same host first, before the redirect to www. This will result in an unavoidable double redirect when requesting the non-canonical http://example.com/ (but that is not "bad").
For example:
# 1. Redirect to HTTPS on the same host
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# 2. Redirect to non-www to www
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
If, however, you are not intending to implement HSTS then you can reverse the two rules above and get at most one redirect for any non-canonical URL request.
You need to update the CodeIgniter base_url to match your preference of www or not.
I have a single PHP file which handles credit card processing. It starts as a form to input the credit card number, then becomes a "confirm" screen (showing the credit card number) then once more to process and display the results. All three loads will be done with PHP submits (I realize the confirm might be better as Javascript, but I didn't write it). It is the only file in the directory which handles credit cards, and therefore it is the only one which needs httpS connection.
I have tried forcing this with the $_SERVER array, looking up the protocol used to connect from the prefix of the SCRIPT_URI (or other entry), but none had the prefix.
Is there a simple way to do this...i want ssl on 5 pages homepage, login, register, contact page and if user visit other page then he should be on non ssl version
Sorry for the questions, but my searches thus far here haven't uncovered a working solution, and I'm afraid I don't know what the best practice is.
Use this code on php pages you want:
if($_SERVER["HTTPS"] != "on")
{
header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
exit();
}
You should investigate $_SERVER['HTTPS']. This will have a non empty value if https is used and an empty value otherwise.
If you detect a non https connection you can redirect the user, e.g. using php header() method.
Another way to achieve this would be to use .htaccess configuration (if you're running on apache web server):
RewriteCond %{HTTPS} !=on
RewriteRule ^creditcard\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R]
Using https for the whole website is a really good option, too.
Suppose you want to redirect 4 specific pages to https,
page1.php
page2.php
page3.php
page4.php
then you would do something like this:
Create a .htaccess file in your root directory and add the following lines to it.
Options +FollowSymlinks
RewriteEngine On
RewriteBase /
#redirect www.yourdomain.com to yourdomain.com (or any other subdomain)
RewriteCond %{HTTP_HOST} !^yourdomain.com$ [NC]
RewriteRule ^(.*)$ http://yourdomain.com/$1 [L,R=301]
#force https for certain pages
RewriteCond %{HTTPS} !=on
RewriteRule ^(page1\.php|page2\.php|page3\.php|page4\.php)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R]
My objective is apply an EV SSL to redirect using htaccess all the .HTML pages on my site to https, however, I created the site in DW CS6 and the majority (over 1,000) of the pages are .php and cannot be https, since they are all syndicated content feeds from EMC, VMware, etc. I also built dozens of deep links for all the .php pages.
Extensive searching through all the pages here provided what seemed like the best and most logical solution.
Step 1. Redirect the entire site first to https
Options +FollowSymLinks -MultiViews
# Turn mod_rewrite on
RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} Off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTP_HOST} !^\.php$ [NC]
RewriteCond %{HTTPS} Off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Then
Step 2.
RewriteCond %{HTTP_HOST} !^\.php$ [NC]
RewriteCond %{HTTPS} Off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
The problem is I never got to test step 2 because step 1 did not work, the site remains http://www.erpsaa.com/ but of course if you simply add the "s" https://www.erpsaa.com/ which was my objective, it works perfectly, and if you hit any of the deep link .php pages, it also works and goes directly back to http. However, that then kicks the entire site back to http. I have what I believe to be a partial solution for step 2.The parent.php links are effected, because with an entire site redirect (manual) the 4 .php parents are destroyed, SSL gives the "mixed content issue". I could set it up so that none of the links are the parent .php, but make all the links deep links and achieve the same purpose. However, I am still left with the problem of what I found here to be confirmed by more than one person was the exact way to redirect one's entire site from http to https. Perhaps in my case overall, is a 301 code for the entire site better, with the bandaid for the .php pages, whose deep links always force https to http.
Thank you in advance for any help.
You cannot match php extension using %{HTTP_HOST} variable (that is used for matching domains only).
You can use:
Options +FollowSymLinks -MultiViews
RewriteEngine On
RewriteCond %{HTTPS} Off
RewriteRule !\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,NE,NC,L]
User clicks link (from their email): http://www.site.com/edit/wih293f73y
Browser window opens and gets them to the correct page.
But now the browser's address bar shows: http://www.site.com/editor.php?editCode=wih293f73y
Extra info:
My rewrite rule is:RewriteRule ^edit/([A-Za-z0-9-]+)/?$ editor.php?editCode=$1 [NC,L]
This problem ONLY occurs when the user has clicked a link. It works perfectly when you just type the pretty url into the address bar.
This problem ONLY occurs for links that include the www. - the link http://site.com/edit/wih293f73y works like a charm.
My .htaccess file includes the following code (from HTML5 boilerplate, which I wasn't aware of previously):
# Rewrite www.example.com → example.com
<IfModule mod_rewrite.c>
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
</IfModule>
If it's important, this occurs after my other rewrite rules.
I just took a look and it is apparent that your www rules is causing this. Question is do you want it be fixed? If you do then move this rule on top of all other rules and your problem should be fixed.
Move this to top of all other rules
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
You can use use the redirect directive
redirect 301 ^edit/([A-Za-z0-9-]+)/?$ editor.php?editCode=$1
There are some pros and cons to this strategy. The pros being;
It's super fast. You don't even need to load up your application for this to work.
It's minimal code.
Redirects are an intrinsic part of Apache (or any http server) and aren't going anywhere soon.
The cons being;
It's not part of your application proper. Should you decide to change logic or URLs, you'll have to change this, too.
It's slower, as you need to invoke php, as opposed to just having Apache issue the redirect.
I want to run few pages on https while all others pages run on http
I wrote below code in .htaccess and on config.inc.php file
.htaccess
RewriteEngine on
Options +FollowSymLinks
RewriteBase /
RewriteRule ^login/?$ login.php [NC]
# Rewrite non www to www.charityrummage.com
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
# Rewrite to https
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} /login [OR]
RewriteCond %{REQUEST_URI} /do_login.php [OR]
RewriteCond %{REQUEST_URI} /payment/?.*$
RewriteRule ^(.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA]
# traffic to http://, except login.php and payment.php
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !(/login|/do_login.php|/payment)
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA]
also made some changes in config.inc.php which is required and first file of the website
config.inc.php
$ssl_page = array('login.php','do_login.php','payment.php');
// Note: do_login.php is intermediate page
if(in_array(trim($_SERVER['SCRIPT_NAME'],'/'),$ssl_page)){
define('PROTOCOL','https://');
}else{
define('PROTOCOL','http://');
}
define('DS','/');
define('URL',PROTOCOL.$_SERVER['HTTP_HOST'].DS);
// based on URL i made CSS and JS Path
here is the website link :
http://www.charityrummage.com.
login page is ssl enabled :
https://www.charityrummage.com/login
BUT
when I run the website, it gives different errors on different browsers and its really annoying. below are the error description on different browsers
IE8
it always prompt for security error and
if i click on Yes then display everything fine except left panel
if i click on NO then certificate error near web address but website works fine.
Chrome ( v :20.0.1132.8 )
display multiple warning about css and js ( see in console ) in below format:
The page at https://www.charityrummage.com/login ran insecure content
from http://www.charityrummage.com/css/reset.css
but if you view source of login page then you can see that every
css and js running with https://
Firefox (v 16.0)
it display lock sign ( secure ) just for few seconds and then gone away
( i m surprised it never prompt security alert for https )
but when we go with page info -> media then many of images are coming from http://
Will you please examine and tell me what is exact problem?
One more thing i want to know.
if https:// pages are not displaying properly then which one is responsible
Operating system OR
Browser OR
server OR
Programming issue OR
SSL certificate issue
and at the end what is the solution of this problem?
Thanks
Try with this rule:
# Force files ending in X to use same protocol as initial request
RewriteRule \.(gif|jpe?g|png|ico|css|js)$ - [S=1]
or this one:
# don't do anything for images/css/js (leave protocol as is)
RewriteRule \.(gif|jpe?g|png|ico|css|js)$ - [NC,L]
Before the # traffic to http://
I got round this problem before by setting the base href on the page like so
<base href="<?php echo HTTPS_BASE_REF; ?>"></base>
This meant that all links derived from this and resolved correctly.
The constant of HTTPS_BASE_REF was set in my config.inc.php file.