HTTPS / htaccess

Hey everyone,

I’m trying to make it so anytime someone hits my shopping cart directory they are forced to hit HTTPS if they aren’t already. But if the customer is trying to hit any other directory I want it to remove “https”… Is that possible with .htaccess?

If so, please advise.
Thank you!

You sure can; Zaggs recently posted about this here.


RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteCond %{REQUEST_URI} ^/(checkout|login|myaccount)\.php
RewriteRule .? https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/(checkout|login|myaccount)\.php
RewriteCond %{REQUEST_FILENAME} !\.(gif|png|jpg|jpeg|css|js)$ [NC]
RewriteRule .? http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Where checkout|login|myaccount are the URLs that should be secured (i.e. /checkout, /login, and /myaccount) and everything else shouldn’t be.

I notice that it says .php after the second rewrite condition. Does that mean I have to specify which files I want to trigger the rewrite condition? Or do I just put directories in there?

Also, where do I put this .htaccess file? Do I put it in the web root? The shopping cart directory? Every directory? Please advise :) and thank you for your help already.

Regards,

DK

Ok, so just to ensure I understand what you are saying. I can ‘erase’ .php from the rewrite rule and just put / instead. I don’t want to force HTTPS for various files, but various directories instead, namely the cms directory and the basket directory, both of which are found at /cms and /basket respectively.

If I put these rules into a .htaccess file in the web root I presume it will still be triggered in the sub directories such as /basket and /cms? I think the terminology might be sub directory inheritance or cascading?

^ The answer to all those questions is ‘Yes, that is correct’ :)

Regards,

DK

I’m still having a bit of trouble getting this to work correctly. I first test stuff like this out on the dev subdomain. Would that prevent it from working as expected? It manages to turn on HTTP when visiting the shopping cart, but it doesn’t remove the https when out of the shopping cart.

wh33t,

You need to show what your .htaccess is (that you’re having trouble with), you need to let us know what files/directories that must be secure (by default, everything else must not be secure) and you need to let us know what shopping cart you’re using.

Other comments:

  1. ZenCart (IMHO, the premier open source shopping cart) controls what’s secure and what’s not secure via its two config files. Trying to circumvent those will only cause problems.

  2. If you’re using PHP, only redirect the PHP files, not all files, because relative links when using the secure server should also be https://{secure} (to prevent an endless series of warnings).

From my signature’s tutorial Article:

Regards,

DK

I’m not using Zencart, this Shopping cart was written by me in PHP.

This is my current .htaccess on my dev subdomain. It does indeed turn on HTTPS when visiting the basket directory, but it doesn’t remove it when viewing any other directory.

ErrorDocument 404 /404.php

Options +FollowSymLinks
Options +Indexes
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^domain\.com$
RewriteRule ^(.*)$ http://dev.domain.com/$1 [R=301,L]

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteCond %{REQUEST_URI} ^/(basket)\/
RewriteRule .? https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/(basket)\/
RewriteCond %{REQUEST_FILENAME} !\.(gif|png|jpg|jpeg|css|js)$ [NC]
RewriteRule .? http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

wh33t,

Comments on your code:

ErrorDocument 404 /404.php

Options +FollowSymLinks
Options +Indexes
# both of those should be accomplished in the httpd.conf but okay here, too
RewriteEngine On
# Used for testing - remove for production?
RewriteBase /
# What mod_alias redirect is this being used to correct?  DELETE
RewriteCond %{HTTP_HOST} ^domain\.com$
# will not redirect www.domain.com - remove the ^
RewriteRule ^(.*)$ http://dev.domain.com/$1 [R=301,L]

RewriteEngine On
# No need to duplicate from above
RewriteCond %{HTTPS} !on
# You're not having a problem with %{HTTPS}, but it is either NULL or undefined when it's not "on"
# I would use RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{REQUEST_URI} ^/(basket)\/
# Not sure about the leading / but the \ before the trailing / is not needed (inappropriate)
# Why create an Apache variable with (basket)?
RewriteRule .? https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/(basket)\/
# Ditto
# This is ANDed with the 'not support file' RewriteCond that follows
RewriteCond %{REQUEST_FILENAME} !\.(gif|png|jpg|jpeg|css|js)$ [NC]
RewriteRule .? http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Frankly, if your enforce secure server for basket is working, I don’t see anything which would prevent the enforce non-secure for non-basket requests. That said, I would have used slightly different code:

# .htaccess in DocumentRoot using Apache 2.x server

ErrorDocument 404 /404.php
RewriteEngine on

# test - comment out as the dev subdomain may not be available via https
# RewriteCond %{HTTP_HOST} ^domain\.com$
# RewriteRule ^(.*)$ http://dev.domain.com/$1 [R=301,L]

# Enforce HTTPS on basket/ FOR PHP SCRIPTS
# (%{REQUEST_URI} always begins with /, so the pattern must start with / too)
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{REQUEST_URI} ^/basket/
RewriteRule \.php$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Enforce non-secure for non-basket/ scripts
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/basket/
RewriteRule \.php$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If you only deal with the PHP scripts, the support files requested by those scripts will utilize the same protocol (http or https) as the script. Doing it this way will avoid the multiple security warnings when non-secure scripts are called from a secure script.

Regards,

DK
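Both rule sets in this thread (the per-script checkout|login|myaccount rules from the first reply and the basket/ rules just above) can be checked offline before they go anywhere near a live site. What follows is an added example, not code from the thread or from Apache: a small Python model of the mod_rewrite behaviour the rules depend on (RewriteCond lines ANDed onto the RewriteRule that follows, %{REQUEST_URI} always carrying its leading "/", and the RewriteRule pattern in a per-directory .htaccess being matched against the path without that leading "/"). It runs the basket/ rules once written as `^basket/` and once as `^/basket/`: the first form can never match a %{REQUEST_URI}, so the "force http elsewhere" rule then pushes a secure basket request back down to plain http, the opposite of what was intended. It also shows that matching only `\.php$` leaves a bare directory request such as /basket/ on http. Host names are constructed; REQUEST_FILENAME is approximated by the URI path.

```python
import re

# Added example, not Apache's code: a minimal model of the mod_rewrite
# behaviour the thread's rules depend on. Only the R (redirect) outcome is
# modelled; internal rewrites and other directives are ignored.


def request_vars(scheme, host, uri):
    """The server variables the thread's rules read, for one request."""
    secure = scheme == "https"
    return {
        "HTTPS": "on" if secure else "off",
        "SERVER_PORT": "443" if secure else "80",
        "REQUEST_URI": uri,  # always begins with "/"
        "HTTP_HOST": host,
        # Simplification: the real value is a filesystem path, but it ends
        # with the same file name, which is all the rules examine.
        "REQUEST_FILENAME": uri,
    }


def expand(text, variables):
    """Replace %{VAR} references with the request's values."""
    return re.sub(r"%\{(\w+)\}", lambda m: variables[m.group(1)], text)


def parse_flags(token):
    return {f.split("=")[0] for f in token.strip("[]").split(",") if f}


def parse_htaccess(text):
    """Return (conditions, pattern, substitution, flags) per RewriteRule."""
    rules, pending = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        flags = parse_flags(parts[3]) if len(parts) > 3 else set()
        if parts[0] == "RewriteCond":
            pending.append((parts[1], parts[2], flags))
        elif parts[0] == "RewriteRule":
            rules.append((pending, parts[1], parts[2], flags))  # conds are ANDed
            pending = []
    return rules


def condition_holds(cond, variables):
    var, pattern, flags = cond
    negate = pattern.startswith("!")
    pattern = pattern[1:] if negate else pattern
    re_flags = re.IGNORECASE if "NC" in flags else 0
    found = re.search(pattern, expand(var, variables), re_flags) is not None
    return found != negate


def redirect_target(rules, scheme, host, uri):
    """URL of the first redirect rule that fires, or None."""
    variables = request_vars(scheme, host, uri)
    path = uri.lstrip("/")  # per-directory context strips the leading slash
    for conds, pattern, substitution, flags in rules:
        if re.search(pattern, path) is None:
            continue
        if not all(condition_holds(c, variables) for c in conds):
            continue
        if "R" in flags:
            return expand(substitution, variables)
    return None


def follow(rules, scheme, host, uri, limit=5):
    """Chase redirects and return the chain of URLs visited; raise on a loop."""
    chain = [f"{scheme}://{host}{uri}"]
    for _ in range(limit):
        target = redirect_target(rules, scheme, host, uri)
        if target is None:
            return chain
        chain.append(target)
        scheme, host, uri = re.match(r"(https?)://([^/]+)(/.*)", target).groups()
    raise RuntimeError("redirect loop: " + " -> ".join(chain))


# The per-script rule set from the first reply in the thread.
PER_SCRIPT_RULES = r"""
RewriteCond %{HTTPS} !on
RewriteCond %{REQUEST_URI} ^/(checkout|login|myaccount)\.php
RewriteRule .? https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/(checkout|login|myaccount)\.php
RewriteCond %{REQUEST_FILENAME} !\.(gif|png|jpg|jpeg|css|js)$ [NC]
RewriteRule .? http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
"""

# The basket/ rule set, first with "^basket/" (which can never match a
# %{REQUEST_URI}) and then with the leading "/" that the variable always has.
BASKET_RULES_NO_SLASH = r"""
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{REQUEST_URI} ^basket/
RewriteRule \.php$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^basket/
RewriteRule \.php$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
"""
BASKET_RULES = BASKET_RULES_NO_SLASH.replace("^basket/", "^/basket/")

if __name__ == "__main__":  # shop.example is a constructed host name
    print(follow(parse_htaccess(BASKET_RULES_NO_SLASH), "https", "shop.example", "/basket/checkout.php"))
    print(follow(parse_htaccess(BASKET_RULES), "https", "shop.example", "/basket/checkout.php"))
```

Run as a script it prints the two chains: with `^basket/` the secure checkout request is redirected to http, with `^/basket/` it stays on https. One caveat worth keeping in mind when adopting the "force http everywhere else" half of these rules: it is a deliberate downgrade, so any session cookie set during checkout will be sent in the clear on the non-basket pages unless it is marked Secure (and if it is marked Secure, those pages will not see it at all). Check that behaviour with the same care as the redirects.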

Yes I only deal with php scripts.

The following:

# RewriteCond %{HTTP_HOST} ^domain\.com$
# RewriteRule ^(.*)$ http://dev.domain.com/$1 [R=301,L]

Remember this is my development subdomain, located at dev.domain.com. For security reasons I’m not actually saying what domain I’m actually working on.

Now the re-write that is there was adapted from the “live” site, which forced the public using the site to use “www” versus just http://domain.com. I removed www from the rewrite rule and replaced it with .dev because I’m a novice with .htaccess and figured it needed to be replaced, but perhaps on the dev subdomain rewrite doesn’t need to be there at all…

Perhaps also, none of this will work on the dev subdomain period because the secure certificate is only meant to work with the original domain? Is that correct?

The certificate itself won’t work on another domain than it was bought for, no. But mod_rewrite doesn’t know this (or care about it for that matter) and will just redirect you all the same.

Yes, but this particular .htaccess I have going does not remove the https correctly when leaving the basket directory. It does however manage to forward to https when visiting the basket dir.

Could you post the complete .htaccess you have now, please?

ErrorDocument 404 /404.php

Options +FollowSymLinks
Options +Indexes
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^domain\.com$
RewriteRule ^(.*)$ http://dev.domain.com/$1 [R=301,L]

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteCond %{REQUEST_URI} ^/(basket)\/
RewriteRule .? https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/(basket)\/
RewriteCond %{REQUEST_FILENAME} !\.(gif|png|jpg|jpeg|css|js)$ [NC]
RewriteRule .? http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Please keep in mind domain.com is not my actual domain and this is the .htaccess I run from the development subdomain. I am thinking I should give it a shot on the live domain, maybe at night right now because I know the traffic will be minimal.

Please take a look at the comments in post #11 first and update your .htaccess accordingly. There are quite a few useful tips in there you seem to have just ignored …