Securing certain URLs with HTTPS and forcing others to HTTP

Post by krisw » Tue Sep 15, 2009 5:57 am

I have areas of a website that I am trying to secure with SSL, which I have managed to achieve. However, I want to force the user back to standard HTTP when they navigate away from a secure page; this is the part I am having trouble with. My .htaccess file looks like this so far:

Code:
RewriteEngine On
RewriteBase /
Options FollowSymLinks

RewriteCond %{HTTPS} =off
RewriteRule ^(client_area|logged_in|download)(.*) https://%{SERVER_NAME}/$1$2 [R=301,L]

#RewriteCond %{HTTPS} =on
#RewriteRule !^(images|css|js|client_area|logged_in|download)(.*) http://%{SERVER_NAME}/$1$2 [R=301,L]

RewriteRule ^$                                     index.php?page=home
RewriteRule ^logged_in/logout\.html$               index.php?cmd=logout [L]
RewriteRule ^download/([0-9]{8})$                  download.php?id=$1 [L]
RewriteRule ^([a-z0-9_-]+)\.html$                  index.php?page=$1 [QSA]
RewriteRule ^([a-z0-9_-]+)/([a-z0-9_-]+)\.html$    index.php?page=$1&sub=$2 [QSA]
RewriteRule ^external/([a-z0-9_-]+)\.html$         $1.php


When I uncomment my second block starting with RewriteCond, the addresses that I wanted to secure are rewritten to include query strings that I am trying to initially hide with mod_rewrite.

For example, if I were to navigate to http://www.foo.com/logged_in.html, it gets rewritten to http://www.foo.com/?page=logged_in, whereas if I were to comment out that block, it correctly gets rewritten to https://www.foo.com/logged_in.html, but the user stays under https for the rest of the visit.

Any ideas or suggestions would be most welcome.
krisw
 
Posts: 6
Joined: Wed Feb 25, 2009 9:13 am

Post by richardk » Tue Sep 15, 2009 5:46 pm

I think the second block may be matching the internal requests (after the last rules match). Also, you can't use backreferences/variables when you have ! (not) at the beginning of the regular expression.

Try
Code:
Options FollowSymLinks

RewriteEngine On

RewriteCond %{HTTPS} =off
RewriteRule ^(client_area|logged_in|download)(/.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteCond %{HTTPS} =on
RewriteRule !^(images|css|js|client_area|logged_in|download)(/.*)?$ http://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

RewriteRule ^$                                     /index.php?page=home      [QSA,L]
RewriteRule ^logged_in/logout\.html$               /index.php?cmd=logout     [QSA,L]
RewriteRule ^download/([0-9]{8})$                  /download.php?id=$1       [QSA,L]
RewriteRule ^([a-z0-9_-]+)\.html$                  /index.php?page=$1        [QSA,L]
RewriteRule ^([a-z0-9_-]+)/([a-z0-9_-]+)\.html$    /index.php?page=$1&sub=$2 [QSA,L]
RewriteRule ^external/([a-z0-9_-]+)\.html$         /$1.php                   [QSA,L]
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am
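
The behaviour described in the reply above, as an added example that is not part of the original thread: a simplified Python model of per-directory mod_rewrite processing, using the `(.*)` patterns and the host www.foo.com from the question. `handle` and its `fixed` flag are hypothetical names; `fixed=True` applies the reply's two changes (the REDIRECT_STATUS condition and the %{REQUEST_URI} target).

```python
import re

AREAS = "client_area|logged_in|download"
# Constructed model of the thread's rules:
# (pattern, negated, HTTPS state required, action, target)
RULES = [
    (rf"^({AREAS})(.*)", False, False, "redirect", "https"),
    (rf"^(images|css|js|{AREAS})(.*)", True, True, "redirect", "http"),
    (r"^([a-z0-9_-]+)\.html$", False, None, "rewrite", r"index.php?page=\1"),
]

def handle(https, path, fixed, host="www.foo.com"):
    """Simplified per-directory mod_rewrite processing of one request.

    fixed=False: the question's .htaccess with its second block uncommented.
    fixed=True:  the reply's REDIRECT_STATUS guard and %{REQUEST_URI} target.
    """
    query, internal = "", False
    for _ in range(10):  # bounded, as Apache bounds internal redirects
        for pattern, negated, need_https, action, target in RULES:
            m = re.search(pattern, path)
            if bool(m) == negated:
                continue  # pattern (or its negation) did not match
            if need_https is not None and need_https != https:
                continue  # RewriteCond %{HTTPS} failed
            if fixed and negated and internal:
                continue  # RewriteCond %{ENV:REDIRECT_STATUS} ^$ failed
            if action == "redirect":
                # A negated pattern captures nothing, so $1$2 expand to "".
                uri = path if fixed else (m.group(1) + m.group(2) if m else "")
                suffix = f"?{query}" if query else ""
                return "redirect", f"{target}://{host}/{uri}{suffix}"
            # Internal rewrite: new path and query, then the rules run again.
            path, _, query = m.expand(target).partition("?")
            internal = True
            break
        else:
            return "serve", path + (f"?{query}" if query else "")
    raise RuntimeError("rewrite loop")
```

With `fixed=False`, an HTTPS request for `logged_in.html` is first rewritten to `index.php?page=logged_in`, and the second pass then hits the downgrade rule, which produces the `/?page=logged_in` redirect reported in the question.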

Post by krisw » Wed Sep 16, 2009 2:32 am

Thank you for the suggestion, richardk. I made a slight amendment to it in that I took out the forward slashes in the RewriteRules under the RewriteConds. It now looks like this, but still doesn't work. I can browse from an http page to an https page fine and it detects and redirects, but I still can't then get back out of https on non-secure pages.

Code:
RewriteEngine On
RewriteBase /
Options FollowSymLinks

RewriteCond %{HTTPS} =off
RewriteRule ^(client_area|logged_in|download)(.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteCond %{HTTPS} =on
RewriteRule !^(images|css|js|client_area|logged_in|download)(.*)?$ http://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

RewriteRule ^$                                     index.php?page=home      [QSA,L]
RewriteRule ^logged_in/logout\.html$               index.php?cmd=logout     [QSA,L]
RewriteRule ^download/([0-9]{8})$                  download.php?id=$1       [QSA,L]
RewriteRule ^([a-z0-9_-]+)\.html$                  index.php?page=$1        [QSA,L]
RewriteRule ^([a-z0-9_-]+)/([a-z0-9_-]+)\.html$    index.php?page=$1&sub=$2 [QSA,L]
RewriteRule ^external/([a-z0-9_-]+)\.html$         $1.php                   [QSA,L]


Would it help if I switched on the rewrite logging to figure this out?
krisw
 

Post by richardk » Wed Sep 16, 2009 2:30 pm

krisw wrote: "I still can't then get back out of https on non-secure pages."

Does the query string get added?

Try
Code:
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(client_area|logged_in|download)(/.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteCond %{SERVER_PORT} ^443$
RewriteRule !^(images|css|js|client_area|logged_in|download)(/.*)?$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteRule ^$                                  index.php?page=home      [QSA,L]
RewriteRule ^logged_in/logout\.html$            index.php?cmd=logout     [QSA,L]
RewriteRule ^download/([0-9]{8})$               download.php?id=$1       [QSA,L]
RewriteRule ^([a-z0-9_-]+)\.html$               index.php?page=$1        [QSA,L]
RewriteRule ^([a-z0-9_-]+)/([a-z0-9_-]+)\.html$ index.php?page=$1&sub=$2 [QSA,L]
RewriteRule ^external/([a-z0-9_-]+)\.html$      $1.php                   [QSA,L]

I'd appreciate it if you tried exactly what I posted.

krisw wrote: "Would it help if I switched on the rewrite logging to figure this out?"

You can if you want to, it might help.
richardk
 

Post by rover » Mon Oct 05, 2009 5:29 am

This is great, I've been a member of this forum for a while and I came here looking for help on this exact subject.

I have 1 directory that I would like to be secure (https), called 'members'; all other directories and pages should revert back to standard (http). I'll read through what you've written above, Richard, and see if it works for me. Thanks again.

Update

For me, all I need is ONLY /members to be https:// and then all other areas to be standard. Looking at the code above, it seems overly complicated for my needs. Could you suggest anything better?
rover
 
Posts: 16
Joined: Mon Dec 18, 2006 7:24 pm

Post by richardk » Mon Oct 05, 2009 8:05 am

It's pretty close to what you need. Try
Code:
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^members(/.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteCond %{SERVER_PORT} ^443$
RewriteRule !^members(/.*)?$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
richardk
 

Post by rover » Tue Oct 06, 2009 5:51 am

Many thanks Richard :)
rover
 

