Rewrite from https to http

Post by markthien » Thu Sep 17, 2009 7:55 pm

Hello guys,

I put all my PHP files under the root and there are like 20 of them, of which only 3 PHP pages need to be in HTTPS and the rest don't. Hence I wrote my rewrite rules as follows:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^twitext.com [NC]
RewriteRule ^(.*)$ http://www.twitext.com$1 [L,R=301]

# pages that need SSL
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.signup.php)$ https://www.twitext.com$1 [R,L]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.login.php)$ https://www.twitext.com$1 [R,L]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.account-setting.php)$ https://www.twitext.com$1 [R,L]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.home.php)$ https://www.twitext.com$1 [R,L]

# pages that need no SSL
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.gateway.php)$ http://www.twitext.com$1 [R,L]
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.help.php)$ http://www.twitext.com$1 [R,L]
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.contact.php)$ http://www.twitext.com$1 [R,L]

Is there any way we can shorten this up? Appreciate any comment please.

Yours faithfully,
Mark Thien

Post by richardk » Fri Sep 18, 2009 9:16 am

Where are you putting the mod_rewrite?

You can use ! (not) to match the files that should not be on port 80.

Code:
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^/(account-setting|home|login|signup)\.php$ https://www.example.com%{REQUEST_URI} [R=301,L]

RewriteCond %{SERVER_PORT} ^443$
# If it's not the files that need HTTPS redirect to HTTP.
RewriteRule !^/(account-setting|home|login|signup)\.php$ http://www.example.com%{REQUEST_URI} [R=301,L]


You will probably also need to add your CSS, javascript and images to the last rule, eg.
Code:
# If it's not the files that need HTTPS or a request to /images, /css or /js redirect to HTTP.
!^((account-setting|home|login|signup)\.php|(css|images|js)(/.*)?)$

Post by markthien » Sat Sep 19, 2009 7:30 pm

Hi richardk,

Thanks for the solution. However, the second line is not working:

RewriteCond %{SERVER_PORT} ^433$
# If it's not the files that need HTTPS redirect to HTTP.
RewriteRule !^/(account-setting|home|login|signup)\.php$ http://www.example.com%{REQUEST_URI} [R=301,L]

That means when visiting pages other than account-setting, home, login, signup.php, if the previous page is on HTTPS, it will also be HTTPS.

In addition to that, those HTTPS pages like login also come with CSS and JavaScript files. Is it possible to not encrypt those CSS and JavaScript files but only the login.php?

Post by richardk » Sun Sep 20, 2009 5:33 am

markthien wrote: "That means when visiting pages other than account-setting, home, login, signup.php, if the previous page is on HTTPS, it will also be HTTPS."

It does not. It means if the current request is on port 443 (ie. is HTTPS) and the current request is not (!) for /account-setting.php /home.php /login.php or /signup.php, redirect to HTTP.

markthien wrote: "In addition to that, those HTTPS pages like login also come with CSS and JavaScript files. Is it possible to not encrypt those CSS and JavaScript files but only the login.php?"

That's why I said:
You will probably also need to add your CSS, javascript and images to the last rule, eg.
Code:
# If it's not the files that need HTTPS or a request to /images, /css or /js redirect to HTTP.
!^((account-setting|home|login|signup)\.php|(css|images|js)(/.*)?)$

Adding the exceptions will allow them to be encrypted and stop the warnings. The above is based on directories, but you could do it based on file extensions or specific files.
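Added example (not part of the thread and not either poster's code): a small Python model of the redirect decision the two rules make, run over constructed requests as a regression check. It assumes the per-directory form of the patterns (no leading slash) and the www.example.com placeholder host from the reply; `redirect_for` and `audit` are hypothetical helper names, and only SERVER_PORT and the path are modelled, not mod_rewrite itself.

```python
import re

# Patterns from the thread, per-directory form (no leading slash) -- an assumption.
SECURE_PAGES = re.compile(r"^(account-setting|home|login|signup)\.php$")
SECURE_OR_ASSETS = re.compile(
    r"^((account-setting|home|login|signup)\.php|(css|images|js)(/.*)?)$")
HOST = "www.example.com"  # placeholder host used in the reply


def redirect_for(port, path, keep_on_https=SECURE_OR_ASSETS, https_cond=r"^443$"):
    """Return the redirect URL the two rules would issue, or None to serve as-is.

    port          -- value of SERVER_PORT for the request
    path          -- request path without the leading slash, e.g. "login.php"
    keep_on_https -- pattern that is negated (!) in the downgrade rule
    https_cond    -- regex the downgrade rule's RewriteCond tests against SERVER_PORT
    """
    port = str(port)
    # Rule 1: plain HTTP request for a sensitive page -> upgrade to HTTPS.
    if re.search(r"^80$", port) and SECURE_PAGES.search(path):
        return f"https://{HOST}/{path}"
    # Rule 2: HTTPS request for anything outside the keep list -> back to HTTP.
    if re.search(https_cond, port) and not keep_on_https.search(path):
        return f"http://{HOST}/{path}"
    return None


def audit(requests, **kw):
    """Map each constructed (port, path) request to its redirect decision."""
    return {(port, path): redirect_for(port, path, **kw) for port, path in requests}


# Constructed sample requests (not taken from any real log).
SAMPLE = [(80, "login.php"), (443, "login.php"), (443, "help.php"),
          (443, "css/site.css"), (443, "js/app.js"), (80, "help.php")]

if __name__ == "__main__":
    for label, kw in [("with asset exceptions", {}),
                      ("pages only", {"keep_on_https": SECURE_PAGES}),
                      ("port condition ^433$", {"https_cond": r"^433$"})]:
        print(label)
        for req, target in audit(SAMPLE, **kw).items():
            print(f"  {req[0]:>3} /{req[1]:<14} -> {target or 'served as requested'}")
```

The "pages only" run sends the CSS and JavaScript requested by an HTTPS page back to HTTP, which is the case the asset exceptions are there to prevent. The `^433$` run, using the condition as quoted in the thread, never issues a downgrade because HTTPS requests arrive on port 443.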

