mod_rewrite, https and an MVC framework.

Fix it!!

mod_rewrite, https and an MVC framework.

Postby NU7BBR » Wed Oct 07, 2009 8:35 am

I have been setting up a server and need to have a couple of pages off of a particular controller SSL/HTTPS protected. I have been working on this issue on and off for about a week now and cannot figure it out.

Getting to HTTPS is not the issue but getting back to HTTP after the checkout process.

Code: Select all
RewriteEngine On

RewriteCond %{HTTPS} off
RewriteRule ^purchase/.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !purchase/.*$
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteRule !\.(js|ico|gif|jpg|png|css)$ index.php [L]


What I cannot understand is how to always make sure that index.php is the file that is hit upon the rewrite rule as that is the way the MVC frameworks typically work.

I basically want every page but the pages served by the "purchase" controller to be HTTP and all "purchase" pages to be HTTPS. Any guidance would be greatly appreciated. I have tried 5-10 examples outlined in various posts on this site.
Last edited by NU7BBR on Wed Oct 07, 2009 10:04 am, edited 1 time in total.
NU7BBR
 
Posts: 5
Joined: Wed Oct 07, 2009 8:26 am

Getting redirect loop now.

Postby NU7BBR » Wed Oct 07, 2009 9:05 am

Ok I changed to the following.

Code: Select all
RewriteEngine On

RewriteCond %{HTTPS} on
RewriteRule ^.*$ http://%{SERVER_NAME}%{REQUEST_URI} [R,L]

RewriteCond %{HTTPS} off
RewriteRule ^purchase/.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

RewriteRule !\.(js|ico|gif|jpg|png|css)$ index.php


Now, I am getting a redirect loop.
NU7BBR
 
Posts: 5
Joined: Wed Oct 07, 2009 8:26 am

Postby richardk » Wed Oct 07, 2009 11:31 am

Try
Code: Select all
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{SERVER_PORT} !^80$
RewriteRule !^purchase(/.*)?$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^purchase(/.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteRule !.\.(js|ico|gif|jpg|png|css)$ /index.php [QSA,L]
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby NU7BBR » Wed Oct 07, 2009 11:45 am

richardk wrote:Try
Code: Select all
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{SERVER_PORT} !^80$
RewriteRule !^purchase(/.*)?$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^purchase(/.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteRule !.\.(js|ico|gif|jpg|png|css)$ /index.php [QSA,L]


Thanks richard, but this seems to give me a 500 error. Commenting out the final line seems to rid me of the 500. Further investigation show that the '/' before the index.php seems to be causing the problem,
NU7BBR
 
Posts: 5
Joined: Wed Oct 07, 2009 8:26 am

Postby richardk » Wed Oct 07, 2009 11:54 am

Try adding
Code: Select all
# Don't match internal sub requests.
RewriteCond %{ENV:REDIRECT_STATUS} ^$

before
Code: Select all
RewriteCond %{SERVER_PORT} !^443$

The internal request for /index.php is probably matching that redirect.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby NU7BBR » Wed Oct 07, 2009 12:02 pm

richardk wrote:Try adding
Code: Select all
# Don't match internal sub requests.
RewriteCond %{ENV:REDIRECT_STATUS} ^$

before
Code: Select all
RewriteCond %{SERVER_PORT} !^443$

The internal request for /index.php is probably matching that redirect.


This is what I have now:

Code: Select all
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{SERVER_PORT} !^80$
RewriteRule !^purchase(/.*)?$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Don't match internal sub requests.
RewriteCond %{ENV:REDIRECT_STATUS} ^$

RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^purchase(/.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteRule !.\.(js|ico|gif|jpg|png|css)$ /index.php [QSA,L]


The .htaccess contents above give me a 500. If I remove the '/' before the index.php the 500 goes away. However, when I navigate to one of the 'purchase' pages I get redirected to index.php/home and the url in the address bar get oddly formatted: (http://domain.com/index.php/home) as opposed to (http://domain.com/purchase/).
NU7BBR
 
Posts: 5
Joined: Wed Oct 07, 2009 8:26 am

Postby richardk » Wed Oct 07, 2009 2:12 pm

However, when I navigate to one of the 'purchase' pages

Are you visiting a http or a https URL initially?

Is there a redirect done by PHP? If there is, what URL does it redirect to?
Does the mod_rewrite work with a really simple index.php?
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby NU7BBR » Wed Oct 07, 2009 2:41 pm

richardk wrote:
However, when I navigate to one of the 'purchase' pages

Are you visiting a http or a https URL initially?


Initially the url is http://domain.com/foo/bar within the page a form is populated then submitted (POST). The POST handling script performs some action(s) and if successful redirects via PHP to http://domain.com/purchase/.../... (this is where I would like mod_rewrite to switch over to https://.

richardk wrote:Does the mod_rewrite work with a really simple index.php?


Not exactly sure what you mean here. But currently, by adding/removing portions of the .htaccess I get one of the following: 1.) http to https but unable to get back to http without editing the browser address bar. 2.) http and no https or the opposite 3.) All http until I hit a "purchase" page then it redirects to the "home" controller; if that makes any sense.

I am beginning to think it might just be easier to throw a switch in at the controller level to swap between SSL and non.
NU7BBR
 
Posts: 5
Joined: Wed Oct 07, 2009 8:26 am

Postby richardk » Thu Oct 08, 2009 10:44 am

Initially the url is http://domain.com/foo/bar within the page a form is populated then submitted (POST). The POST handling script performs some action(s) and if successful redirects via PHP to http://domain.com/purchase/.../... (this is where I would like mod_rewrite to switch over to https://.

What is the <form>'s action=""? You can't redirect POST requests.

Not exactly sure what you mean here.

Replace your current index.php with a really simple index.php that would output the $_GET array and test some links. That would show if it was the mod_rewrite, the PHP or a mod_rewrite PHP combination.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am


Return to Security with Mod_Rewrite

Who is online

Users browsing this forum: No registered users and 6 guests

cron