
I'm using the rewrite rules below to redirect 2 php pages to https (to protect user data), but whenever I click on any links on those php pages they redirect with https enabled and the page does not display correctly.

The rules at the bottom were meant to redirect any other pages back to http, but they are not working. Any advice would be much appreciated!

    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} ^/securepage1.php$ [NC]
    RewriteRule ^(.*)$ https://www.example.com$1 [L,R=301]

    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} ^/securepage2.php$ [NC]
    RewriteRule ^(.*)$ https://www.example.com$1 [L,R=301]

    RewriteCond %{HTTPS} on
    RewriteCond %{REQUEST_URI} !^/securepage1.php$ [NC]
    RewriteCond %{REQUEST_URI} !^/securepage2.php$ [NC]
    RewriteRule ^(.*)$ http://www.example.com$1 [L,R=301]

1 Answer


Try enabling logging to get a clear idea of what steps are failing:

    RewriteLog /path/to/log
    RewriteLogLevel 2

You can use values greater than 2 for the log level, but keep in mind that this will affect your server's performance, so be wary of running this on a heavy production instance.

Now, for some security thoughts. If you're worried enough to protect the data on specific pages (but not others), then the best question to ask is: is it worth making only 2 pages on your site trustworthy? If I navigate to http://example.com and get intercepted in a Man in the Middle (MIM) attack, does your user really care if https://example.com/securepage1.php is secure when the MIM attack has me going to http://badpage.com/securepage1.php? In other words, if this is part of an interactive site, protecting the two secure pages does nothing because the user can't actually trust the site from the start.

Andrew M.
  • Well, the main page is just regular content with links that go to the secure pages, which are registration pages where users enter their data. – user1684850 Jan 04 '13 at 22:26
  • Right, so the user logs in, gets a cookie set--and then goes back to a non-secure page, right? That cookie then gets sent over unencrypted channels--which means anybody could take it and become that user. It's a massive security hole. – Andrew M. Jan 06 '13 at 16:48
  • No, there is no log-in required on this site. The SSL is just to protect basic user information on registration pages for particular events. – user1684850 Jan 07 '13 at 17:52
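The configuration below is an added example, not part of the question or the answer. It assumes the rules live in a `.htaccess` file at the document root of `www.example.com`; in that per-directory context mod_rewrite strips the directory prefix before matching, so `$1` in the original rules has no leading slash and the redirect target is malformed. Variant A corrects the asker's two-page rules using `%{REQUEST_URI}`; Variant B is the site-wide redirect that the answer's argument about the unprotected first hop points to.

```apache
# Added example (not from the question or answer). Assumes a .htaccess file at
# the document root of www.example.com.
#
# In .htaccess context the matched path has no leading slash, so the original
# "https://www.example.com$1" becomes https://www.example.comsecurepage1.php.
# %{REQUEST_URI} always carries the full path with its leading slash, in both
# .htaccess and server-config context, so it is used as the redirect target.

RewriteEngine On

# --- Variant A: the asker's intent, corrected ------------------------------
# Force HTTPS for the two registration pages only.
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^/securepage[12]\.php$ [NC]
RewriteRule ^ https://www.example.com%{REQUEST_URI} [L,R=301]

# Send every other page back to plain HTTP (the rule the asker reported as
# not working).
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/securepage[12]\.php$ [NC]
RewriteRule ^ http://www.example.com%{REQUEST_URI} [L,R=301]

# The original query string (e.g. securepage1.php?event=42) is appended to the
# substitution automatically unless the QSD flag is given, so form links keep
# their parameters. While testing, use R=302: browsers cache 301 responses,
# which makes a wrong permanent redirect hard to undo.

# --- Variant B: what the answer's argument points to -----------------------
# The user reaches the registration page through a link on an http:// page.
# If that page is intercepted and its link altered, Variant A protects
# nothing. Serving the whole site over HTTPS removes the unprotected first
# hop. Replace Variant A with this:
#
# RewriteCond %{HTTPS} off
# RewriteRule ^ https://www.example.com%{REQUEST_URI} [L,R=301]
```

With Variant B the "back to http" rule is no longer needed, and the mixed-scheme link problem described in the question disappears because every link resolves over HTTPS.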