-1

I'm trying to check to see if the address accessed is using a secure connection when accessing a certain page, or not. If not, I want to redirect the traffic to the proper https:// address.

I have tried doing this in several ways in the .htaccess file.

I was able to rewrite http://foosite.com/contact.shtml and http://www.foosite.com/contact.shtml addresses as https://www.foosite.com/contact.shtml with:

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} (contact.*)
RewriteRule (.*) https ://www.foosite.com%{REQUEST_URI}

...but this only rewrites the URL, it does not reload the page, therefore there is no encryption and there is a warning/caution sign next to the HTTPS in the address bar (as there should be).

I need to reload that page so that the encryption is enforced.

Based on what I am looking at I was thinking something like:

RedirectCond %{HTTPS} off
RedirectCond %{REQUEST_URI} (contact.*)
Redirect 301 https ://www.foosite.com/contact.shtml

...but this is based purely on conjecture after looking at some posts in here and imagining what might work. Conjecture is not a good thing to count on, anyway. I don't even know if there is a RedirectCond tag.

So, as I am not familiar with .htaccess at all, just looking to secure a single form, what would work to redirect a page to the HTTPS address of it when it isn't loaded securely?

rink.attendant.6
  • 135
  • 8
SiteDesignMaster
  • 1
  • 2

1 Answers1

2

Here's what I used to redirect HTTP to HTTPS using a ".htaccess" file:

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
EmpathicSage
  • 176
  • 4
  • I know this sounds stupid, but I have tried the rewrite technique before and it resulted in the padlock having a caution/warning sign on it because the page wasn't actually reloaded and the SSL Cert was not initiated. I thought it could be done with redirect where I could be sure that the page would reload, securing the transaction. – SiteDesignMaster Sep 24 '13 at 04:35
  • The redirect directive is recommended in favor of mod_rewrite by the apache devs – Daniel Widrick Sep 24 '13 at 06:35
  • @lVlint67 That depends on if you want to hide the redirect from the client or not. I suppose, as usual, these sort of details are implementation specific. – EmpathicSage Sep 24 '13 at 07:46
  • @Zahnon one cannot hide an http -> https redirect from the client. The recommended way to handle these specific redirects is to setup two virtual hosts and set a redirect in one to always reload to the other. It is a slightly different story when it is not straight http -> https – Daniel Widrick Sep 24 '13 at 08:17
  • @lVlint67 I like how you made that up. :-) http://httpd.apache.org/docs/2.2/rewrite/remapping.html "In this example, as contrasted to the internal example above, we can simply use the Redirect directive. mod_rewrite was used in that earlier example in order to hide the redirect from the client:" – EmpathicSage Sep 24 '13 at 15:23
  • @Zahnon We must be mis-understanding each other. The only way I know of to move an http to https without forcing a redirect in the client browser is to proxy from the server(http) to the server(https) but the stream from server to client will still be unencrypted and on the http protocol [NOT encapsulated by SSL/TLS]. mod_rewrite doesn't have the power to communicate back to the client "Hey this is going to be an https connection" without forcing a redirect to https and causing the whole SSL handshake, etc business. -- can happily rewrite to new locations on same protocol but not new protocols – Daniel Widrick Sep 24 '13 at 15:43
  • @lVlint67 Ahh, you're right. I do see your point now about protocol switching. That is valid as long as you are not running SSL on port 80. Of course, I've never heard of that. I wonder what the implications of doing that would be. – EmpathicSage Sep 24 '13 at 18:15
  • @Zahnon running ssl on port 80 would mean manually typing https:// and specifying port :80 for each request. browsers are setup to do plain http over port 80 by default and https over port 443 – Daniel Widrick Sep 24 '13 at 18:51
  • @lVlint67 Ok, I see you would still need the initial redirect to "https://" and ":80" in that case which would defeat the purpose. I am willing to wager most users simply Google the site name or type in the bare minimum into the address bar. What you want ideally is some sort of DNS-based redirect so the browser doesn't have to. Client browser looks up server entry. Server record indicates HTTPS. Browser automatically connects to secure port and begins SSL handshake. Until this is possible, I can live with the one redirect at the start of every secure site. – EmpathicSage Sep 25 '13 at 01:10