How To Force SSL



nventurella
07-08-2008, 06:52 PM
You can force your website to be accessed securely (i.e., require https://) by creating an .htaccess file in the appropriate location (e.g., create this as /var/www/html/.htaccess) including the following mod_rewrite rules:


If you have your own SSL certificate:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]

Important note: yourdomain.com must match the domain name on your SSL certificate exactly. If your SSL certificate was issued to www.yourdomain.com, for example, then you will need to use www.yourdomain.com in the RewriteRule. If you have a wildcard SSL certificate, you may use %{SERVER_NAME} in the RewriteRule in place of the domain name.


If you are using WestHost's Shared SSL:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Host} !^ssl4.westserver.net$
RewriteRule ^(.*)$ https://ssl4.westserver.net/yourdomain.com/$1 [R=301,L]

RMD
11-20-2008, 11:18 PM
You can force your website (or a portion of your website) to be accessed securely (i.e., require https://) by creating an .htaccess file in the appropriate location that includes the following mod_rewrite rules:
<snip>
If you are using WestHost's Shared SSL:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Host} !^ssl4.westserver.net$
RewriteRule ^(.*)$ https://ssl4.westserver.net/yourdomain.com/$1 [R=301,L]
So there is no way to force individual pages, you have to redirect your entire site to SSL?

wildjokerdesign
11-21-2008, 12:00 PM
You could exclude or include individual pages depending on the location you placed the .htaccess page or by using RewriteCond. The RewriteCond above is set so that all requests for the directory this .htaccess is placed in get redirected to SSL.

RMD
11-21-2008, 12:11 PM
Thanks wildjoker! I should have included that I tried individual pages and it didn't work. Was trying to only redirect non-ssl PayPal pages to the ssl pages so no one could accidentally type in the non-ssl page and use it. It's not a big concern, but will try other variations. And try this again to make sure I didn't make any errors. :)

wildjokerdesign
11-22-2008, 07:21 AM
Can you place the pages you want this behavior for in a subdirectory by themselves? If so you could handle it that way and then place the .htaccess file in that directory.

You could also use REQUEST_URI for your condition.

RewriteCond %{REQUEST_URI} (/page1\.html|/page2\.html) [NC]
RewriteCond %{HTTP:X-Forwarded-Host} !^ssl4.westserver.net$
RewriteRule ^(.*)$ https://ssl4.westserver.net/yourdomain.com/$1 [R=301,L]

I think I have the above correct. It checks to see if the REQUEST_URI is page1.html or page2.html; if it is, then it continues on to the second RewriteCond and then to the RewriteRule.

RMD
11-22-2008, 05:55 PM
It works a charm! Thanx mucho, WildJoker! :D

Just had to add /directoryname before the page.html and after the domain in the RewriteRule. Have to redo all the links, but it's worth it.

P.S. - I tried only one page when I wrote the above and when I added the others with the " | " separator, it didn't work. I had to duplicate the 3 lines for each page and enter only one page at a time. Then the charm came back.

taju
01-24-2009, 11:03 PM
The above procedure worked like a charm for me. Now I have one Q.

The .htaccess in one of the password-protected dirs looks like this:


AuthName "Password Protected Area"
AuthType Basic
AuthUserFile /usr/local/webpassword/wp004.dat
Require valid-user
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.mydomain.com/dir1/$1 [R=301,L]


Will the browser accessing this dir (dir1) send the password encrypted or plain (base 64)?

I want the passwords to be encrypted. Do I need to do anything else?


Thanks in advance.

nventurella
01-25-2009, 05:15 AM
taju, if you switch the order of the code in the .htaccess file, then the password will be sent over the encrypted connection. You need to place the three Rewrite lines above everything else in the file. Order matters here.
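
A way to check what taju asks about, as an added example that is not part of the thread: Basic auth credentials are only base64-encoded, so what matters is whether the server's first answer to a plain-HTTP request for dir1 is the redirect to https:// or the 401 password challenge. The function names, the sample responses and the alice:s3cret credential are constructed for illustration.

```python
import base64
import http.client

REDIRECTS = {301, 302, 303, 307, 308}

def fetch_plain(host, path, timeout=5):
    """Request path over plain HTTP, sending no credentials and following no redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def classify(status, headers):
    """Decide what a browser would do with the first plain-HTTP response."""
    location = headers.get("location", "")
    challenge = headers.get("www-authenticate", "")
    if status in REDIRECTS and location.lower().startswith("https://"):
        # The password prompt can only appear once the browser is on the HTTPS URL.
        return "redirect-first"
    if status == 401 and challenge.lower().startswith("basic"):
        # The browser would answer with Authorization: Basic over the unencrypted link.
        return "challenge-over-http"
    return "other"

def decode_basic(authorization):
    """Recover user and password from an Authorization: Basic header value."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

# Constructed sample responses for http://www.mydomain.com/dir1/ (not captured traffic).
GOOD = (301, {"location": "https://www.mydomain.com/dir1/"})
BAD = (401, {"www-authenticate": 'Basic realm="Password Protected Area"'})
# Constructed credential: what a browser would send for user alice, password s3cret.
SAMPLE_AUTH = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")

if __name__ == "__main__":
    print(classify(*GOOD), classify(*BAD), decode_basic(SAMPLE_AUTH))
```

Against a live site, `classify(*fetch_plain("www.mydomain.com", "/dir1/"))` should come back as `redirect-first` before the directory is trusted with real passwords.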