I have the following code on my website in .htaccess to rewrite all requests to https:
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This generally works just fine. Now for the problem. If I submit a junk url, say domain.com/../../../../etc/psswd, modsecurity does its thing and issues a 403 error code. Also in the same .htaccess I have several ErrorDocument directives, including one for 403. The issue though is that, particularly when I use an iPad or iPhone but my laptop will do it too sometimes, the browser will display (for the above junk url), a 403 error and an additional statement that there was a 500 error while trying to use an ErrorDocument.
The apache error_log provides the following error: 'Request exceeded the limit of 10 internal redirects due to probable configuration error.'
If I comment out the above two RewriteRules in .htaccess the problem goes away, but then I am not redirecting to https. The frustrating bit is that this does not seem to happen all the time. I believe this is happening because my two rewrites to https are catching these junk urls in a recursion loop, I am just at a loss as to how to fix it and maintain my rewrites to https.
Have both of your rules like this with an additional condition:
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
And make sure these rules are right on top before all other rules.
The new condition %{ENV:REDIRECT_STATUS} ^$ will skip these 2 rules after the ErrorDocument directive has triggered.
I'm really struggling to get this to work. I've cobbled together bits and pieces from all over the place and finally seem to have the redirect working, however, it seems to ignore the cookie check and just redirects whether the cookie is set or not.
I'm also struggling to find a resource that explains what all the htaccess variables mean. I've found plenty of places where they're listed. I can't even find an explanation for %{REQUEST_URI}, I'm assuming it means the domain.
I am trying to redirect anyone trying to access any files in a specific directory to a login page unless they have a cookie set.
RewriteCond %{REQUEST_URI} /wp-content/uploads/my/directory/.*
RewriteCond %{HTTP_COOKIE} !my-cookie-name=1
RewriteRule . https://%{HTTP_HOST}/client-login/ [L]
You can try this rule in /wp-content/uploads/my/directory/.htaccess:
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !my-cookie-name=1 [NC]
RewriteRule ^ /client-login/ [L,R]
For this rule to be used in root .htaccess:
Make sure to place it at top of your .htaccess.
RewriteEngine On
RewriteCond %{THE_REQUEST} /wp-content/uploads/my/directory/ [NC]
RewriteCond %{HTTP_COOKIE} !my-cookie-name=1 [NC]
RewriteRule ^ /client-login/ [L,R]
# rest of your rules go below this
I have this code:
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !\.(jpe?g|gif|bmp|png|ico|js|css)$ [NC]
RewriteRule !^billing(/.*)?$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NC,NE]
This currently redirects anything outside of the billing/ area to the http equivalent if they attempt to access it with https.
However I was wondering how I could go about adding additional pages to the "whitelist" of pages to be allowed to be loaded via https?
The two in question would be:
http://www.mysite.com.au/remote/get_breaks.php
http://www.mysite.com.au/thumbnail.php
However they both may have query parameters on the end.
Could someone explain how to add both the above as allowed to be accessed from https so I will know for next time I want to add something?
You don't need to worry about the query string, those get matched outside of the request URI. You can add additional conditions:
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !\.(jpe?g|gif|bmp|png|ico|js|css)$ [NC]
RewriteCond %{REQUEST_URI} !^/billing
RewriteCond %{REQUEST_URI} !^/remote/get_breaks\.php
RewriteCond %{REQUEST_URI} !^/thumbnail\.php
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NC,NE]
makes it a little easier to read.
My goal is to force HTTPS on the admin directory of my site. However, using the usual way gives an unusual result. Here is the content of .htaccess:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} admin
RewriteRule ^(.*)$ https://www.domain.com/admin/$1 [R,L]
However, when I try to open http://www.domain.com/admin/home.php, instead of redirecting to https://www.domain.com/admin/home.php it sends me to https://www.domain.com/admin/admin/home.php.
So it sort of creates the admin/ part of the URL twice.
I tried changing the last line of .htaccess to RewriteRule ^(.*)$ https://www.domain.com/$1 [R,L] (which doesn't make sense to me, but tried it still) and it redirected to the same wrong URL, which confused me further.
I'm not sure if it should matter, but I've also tried replacing [R,L] with [L,R=301] as suggested elsewhere on SO, to no avail.
Why is this happening and what's the solution?
It is due to /admin/ in your target URL. Change your rule to this:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^admin(/.*)?$ https://www.domain.com%{REQUEST_URI} [R,L,NC]
Today I wrote the following rewrite rules:
RewriteCond %{HTTP_HOST} ^visionale\.book [NC]
RewriteRule ^\/([^/]+)\/$ $1.php [L]
RewriteCond %{HTTP_HOST} ^(www\.)?visionale\.se [NC]
RewriteRule ^(.*)/$ $1.php
The first is for my laptop where I run Apache, the second rule for the web hotel.
Applying the first rewrite on the web hotel results in a 404 Not Found
Applying the second rule on my laptop mysteriously results in "pagename.php.php.php" not found.
Now the solution I provided works at both locations but I am baffled about what really is happening. My local machine runs Apache 2.4.6. The web hotel runs Litespeed. So this is an incompatibility of course, but exactly how?
My guess is that Litespeed misses the first rule because of missing functionality, but why does Apache not get the easier one, that I've used many times in the past?
Edit: Clarifying the questions.
This rule:
RewriteRule ^\/([^/]+)\/$ $1.php [L]
Is not picked on my web hotel running Litespeed. My guess is that this is because Litespeed has a flawed rewrite implementation. I'd like to get that hunch confirmed or another explanation provided.
This rule:
RewriteRule ^(.*)/$ $1.php
Does not work on my dev-machine any more but it has worked in the past. It seems simple enough. Anything ending with a trailing slash should instead get a ".php" extension. However, on my dev machine it adds three ".php" instead of one. The rule works as intended in the web hotel and it has worked for me locally in the past. This is puzzling and I would like an explanation.
Both rules are incorrect. Let me provide you correct code first:
Options +FollowSymLinks -MultiViews
# Turn mod_rewrite on
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^visionale\.book$ [NC]
# If the request is not for a valid file
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^/]+)/?$ $1.php [L]
RewriteCond %{HTTP_HOST} ^(www\.)?visionale\.se$ [NC]
# If the request is not for a valid file
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.+?)/?$ $1.php [L]
Now the problems in your code:
RewriteRule in .htaccess doesn't start matching with a leading slash, which is stripped by mod_rewrite.
You need to avoid rematching these rules using RewriteCond %{REQUEST_FILENAME} !-f otherwise mod_rewrite will keep adding .php in the URI.
First I have to say I found many answers for the reverse situation but not for this.
Apache to force certain URL for HTTP and all others go via https.
Would like to get expert knowledge on following. Thanks for all of your time and appreciate that.
We have Apache fronting Tomcat in our production environment and we would like to enable https for all incoming requests except for a few pages, and would like help writing a solid Apache rewrite rule to do this.
That is
All incoming connection go via https except for some pages (/abc, /def, /ghi) to force http.
Any help? I came up with this with the help of Google but it's not working for http. All traffic goes to https.
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/(/abc|/def|/ghi)
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} ^/(/abc|/def|/ghi)
RewriteRule ^(.*)$ http://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
You have too many slashes in your condition to check against the %{REQUEST_URI}. Remove the ones inside the parentheses:
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/(abc|def|ghi)
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} ^/(abc|def|ghi)
RewriteRule ^(.*)$ http://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
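The effect of the extra slashes can be checked offline. The following is an added example, not code from the question or the answer: it models the two RewriteCond/RewriteRule groups in Python and follows the resulting 301s until a request settles. The sample URIs and the stricter `(/|$)` pattern are assumptions introduced here; the stricter pattern shows that the corrected prefix match also exempts paths such as /abcdef/... from HTTPS.

```python
import re

def make_rules(exempt):
    """Model the two rule groups: (required %{HTTPS}, pattern, negated?, target)."""
    pattern = re.compile(exempt)
    return [
        ("off", pattern, True, "https"),   # RewriteCond %{REQUEST_URI} !<exempt>
        ("on", pattern, False, "http"),    # RewriteCond %{REQUEST_URI} <exempt>
    ]

def settle(rules, scheme, uri, limit=10):
    """Follow the R=301 redirects the rules emit and return the final scheme."""
    for _ in range(limit):
        https = "on" if scheme == "https" else "off"
        for want, pattern, negate, target in rules:
            matched = pattern.search(uri) is not None
            if https == want and matched != negate:
                scheme = target            # client re-requests on the new scheme
                break
        else:
            return scheme                  # no rule fired: the request is served
    raise RuntimeError(f"redirect loop for {uri}")

QUESTION = make_rules(r"^/(/abc|/def|/ghi)")    # pattern as posted in the question
ANSWER = make_rules(r"^/(abc|def|ghi)")         # pattern as corrected in the answer
BOUNDED = make_rules(r"^/(abc|def|ghi)(/|$)")   # assumption: segment-bounded variant

# Constructed sample request paths (REQUEST_URI carries no query string).
SAMPLE_URIS = ["/abc", "/def/page", "/login", "/abcdef/secret"]

def report(rules, uris=SAMPLE_URIS):
    """Map each URI to (final scheme when requested via http, via https)."""
    return {u: (settle(rules, "http", u), settle(rules, "https", u)) for u in uris}

if __name__ == "__main__":
    for name, rules in (("question", QUESTION), ("answer", ANSWER),
                        ("bounded", BOUNDED)):
        print(name)
        for uri, (via_http, via_https) in report(rules).items():
            print(f"  {uri:16} http -> {via_http:5}  https -> {via_https}")
```
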