.htaccess for SSL? - regex

I have:
RewriteCond %{HTTP_HOST} ^MYDOMAIN\.com$ [NC]
RewriteRule ^(.*)$ http://www.MYDOMAIN.com/$1 [L,R=301]
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} ^/(user|admin|cart)
RewriteRule ^(.*)$ https://www.MYDOMAIN.com/$1 [R=301,L]
This effectively routes all /user and /admin and /cart paths to use SSL. My problem is the inverse. I need a rule that states that if you are NOT on those pages, that it redirects you to HTTP (no SSL).
How do I do that?


First thing clear your browser cache completely and restart your browser. Then replace your .htaccess with this:
Options +FollowSymLinks -MultiViews
# Turn mod_rewrite on
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^MYDOMAIN\.com$ [NC]
RewriteRule ^ http://www.MYDOMAIN.com%{REQUEST_URI} [L,R]
RewriteCond %{HTTPS} !=on
RewriteRule ^(user|admin|cart)(/.*|)$ https://www.MYDOMAIN.com%{REQUEST_URI} [R,L,NC]
RewriteCond %{HTTPS} =on
RewriteRule (?!^(user|admin|cart)(/.*|)$)^.*$ http://www.MYDOMAIN.com%{REQUEST_URI} [R,L,NC]


Just invert the condition!
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !^/(user|admin|cart)
RewriteRule ^(.*)$ http://www.MYDOMAIN.com/$1 [R=301,L]


Does this work? I realize it might not, since the SETENV does not always get processed before the ReWriteRule, but hypothetically, this should handle all of your scenarios:
# Set Correct protocol var based on request:
## Default to http
SetEnv correct_protocol http
## Overwrite to https if secure area
RewriteCond %{REQUEST_URI} ^/(user|admin|cart) [env=correct_protocol:https]
# Set Current (Actual) Protocol Env Variable:
## Again, default to http
SetEnv current_protocol http
## Overwrite with https if %{HTTPS} = on
RewriteCond %{HTTPS} = on [env=current_protocol:https]
# If current <> correct
RewriteCond %{ENV:current_protocol} != %{ENV:correct_protocol}
# rewrite URL using correct:
RewriteRule .* %{ENV:correct_protocol}://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

Related

How to redirect non www to www for angular (example.com to www.example.com) [duplicate]

I have the following htaccess code:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond !{HTTPS} off
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
I want my site to be redirected to https://www. with HTTPS, and enforcing the www. subdomain,
but when I access http://www. (without HTTPS), it does not redirect me to https://www with HTTPS.

To first force HTTPS, you must check the correct environment variable %{HTTPS} off, but your rule above then prepends the www. Since you have a second rule to enforce www., don't use it in the first rule.
RewriteEngine On
RewriteCond %{HTTPS} off
# First rewrite to HTTPS:
# Don't put www. here. If it is already there it will be included, if not
# the subsequent rule will catch it.
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Now, rewrite any request to the wrong domain to use www.
# [NC] is a case-insensitive match
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
About proxying
When behind some forms of proxying, whereby the client is connecting via HTTPS to a proxy, load balancer, Passenger application, etc., the %{HTTPS} variable may never be on and cause a rewrite loop. This is because your application is actually receiving plain HTTP traffic even though the client and the proxy/load balancer are using HTTPS. In these cases, check the X-Forwarded-Proto header instead of the %{HTTPS} variable. This answer shows the appropriate process

Michals answer worked for me, albeit with one small modification:
Problem:
when you have a single site security certificate, a browser that tries to access your page without https:// www. (or whichever domain your certificate covers) will display an ugly red warning screen before it even gets to receive the redirect to the safe and correct https page.
Solution
First use the redirect to the www (or whichever domain is covered by your certificate) and only then do the https redirect. This will ensure that your users are not confronted with any error because your browser sees a certificate that doesn't cover the current url.
#First rewrite any request to the wrong domain to use the correct one (here www.)
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#Now, rewrite to HTTPS:
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If you are using CloudFlare or a similar CDN you will get an infinite loop error with the %{HTTPS} solutions provided here. If you're a CloudFlare user you'll need to use this:
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

BAD SOLUTION AND WHY!
Don't ever use the solution below because when you are using their code that is something like:
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://www.example.com%{REQUEST_URI} [L,R=301]
The browser goes to:
http://example.com
Then redirects to:
https://example.com
Then redirects to:
https://www.example.com
This is too much request to the server.
Most of the answers even accepted one has this problem.
BEST SOLUTION AND THE ANSWER
This code has an [OR] condition to prevent dual changes at url!
RewriteEngine on
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule (.*) https://www.example.com%{REQUEST_URI} [R=301,L]

This is the best way I found for Proxy and not proxy users
RewriteEngine On
### START WWW & HTTPS
# ensure www.
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# ensure https
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
### END WWW & HTTPS

There are a lot of solutions out there. Here is a link to the apache wiki which deals with this issue directly.
http://wiki.apache.org/httpd/RewriteHTTPToHTTPS
RewriteEngine On
# This will enable the Rewrite capabilities
RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e. http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context

To redirect http:// or https:// to https://www you can use the following rule on all versions of apache :
RewriteEngine on
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^ https://www.example.com%{REQUEST_URI} [NE,L,R]
Apache 2.4
RewriteEngine on
RewriteCond %{REQUEST_SCHEME} http [OR]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^ https://www.example.com%{REQUEST_URI} [NE,L,R]
Note that The %{REQUEST_SCHEME} variable is available for use since apache 2.4 .

If you are on CloudFlare, make sure you use something like this.
# BEGIN SSL Redirect
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# END SSL Redirect
This will save you from the redirect loop and will redirect your site to SSL safely.
P.S. It is a good idea to if check the mod_rewrite.c!

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R]

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
Notes: Make sure you have done the following steps
sudo a2enmod rewrite
sudo service apache2 restart
Add Following in your vhost file, located at /etc/apache2/sites-available/000-default.conf
<Directory /var/www/html>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
Require all granted
</Directory>
Now your .htaccess will
work and your site will redirect to http:// to https://www

Similar to Amir Forsati's solution htaccess redirect to https://www but for variable domain name, I suggest:
RewriteEngine on
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} ^(www\.)?(.+)$ [NC]
RewriteRule ^ https://www.%2%{REQUEST_URI} [R=301,L]

Set in your .htaccess file
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I used the below code from this website, it works great https://www.freecodecamp.org/news/how-to-redirect-http-to-https-using-htaccess/
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]
Hope it helps

I try first answer and it doesnt work...
This work:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{ENV:HTTPS} !=on
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Using HTTP_HOST in .htaccess file

I'm currently using this to force https and www via htaccess:
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.example.com%{REQUEST_URI} [L,R=302]
Now I want to change the R=302 in R=301, and ditch the domain name itself. The reason why I don't want example.com to be in there is because it might be that for some countries the domain name will be different in the future.
So I was thinking
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
... but that would redirect www.example.com to www.www.example.com right?
How to do this properly in this specific case? I still want to force www and https in one single redirect.

I still want to force www and https in one single redirect.
You need to use this redirect rule like this to avoid hardcoding:
# add www and turn on https in same rule
RewriteCond %{HTTP_HOST} !^www\. [NC,OR]
RewriteCond %{HTTPS} !on
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://www.%1%{REQUEST_URI} [R=301,L,NE]

force single site to use https, all other http (wordpress)

I found several related questions, but non of theme seem to work, so I have to ask again:
I'm using a wordpress site and I want a single site to use https (/kontakt/). All other sites have to use the http (due to duplicate content and such).
I tried a plugin called Wordpress HTTPS which should do exactly that, but the plugin is outdated (3 years not updated) and also doesn't work as expected.
For this case, I thought about using the .htaccess. These is my htaccess-file:
My URL looks exactly like this: http://www.example.com/kontakt/
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTPS} off
RewriteRule ^kontakt/$ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L,NE,NC]
# change kontaktform
RewriteCond %{HTTPS} off
RewriteRule ^/kontakt https://www.example.com/kontakt/ [R=301,L,QSA]
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/kontakt/
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L,QSA]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
This attempt was taken from here:
force one page to use HTTPS and the others to use HTTP with .htaccess
but that didn't do the trick. My problem now is:
a) the site is not redirected to https (I can confirm the htaccess is working, since i can produce 500's on demand)
b) once it is on https://, all other sides stay on that protocol (already in the link-preview)
What I actually want:
IF the site = /kontakt/ --> use https
ELSE use HTTP

Try these rules:
RewriteEngine On
RewriteBase /
# add www if missing in domain name
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=302,NE,L]
# if http and /kontakt/ then make it https
RewriteCond %{HTTPS} off
RewriteCond %{THE_REQUEST} /kontakt/ [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L,NE,NC]
# if https and NOT /kontakt/ then make it http
RewriteCond %{HTTPS} on
RewriteCond %{THE_REQUEST} !/kontakt/ [NC]
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L,NE,NC]
# default WP rules
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
I used %{THE_REQUEST} variable for this. THE_REQUEST variable represents original request received by Apache from your browser and it doesn't get overwritten after execution of some rewrite rules unlike %{REQUEST_URI} variable.
Clear your browser cache before testing it and also test in Chrome dev tool with caching disabled.

Apache Redirect setting https to http and matching & not matching

I am confusing about redirect setting by apache. It looks simple but I can’t figure out…
Under http access
if carts/ and events/* need to redirect to https
I am adding this setting in sites-enabled/default-http.conf
<ifModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/carts/ [OR]
RewriteCond %{REQUEST_URI} ^/events/*
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</ifModule>
Under https access
if not carts/ and events/* need to redirect to http
I am adding this setting in sites-enabled/default-https.conf
<ifModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !(^/carts/) [OR]
RewriteCond %{REQUEST_URI} !(^/events/*)
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</ifModule>
The problem is this
http is working well however https does not work.
https://test.com/test should redirect to http://test.com/test

First of all to avoid restart of Apache enable .htaccess (if not enabled already) then use these rules in site root .htaccess:
RewriteEngine On
RewriteCond %{THE_REQUEST} /(carts|events)/ [NC]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,NE,R=302]
RewriteCond %{THE_REQUEST} !/(carts|events)/ [NC]
RewriteCond %{HTTPS} on
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [L,NE,R=302]
Test this in a new browser to avoid old browser cache. And preferable test in chrome dev tool to see what redirects you're getting.

htaccess redirect to HTTPS except a few urls

I am new to the htaccess redirect stuff but want to do smth special - and I dont know whats the recommend way and dont know if this is still possible or not.
I have this in my .htaccess file:
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Now every URL is redirected to the HTTPS version - this is fine and necessery. But now there are a few exceptions.
For example these urls HAS to be HTTP instead of HTTPS:
http://www.mywebsite.com/another/url/which/has/to/be/http
http://www.mywebsite.com/and_again?var=a
Is it possible to solve this with the htaccess and when its possible maybe you can send me a reference link or describe how to do this.
Edit
I now have this code:
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTPS} off
RewriteCond %{THE_REQUEST} !\s/+(/commerce_paypal/*)\s [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
The goal is that every (!) url gets redirected to HTTPS except ANY url which has commerce_paypal at the beginning.
For example:
mydomain.com/commerce_paypal <- http
mydomain.com/commerce_paypal/smth/else <- http
mydomain.com/what/ever <- https

You can have a RewriteCond to add exceptions in the http->http rule:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# force https:// for all except some selected URLs
RewriteCond %{HTTPS} off
RewriteCond %{THE_REQUEST} !/commerce_paypal/ [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# force http:// for selected URLs
RewriteCond %{HTTPS} on
RewriteCond %{THE_REQUEST} /commerce_paypal/ [NC]
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Reference: Apache mod_rewrite Introduction
Apache mod_rewrite Technical Details

RewriteCond %{THE_REQUEST} !/commerce_paypal/ [NC]
worked for me. I tried many similar condition rewrites without luck.