I've got a site with SSL on a shared host. My SSL cert only covers domain.com and www.domain.com (not any other subdomains).
I'd like all visitors to the site to be forced into SSL. However, I've got two subdomains (support and office) that aren't covered by the SSL cert, so I want to force them to non-SSL.
This is the .htaccess file I've written:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^example.com$
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301]
RewriteCond %{SERVER_PORT} 80
RewriteCond %{HTTP_HOST} ^www.example.com$
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
RewriteCond %{SERVER_PORT} 443
RewriteCond %{HTTP_HOST} ^office.example.com$
RewriteRule ^(.*)$ http://office.example.com/$1 [R,L]
RewriteCond %{SERVER_PORT} 443
RewriteCond %{HTTP_HOST} ^support.example.com$
RewriteRule ^(.*)$ http://support.example.com/$1 [R,L]
section 1 redirects http://example.com to [example.com...]
section 2 redirects http://www.example.com to [example.com...]
section 3 redirects https://office.example.com to http://office.example.com
section 4 redirects https://support.example.com to http://support.example.com
I have a hunch that there's a better way to do this.
Here's my question: am I doing this correctly? Is this the best way to do what I'm trying to do?
[edited by: jdMorgan at 5:24 pm (utc) on May 12, 2009]
[edit reason] example.com [/edit]
RewriteEngine on
#
RewriteCond %{HTTP_HOST} ^example\.com [OR]
RewriteCond %{SERVER_PORT}>%{HTTP_HOST} ^80>www\.example\.com
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
#
RewriteCond %{SERVER_PORT} =443
RewriteCond %{HTTP_HOST} ^(office|support)\.example\.com
RewriteRule ^(.*)$ http://%1.example.com/$1 [R=302,L]
The character ">" in the second RewriteCond is arbitrary. While it intentionally implies concatenation, it has no function other than to serve as an unambiguous and literal delimiter between the two values matched by the pattern.
The end-anchors on the (sub)domain patterns have been intentionally omitted. This is to prevent your rules being bypassed if an FQDN is requested and/or a port number is appended. For example, consider the following perfectly-valid, but non-canonical values for the HTTP_HOST header:
example.com.
www.example.com:8080
office.example.com.:4430
Each could break one of your original first three rules in one or more ways -- in some cases matching when they should not, and in other cases, not matching when they should.
You've left open the question about what to do with subdomains other than www, office, or support. I'd suggest adding a third rule or incorporating logic into the existing rules to redirect them to the desired domain using the correct protocol. While you may not be currently using additional domains, consider the opportunity here to recover traffic which comes to undefined subdomains because of type-in URL errors or mis-typed links on other sites.
You might also consider whether you truly need all pages on example.com and www.example.com to be served using HTTPS. Because SSL requires additional computing resources on both the client- and server-side, it is more usual to do HTTP/HTTPS selection based on particular page or resource URL-paths, rather than making an entire (sub)domain secure. However, only those familiar with the site can make that decision.
Jim
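The effect of the end-anchors on the three non-canonical Host values listed in the reply, as an added example that is not part of the original posts: a simplified first-match model of both rule sets in Python, not Apache itself. The function names, the sample requests and the assumption that the listening port is 80 or 443 regardless of the port named in the Host header are constructed for illustration.

```python
import re

def original_rules(port, host, path):
    """First-match model of the question's four rules (patterns verbatim)."""
    rules = [
        (None, r"^example.com$", "https://www.example.com/"),
        ("80", r"^www.example.com$", "https://www.example.com/"),
        ("443", r"^office.example.com$", "http://office.example.com/"),
        ("443", r"^support.example.com$", "http://support.example.com/"),
    ]
    for port_pat, host_pat, target in rules:
        # RewriteCond patterns are regex searches, anchored only where written.
        if port_pat and not re.search(port_pat, port):
            continue
        if re.search(host_pat, host):
            return target + path
    return None  # no redirect: the request is served as it arrived

def revised_rules(port, host, path):
    """Model of the two rules in the reply."""
    # Rule 1: bare domain on any port, [OR] port 80 joined to the host by ">".
    joined = port + ">" + host
    if re.search(r"^example\.com", host) or re.search(r"^80>www\.example\.com", joined):
        return "https://www.example.com/" + path
    # Rule 2: "=443" is an exact string comparison; %1 is the captured subdomain.
    m = re.search(r"^(office|support)\.example\.com", host)
    if port == "443" and m:
        return "http://%s.example.com/%s" % (m.group(1), path)
    return None

# Constructed requests: (listening port, Host header). The first three are
# canonical; the last three use the non-canonical Host values from the reply.
# Assumption: the listening port is 80 or 443 whatever the Host header claims.
SAMPLES = [
    ("80", "example.com"),
    ("80", "www.example.com"),
    ("443", "office.example.com"),
    ("80", "example.com."),
    ("80", "www.example.com:8080"),
    ("443", "office.example.com.:4430"),
]

def compare(path="index.html"):
    return [(p, h, original_rules(p, h, path), revised_rules(p, h, path))
            for p, h in SAMPLES]

if __name__ == "__main__":
    for port, host, old, new in compare():
        print("%-4s %-26s old=%-38s new=%s" % (port, host, old, new))
```

Both rule sets agree on the canonical hosts; for the three non-canonical values the end-anchored patterns produce no redirect at all, while the unanchored ones still send the request to the intended protocol and hostname.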