This is a common question here in the forum.

Check recent posts for examples of useful code.

You need something that redirects any https request to http with www.

Be aware that any redirect must get from requested URL to final correct canonical URL in just one hop. You must avoid a redirection chain.

I tried this:
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

That redirects [example.com...] to http://www.example.com
BUT it also redirects all of my intended secure pages to
non-secure versions. Thanks for the help!

[edited by: jdMorgan at 3:15 am (utc) on Aug. 23, 2009]
[edit reason] example.com [/edit]

You are going to have to explicitly define "my intended secure pages" and then do the following:

1) If the request is HTTP, redirect "intended secure pages" to HTTPS
2) If the request is HTTPS, redirect "intended non-secure pages" to HTTP
3) By modifying your existing rule, redirect http://example.com/<anything> to http://www.example.com/<anything>, and redirect [example.com...] to [example.com...]

And note that I said "pages" in step 1 & 2 above, as you likely don't want to impede "sharing" of included images, CSS, and external JavaScript files between HTTP and HTTPS.

As to how you "define" secure and non-secure pages, you'll need to look for commonalities. For example, specific secure and/or non-secure subdirectories, common filename 'path-parts', or an explicit (and complete) list either of all secure or of all non-secure pages will be needed.

Defining secure and non-secure page URLs correctly and completely is the hard part. After that, the code's usually easy.

Jim

For example, if all of your secure 'pages' and resources are located in a single directory-path starting with "/secure-directory/," then steps 1, 2, and 3 above could be coded as:

Options All -Indexes -MultiViews
RewriteEngine on
#
# Externally redirect all HTTPS requests for non-secure resources to HTTP
RewriteCond %{SERVER_PORT} =443
RewriteCond $1 !^secure-directory/
RewriteRule ^([^/]+/.*)$ http://www.example.com/$1 [R=301,L]
#
# Externally redirect all HTTP requests for secure resources to HTTPS
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^(secure-directory/.*)$ https://www.example.com/$1 [R=301,L]
#
# Externally redirect all requests for non-blank non-canonical hostnames to
# the canonical domain, preserving the original request's HTTP/HTTPS protocol
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteCond %{SERVER_PORT}>s ^(443>(s)¦[0-9]+>s)$
RewriteRule ^(.*)$ http%2://www.example.com/$1 [R=301,L]

Important: Replace the broken pipe "¦" character in the second RewriteCond of the last rule with a solid pipe character before use; Posting on this forum modifies the pipe characters.

These three rules should go in the order shown, at or near the beginning of your mod_rewrite code, following "RewriteEngine on". The only mod_rewrite code that should precede these rules would be code dealing with access control -- i.e. code that returns 403-Forbidden responses to unwelcome requests. To clarify that reasoning, there's no use in wasting server resources redirecting unwelcome requests, so you would simply 403 them and be done with it.

I modified the Options directive, since "All" encompasses "FollowSymLinks." You should carefully review the definition of "All" in the Apache core Options directive documentation [httpd.apache.org], since there are some potential risks associated with setting "All" if you don't really need to enable all options. Look for example, at ExecCGI.

I also recommend that you disable MultiViews unless your site actually requires content-negotiation to function, as mod_negotiation is a server-resource-intensive module and can interact/interfere with mod_rewrite operation, causing unexpected results and failures to rewrite.

Jim

Now check all combinations of http and https both with and without www and make sure the redirect gets you to the final destination in just one hop.

I tried this but it did not work. [mysite.com...] still does not redirect. Am I doing something wrong?

RewriteEngine on
RewriteCond %{SERVER_PORT} =443
RewriteCond $1 !^secure/
RewriteRule ^([^/]+/.*)$
http://www.example.com/$1 [R=301,L]

RewriteCond %{SERVER_PORT} !=443
RewriteRule ^(secure/.*)$
[example.com...] [R=301,L]

RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteCond %{SERVER_PORT}>s ^(443>(s)¦[0-9]+>s)$
RewriteRule ^(.*)$ http%2://www.example.com/$1 [R=301,L]

Thanks again...

[edited by: jdMorgan at 3:26 pm (utc) on Aug. 25, 2009]
[edit reason] example.com [/edit]

When you request SSL content, does the "/secure-directory" path-part appear in the URL in your browser's address bar?

If not, then it's likely that your SSL requests are mapped to the /secure directory by the server configuration, and not by any rewriting.

In this case, mod_rewrite won't be able to 'see' the "/secure-directory" path-part, and you will need to break up the rules above, and put some in the example.com/.htaccess file and some in the example.com/secure/.htaccess file. This is nasty, because in this case, the secure subdirectory also won't be able to 'see' the files in the 'top-level' directory, which makes things more complicated.

In example.com/.htaccess :

Options All -Indexes -MultiViews
RewriteEngine on
#
# Externally redirect all HTTP requests for secure resources to HTTPS:
# If the requested URL-path does not resolve to an existing file or directory in the HTTP filespace
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
# but does resolve to an existing file or directory in the HTTPS filespace
RewriteCond %{DOCUMENT_ROOT}%/secure-directory/$1 -d [OR]
RewriteCond %{DOCUMENT_ROOT}%/secure-directory/$1 -f
# Externally redirect to HTTPS
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
#
# Externally redirect all requests for non-blank non-canonical hostnames to
# the canonical domain
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

In example.com/secure-directory/.htaccess :

Options All -Indexes -MultiViews
RewriteEngine on
#
# Externally redirect all HTTPS requests for non-secure resources to HTTP:
# If the requested URL-path does not resolve to an existing file or directory in the HTTPS filespace
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
# Externally redirect to HTTP
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
#
# Externally redirect all requests for non-blank non-canonical hostnames to
# the canonical domain
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

I don't like using file-exists and directory-exists checks, because they are very resource-intensive (using more CPU and having to go check the disk slows things down). They can also be quite difficult to debug, requiring access to the server error log file to resolve in many cases.

An alternative if you have only a very few files in your /secure-directory is to list them out individually in one or more RewriteConds and make the HTTP/HTTPS decision based on those filenames instead of "exists checks." However, this requires that all HTTPS files have unique names -- names that won't be duplicated in the files intended for use via HTTP.

Jim

I tried the above and it is not working...

[example.com...] still does not redirect

and my [example.com...] goes to
a 404 page: [example.com...] --- no securedirectory/ included in the url

I don't know the significance of "https://example.com/securedirectory/example.htm"
Does that page exist, or not?

Also, what does this mean?
[example.com...] still does not redirect
(As-shown, that domain is canonical, so as far as I know that URL should not redirect wehn requested)

Please be very specific in what URL you requested, what the expected result was, what the actual result was, and how the actual results differed from your expectations.

Also, for the sake of getting your originally-reported problem fixed fast, we probably should concentrate of the code in example.com/securedirectory/.htaccess and remove or comment out the code in example.com/.htaccess until the former is working as expected. (Divide and conquer, and get MSN fixed soonest)

Jim

Yes, I need to get my initial issue resolved. I am not really all the concerned about adding an .htaccess to the secure folder.

'https://www.example.com still does not redirect'

[example.com...] should redirect to http://www.example.com. That is the issue I am having with MSN. There was one site that was linking to https. I assume that that is where the issue is from b/c the https version of my homepage ranks in the top 10 for the term they link to me from. The terms we were ranking with the http version before this issue have disappeared. The https version is ranking in the 200-300s.

I appreciate your help Jim.

After some off-line consulting, the simplified and more-efficient solution turned out to be like this, with all code in the root .htaccess file:

# Externally redirect all HTTP or HTTPS direct client requests
# for index.htm or index.html pages to HTTP home page "/"
RewriteCond %{THE_REQUEST} ^[A-Z]+\ /index\.html?(\?[^\ ]*)?\ HTTP/
RewriteRule ^index\.html?$ http://www.example.com/ [R=301,L] 
#
# Externally redirect all HTTPS requests for non-secure resources to HTTP
# except for js, css, and image files shared between SSL and non-SSL
RewriteCond %{SERVER_PORT} =443
RewriteCond $1 !^secure-directory/
RewriteCond $1 !\.(js¦css¦gif¦jpe?g)$
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
#
# Externally redirect all HTTP requests for secure resources (files in
# the /secure-directory subdirectory) to HTTPS, except for the index 
# page at /secure-directory/
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^(secure-directory/.+)$ https://www.example.com/$1 [R=301,L]
#
# Externally redirect all requests for non-blank, non-canonical hostnames to
# the canonical domain, preserving the original request's HTTP/HTTPS protocol
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteCond %{SERVER_PORT}>s ^(443>(s)¦[0-9]+>s)$
RewriteRule ^(.*)$ http%2://www.example.com/$1 [R=301,L]

Replace all broken pipe "¦" characters with solid pipes before use; Posting on this forum modifies the pipe characters.

Jim