direct https to http

         

braedsjaa

11:29 am on Apr 21, 2010 (gmt 0)

10+ Year Member



I need to ensure that some pages are delivered over https but most are not. I tried the following code in .htaccess; the first part of this works, the second part doesn't.


# if https is OFF and request is for page which should be secure,
# redirect to https
RewriteCond %{HTTPS} off
RewriteCond %{THE_REQUEST} ^[A-Z]+\ /(contact|order)\.php
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

# if https is ON and request is NOT for page which should be secure,
# redirect to http
RewriteCond %{HTTPS} on
RewriteCond %{THE_REQUEST} !^[A-Z]+\ /(contact|order)\.php
RewriteRule ^(.*)$ http://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]


The result: click on contact.php and the page is delivered over https as expected; on this page if you click on index.php it should be delivered over normal http but actually stays on https :-(

Sorry this is an old question - I've found answers all over the place, the best on this forum, but still not got there...

[edited by: jdMorgan at 3:14 pm (utc) on Apr 21, 2010]
[edit reason] De-linked URLs in code. [/edit]

jdMorgan

3:32 pm on Apr 21, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The first thing I'd suggest is to delete your browser cache before testing any new code.

You also need to be sure that this .htaccess file is invoked for HTTPS requests. On many servers, SSL and non-SSL requests resolve to different virtual hosts and/or different areas in the filesystem.

Your code is a bit more complex than it needs to be, but that has nothing to do with the problem you're seeing. For reference, though, you don't need to examine THE_REQUEST in either rule:

# if https is OFF and request is for page which should be secure,
# redirect to https
RewriteCond %{HTTPS} =off [NC]
RewriteRule ^(contact|order)\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#
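# if https is ON and request is for a page, but NOT for page which
# should be secure, redirect to http
# ($1 in the RewriteCond is the first group captured by the RewriteRule
# pattern, so the outer parentheses capture the whole requested path)
RewriteCond %{HTTPS} !^(off)?$ [NC]
RewriteCond $1 !^(contact|order)\.php$
RewriteRule ^(.*\.(php[0-9]*|html?))$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]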

On some servers, you may need to test %{SERVER_PORT} for "=443" and "!=443" instead of checking the %{HTTPS} variable. This latter variable is not a 'core' server variable, and so may not be set in all contexts. I have allowed for "%{HTTPS}" to be blank without causing an 'infinite' redirection loop in the code above. This provision would not be required if %{SERVER_PORT} were tested instead.

Note that it's important not to force non-page requests from HTTPS to HTTP. If you do this, then requests for images, css files, and scripts, etc. that are included on HTTPS pages will be forced to HTTP, resulting in "mixed secure/insecure content" warnings in the visitor's browser.

I have shown one method, which is to redirect only .php, .php4, .php5, etc. and htm or html page URLs above. You could also code this by excluding included-object filetypes from the rule using an additional negative-match RewriteCond. Either way will work, but one might have a practical maintenance advantage over the other on your site.

Jim
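
The two alternatives mentioned in the post above (testing %{SERVER_PORT} instead of %{HTTPS}, and excluding included-object file types with a negative-match RewriteCond), written out as an added example that is not code from the thread. It assumes the .htaccess file sits in the document root and that HTTPS is served on port 443; the extension list is a constructed sample to adapt to the site.

```apache
RewriteEngine On

# Plain-HTTP request (any port other than 443) for a page that must be
# secure: redirect to https
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^(contact|order)\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# HTTPS request (port 443, assumed) that is neither a secure page nor an
# object included by one: redirect to http
RewriteCond %{SERVER_PORT} =443
RewriteCond %{REQUEST_URI} !^/(contact|order)\.php$
# Constructed sample list: every file type the secure pages include must
# appear here, or it is forced to http and triggers mixed-content warnings
RewriteCond %{REQUEST_URI} !\.(css|js|gif|jpe?g|png|ico)$ [NC]
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

Both rules branch on the same port test, so a given request can match only one of them and the redirect it produces is never matched by the other rule.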

braedsjaa

2:56 pm on Apr 22, 2010 (gmt 0)

10+ Year Member



Thanks Jim.
I'm still not getting it to work and can't really afford more time - I'll stick with my PHP workarounds for now (which are less efficient but have worked for years) and get back to this another day. I have certainly learned a lot from reading your posts on Apache.
Thanks again,
Alan