That rule redirects from http to https. It does nothing to redirect back to http from https.

You need two rules, one to redirect secure pages from http to https, and one to redirect non-secure pages from https to http. And note that I said "pages," as neither rule should affect requests for images or for JavaScript, CSS, or "template" files that are shared between your HTTP and HTTPS pages.

If you invoke redirection on requests for those shared resources, then you will get "Mixed secure/insecure content" warnings in the browser, and this will scare off your visitors...

Here is an example that you can modify to suit your site:

# Redirect HTTP requests for secure pages to HTTPS
RewriteCond %{SERVER_PORT} !=8443
RewriteRule ^/(login\.do|receipt\.do|checkout\.do|user)$ https://localhost:8443/$1 [R=301,L] 
#
# Redirect HTTPS requests for non-secure pages to HTTP, excluding shared objects
RewriteCond %{SERVER_PORT} =8443
RewriteCond $1 !\.(gif|jpg|png|ico|css|js)$
RewriteCond $1 !^(login\.do|receipt\.do|checkout\.do|user)$
RewriteRule ^/(.*)$ http://localhost/$1 [R=301,L] 

Jim

Thanks for the response Jim. I tried that but it did not work. I have several other rules in the file, so I placed this right at the beginning, but still did not work. What other areas should I look at ?
Thanks in advance.

In what way did it not work?

What was the test URL (use example.com here)?

What was the actual result?

What was the expected result?

Did you flush your browser cache before testing?

It might be that some of the other rules interfere with these. Do any of those force the protocol in any way?

I cleared the browser cache and it did not work. So when I click on say "login" it takes me to "https://localhost:8443/context name/folder1/folder2/login.do" which is correct. But when I click on "logout" it brings me back to a logout page and that page is "https:// ... ". That is not wanted and from there on clicking on any link will keep the user with "https:// ...". I checked the other rules, they are "RewriteRule ..".

I saw something like this b4 the virtual host entry:
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

There are some of these but I don't they are causing any problem:

RewriteCond %{QUERY_STRING} trk_src_ss=([0-9a-zA-z]+)|([^/]+)
RewriteRule ^/$ /home.do?promoCode=%1 [R=301,L,NE]

RewriteCond %{QUERY_STRING} T1=([^/]+)trk_src_ss=([0-9a-zA-z]+)|([^/]+)
RewriteRule ^/example.asp /detail/%1promoCode=%2? [R=301,L,NE]

Then there are these right at the end:

RewriteCond %{request_uri} !^/contextName.*?
RewriteCond %{request_uri} !^/$
RewriteRule ^(.+?)$ [localhost:8080...] [NE,P,L]

RewriteCond %{request_uri} ^/$
RewriteRule ^/$ [localhost:8080...] [NE,P,L]

I am an absolute novice at this. Thanks for all the help.

Make sure that if you have separate vHosts for the SSL and non-SSL servers, that each 'piece' of code above is placed into the proper vHost. The HTTP-to-HTTPS redirect has to be in the HTTP server, and the HTTPS-to-HTTP redirect has to be in the HTTPS server...

Be sure to put these redirects ahead of the other redirects and reverse-proxy through-puts you show above.

Jim

Thank you so much for the input. The problem is resolved. The problem was my local apache was not set up correctly. Thanks again.

Can you describe what the problem was, and how it was fixed? ...for the next person with the same problem.

My local is still not set up correctly so I could not see the effect of the changes made to an logout.xhtml file. The logout.xhtml had a <meta http-equiv="Refresh" tag and it would refresh to login.xhtml. I made it point to home.xhtml and now it does not have that https. Having it refresh to login.xhtml was triggering it to go to https. Hope that explanation helps.