Redirecting every request to HTTPS

Changing HTTP to HTTPS requests

csherwood1234

3:28 pm on Oct 18, 2010 (gmt 0)

10+ Year Member



Our site is currently failing PCI compliance scans because the scans are reporting that 2 of our directories are using BASIC authentication and logins are not encrypted.

The suggested resolution by the scanning company is to "Make sure that HTTP authentication is transmitted over HTTPS."

Their test involves submitting requests like this one:

[mysite.com...]

AND

[mysite.com...]

Although in testing this myself I find that I can send almost any request like this:

[mysite.com...]

OR

[mysite.com...]


In reviewing directory1, I found an .htaccess file with the following:

AuthUserFile /none/
AuthGroupFile /none/
AuthName ByPassword
AuthType Basic
<Limit GET>
require valid-user
</Limit>

Since I couldn't find a reason for this (it may have been placed there by the CMS during installation), as I don't even have the directory password protected, I simply deleted it, and that solved the problem for that directory. I've tested the CMS since the deletion and haven't noticed any adverse effects, but I'm still not sure this was the right thing to do.

In reviewing directory2 I found no .htaccess file but this is a directory I password protect using Plesk.

So, I'm not sure what to do here. Should I add a .htaccess file to this directory to rewrite http requests to https? Or maybe require AuthType Digest?

Is there a single approach using an .htaccess file that can be used by both directories? Something like either of these?

RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{SERVER_PORT} !^443$
RewriteRule .* [mysite.com...] [R=301,L]

OR

RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ [mysite.com...] [R=301,L]

Any help would be appreciated. I can code, but am completely unfamiliar with RewriteRule.

csherwood1234

2:40 am on Oct 19, 2010 (gmt 0)

10+ Year Member



Maybe I posted too much information. I see questions posted long after mine have been answered. I was just trying to "do the right thing" in addition to "doing the thing right".

So, forget whether it's the right thing . . . will something like this work to redirect all requests submitted via http to https?

RewriteCond %{SERVER_PORT} !^443$
RewriteRule .* [mysite.com...] [R=301,L]

jdMorgan

1:46 pm on Oct 19, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Auth problems are always difficult, and threads here tend to be answered only by those who feel confident at providing a good answer. Sometimes, that person has a busy day, and defers a response... :)

> Any help would be appreciated. I can code, but am completely unfamiliar with RewriteRule.

Then the first step is to get familiar with mod_rewrite. Since it controls your server configuration, proceeding without knowledge can be quite dangerous to the health and reliability of your server, and to the search indexing and ranking of your site -- all potentially revenue-affecting. Our Apache Forum Charter has links to useful resources, and our Apache Forum Library has several general tutorials which may prove helpful.

Another issue is that "/directory1" and "/directory2" have little meaning to anyone else here, so questions related to their relationship to each other can only be guessed at.

SSL (using HTTPS) incurs a significant additional load on both the server and client. Therefore, you may wish to reconsider the idea of making *all* requests use SSL. Further, if you do decide to use SSL, make sure to purchase a "wild-card" SSL certificate. Otherwise, you will find yourself unable to correct (redirect) non-canonical SSL hostname requests to the canonical hostname.

You need to identify specifically which page or "directory path(s)" are part of the proposed secure login process, and then construct two rules: One to redirect insecure login-page requests to https and the other to redirect anything else back to http.

In addition, the URL-paths of any 'objects' (e.g. images, css, JavaScripts) shared between http and https pages should be excluded from this rule, in order to avoid "Mixed Secure/Insecure Content" warnings in the browser -- a sure way to lose visitors.

Get the first part working first, and then we can discuss the second. Here's a start:

RewriteEngine On
# Only act on requests that did not arrive on the SSL port
RewriteCond %{SERVER_PORT} !^443$
# Leave shared objects alone so they can be served on either scheme
RewriteCond %{REQUEST_URI} !\.(gif|jpe?g|png|ico|css|js)$
RewriteRule ^(path-to-secure-pages-area(/.*)?)$ https://www.mysite.com/directory1/$1 [R=301,L]

The resources cited above can be used to take this code apart --character-by-character when necessary-- to determine how it works. The keys are to correctly identify and substitute the "path-to-secure-page-area" sub-string, and to identify and exclude all shared-object types from this redirect -- either by filetype (as shown here) or by URL-path(s).

Jim
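As an added example (not from the thread or from Jim's post), here is one way to cover both directories from the server configuration instead of a per-directory .htaccess: a plain-HTTP vhost that does nothing but redirect, and the HTTPS vhost that carries the login, with SSLRequireSSL as a backstop. It goes beyond the .htaccess approach discussed above because per-directory RewriteRules run in Apache's fixup phase, after authentication, so an .htaccess redirect cannot stop a Basic auth 401 challenge from going out over plain HTTP first. The hostname www.mysite.com, the document root, the certificate paths and the password file are all placeholders.

```apache
# Added example, not from the thread: plain-HTTP vhost that only redirects,
# and the HTTPS vhost that carries the login. Hostname, document root,
# certificate and password-file paths are placeholders.
<VirtualHost *:80>
    ServerName www.mysite.com
    # Send every request, whatever the method, to the same path on HTTPS.
    # This lives in the vhost rather than in .htaccess because per-directory
    # RewriteRules run in the fixup phase, after authentication, so a Basic
    # auth 401 challenge would already have gone out over plain HTTP.
    RewriteEngine On
    RewriteRule ^ https://www.mysite.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.mysite.com
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/www.mysite.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.mysite.com.key
    DocumentRoot /var/www/site

    # Protected area. Require sits outside any <Limit GET> block, so POST,
    # HEAD and every other method are challenged too; <Limit GET> alone,
    # as in the CMS-installed .htaccess quoted earlier, leaves them open.
    <Directory /var/www/site/directory2>
        # Backstop: mod_ssl's access check runs before authentication, so a
        # non-TLS request gets 403 and no credentials are ever requested.
        SSLRequireSSL
        AuthType Basic
        AuthName "Restricted area"
        AuthUserFile /etc/apache2/passwd/directory2.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

Because the redirect is unconditional on port 80, no filetype exclusion is needed there; shared images, CSS and scripts simply end up referenced over HTTPS as well, which also avoids the mixed-content warnings mentioned above.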