Force HTTPS on all apart from certain folders/subfolders

.htaccess force HTTPS exclude folders

         

RobH

1:09 pm on Feb 26, 2015 (gmt 0)

10+ Year Member



Hi

I currently force HTTPS on my application but want to exclude 3 folders & their subfolders so they use HTTP.

I have this set in my apache conf file:

<Location />
SSLRequireSSL
</Location>

So currently everything is working correctly for HTTPS, any request being made on HTTP is redirected to HTTPS across the whole application.

I want to exclude these paths/folders and their sub folders from HTTPS and force HTTP:

www.example.com/lists
www.example.com/campaigns
www.example.com/frontend

My .htaccess file is currently this:

# BEGIN rewrite rules
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /

# BACKEND APP
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !.*\.(ico|gif|jpg|jpeg|png|js|css)
RewriteCond %{REQUEST_URI} ^/backend(/.*)?$
RewriteRule backend/.* backend/index.php

# CUSTOMER APP
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !.*\.(ico|gif|jpg|jpeg|png|js|css)
RewriteCond %{REQUEST_URI} ^/customer(/.*)?$
RewriteRule customer/.* customer/index.php

# API APP
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !.*\.(ico|gif|jpg|jpeg|png|js|css)
RewriteCond %{REQUEST_URI} ^/api(/.*)?$
RewriteRule api/.* api/index.php


# FRONTEND APP
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !.*\.(ico|gif|jpg|jpeg|png|js|css)
RewriteRule . index.php
</IfModule>
# END rewrite rules

What do I need to do to achieve my goal?

Hopefully I have explained properly what I need to achieve!

Many Thanks

Rob

lucy24

8:22 pm on Feb 26, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



RewriteCond %{REQUEST_URI} !.*\.(ico|gif|jpg|jpeg|png|js|css)
RewriteCond %{REQUEST_URI} ^/backend(/.*)?$
RewriteRule backend/.* backend/index.php

Oh, ouch. Oh, ouch. At an absolute minimum, if you change nothing else, put those server-intensive !f and !d tests after the filename tests. And why all the separate rules? That's what the $1 capture is for.

But that wasn't what you asked.

Isn't there a !SSLRequireSSL or similar command that would un-set the directive? I can't find one, but where there's an "on" you'd normally expect an "off". The alternative is to abandon this rule and instead redirect all HTTP requests to HTTPS, using the mod_rewrite that you've already got running. Then you can make a Condition to exclude the specified directories.
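An added example (not part of the thread and not any poster's code) of the approach described above: redirect HTTP to HTTPS with mod_rewrite and exclude the three directories with a Condition. It assumes the rules sit in the document-root .htaccess ahead of the index.php rules, and that www.example.com is the hostname on the certificate.

```apache
# Added example for the document-root .htaccess; place it above the
# index.php rules so redirects are decided before any internal rewrite.
# Assumes the <Location /> SSLRequireSSL block has been removed from the
# server config: that directive forbids non-SSL requests (403) instead of
# redirecting them.
<IfModule mod_rewrite.c>
RewriteEngine on

# Plain HTTP outside the three excluded trees: 301 to HTTPS.
# REDIRECT_STATUS is empty only on the client's original request, so the
# later internal rewrite to index.php is not re-tested and redirected.
# The (/|$) anchor matches the directory itself and anything below it.
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/(lists|campaigns|frontend)(/|$)
# Fixed hostname (assumed to be the one on the certificate) rather than
# the client-supplied Host header.
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]

# HTTPS inside the excluded trees: 301 back to HTTP, keeping the requested
# host so tracking-domain CNAMEs stay on their own name.
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} ^/(lists|campaigns|frontend)(/|$)
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```

The (/|$) anchor keeps look-alike paths such as /listsold on HTTPS. Cookies set by the HTTPS side need the Secure attribute, otherwise browsers also send them on requests to the three HTTP trees.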

phranque

12:15 am on Feb 27, 2015 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



welcome to WebmasterWorld, Rob!


SSLRequireSSL
...
any request being made on HTTP is redirected to HTTPS

how is the HTTP->HTTPS redirect happening?
iirc SSLRequireSSL requires a secure connection or access is forbidden, so you should get 403 response instead of a 301.

if you change nothing else, put those server-intensive !f and !d tests after the filename tests. And why all the separate rules? That's what the $1 capture is for.

more than that, you also should add some anchors to some regular expressions.
try something like this:
# BACKEND/CUSTOMER/API APPS
RewriteCond %{REQUEST_URI} !\.(ico|gif|jpg|jpeg|png|js|css)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(backend|customer|api)/ $1/index.php [L]


and then:
# FRONTEND APP 
RewriteCond %{REQUEST_URI} !\.(ico|gif|jpg|jpeg|png|js|css)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]

lucy24

3:55 am on Feb 27, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



RewriteRule ^(backend|customer|api)/ $1/index.php [L]

I got the impression-- possibly mistaken-- that the rule is lying loose in the config file. If so, there might be stuff before the (backend|customer|api) part which ideally you'd spell out-- but not capture-- in the body of the rule. If not, you could eliminate the REQUEST_URI condition (because the physical directory would then correspond to the domain root). In any case you need a / at the front of the target. Safer than relying on a RewriteBase.

RobH

10:17 am on Feb 27, 2015 (gmt 0)

10+ Year Member



Hi Guys

Thanks for your responses. I have to admit I understand about 5% of what you have said :)

I've been reading this [corz.org...] but again with no luck trying to get to where I would like to be.

Maybe I should expand on the what and why and that will help getting there!

I have an app that requires SSL for data protection (EU law and all that)

The app is an email marketing app and provides for emails to have a corresponding web version which I don't want to be SSL because I also use tracking domains which are simply CNAMES pointed to the main domain app.example.com. If I were to have the web version under SSL I would require that each tracking domain have its own SSL cert which just isn't feasible (and is too costly). There are also other forms/pages which use the tracking domain but don't require SSL.

Hence the need to exclude certain folders/paths from SSL.

If you were starting from scratch, blank canvas, how would you achieve that?

I can scrap anything I currently have as the app isn't live yet.

I look forward to understanding more :)

Cheers

Rob

RobH

10:41 am on Feb 27, 2015 (gmt 0)

10+ Year Member



Hi

I've done as you suggested with this:

# BACKEND/CUSTOMER/API APPS
RewriteCond %{REQUEST_URI} !\.(ico|gif|jpg|jpeg|png|js|css)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(backend|customer|api)/ $1/index.php [L]

and then:
# FRONTEND APP
RewriteCond %{REQUEST_URI} !\.(ico|gif|jpg|jpeg|png|js|css)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]

All seems to work perfectly, thanks very much.