5

Here are some questions I have about SSL.

```apache
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} somefolder
RewriteRule ^(.*)$ https://www.domain.com/somefolder/$1 [R,L]
```

  1. Above is code to force everything to go to SSL via .htaccess. Is there a way I can restrict this code to a specific IP address? I want to force SSL for just my IP address so that I can test the site thoroughly using the new SSL links, and see (make sure) everything is working before taking it live to the live site. Testing with just my IP would be a lot easier.

  2. Is SSL going to interfere with any GET/POSTs? Meaning... if I use that code above, and someone is on a page and they submit a form, it's going to force them into SSL. Is that going to be considered a redirect and clear out any POST/GET variables? I just want to try to find out ahead of time if it's going to mess up anything I have running.

  3. Have any of you had any situations where you forced SSL then had a lot of issues with the site not working right?

Ninjakreborn
  • 1) Use one more RewriteCond line and the `%{REMOTE_ADDR}` variable to match the IP address; 2) It's a redirect -- it will mess with POST data (but not with GET); 3) It's all about how you design your site -- if you did everything OK on your side (used HTTPS links where required) but somebody is still trying to manually use HTTP (especially when using POST -- e.g. submitting forms), then just throw an error (he does it on purpose, so it's his own problem). – LazyOne Apr 10 '12 at 15:00
  • BTW -- depending on where this site will be deployed etc. -- you can use `RewriteCond %{HTTPS} =off [NC]` instead of checking the port number, as you can easily put a website on a different non-standard port (e.g. 8080 etc.). – LazyOne Apr 10 '12 at 15:02

2 Answers

2

If you want to make sure your site works well with HTTPS, turn off plain HTTP (assuming it's for the whole server), or use Apache Httpd directives (in `.htaccess` or in the main configuration) that make the pages that need to be served over HTTPS return an error (e.g. 404) when they're accessed over plain HTTP. You could achieve this for a specific IP address by using `Deny from xxxxxxx`.

Don't rely on mod_rewrite or similar to redirect plain HTTP requests to their HTTPS equivalent. This will at best hide problems and cause a false sense of security.

The reason for this is that, even with a redirect, the initial requests are made in the clear before being redirected: make sure all the references use `https://` URIs before making use of them. You can find more details in this answer.

Bruno
  • Very nice, thank you. I finally got it all working by simply changing the core URLs to https. Once in HTTPS they stayed in that protocol. So on login, I just made sure that the form was pointed to HTTPS, and they stayed that way throughout the rest of the site. This was an admin panel so there was no need to force HTTP off... but the way that you explained it worked well. Thanks. – Ninjakreborn Apr 23 '12 at 01:19
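
As an added example (not code from any of the posts above), here are the two approaches discussed on this page side by side, limited to a single test client. The address 203.0.113.10 is a placeholder for the tester's IP, and the rules assume the same `.htaccess` location and `somefolder` path as the question's snippet.

```apache
# Added example. 203.0.113.10 is a placeholder (documentation range);
# substitute the tester's own address. Use ONE variant, not both.
RewriteEngine On

# --- Variant A: redirect only the test client to HTTPS -------------------
# Consecutive RewriteCond lines are ANDed, so the rule fires only for
# plain-HTTP requests from that one address under somefolder.
# %{HTTPS} is used instead of %{SERVER_PORT} so a non-standard port
# (e.g. 8080) is still recognised as plain HTTP.
RewriteCond %{HTTPS} =off [NC]
RewriteCond %{REMOTE_ADDR} ^203\.0\.113\.10$
RewriteCond %{REQUEST_URI} somefolder
RewriteRule ^(.*)$ https://www.domain.com/somefolder/$1 [R,L]
# Caveat: [R] defaults to a 302. Browsers follow it with a GET, so the
# body of a form POSTed to an http:// action is dropped, and it has
# already crossed the network unencrypted before the redirect is seen.

# --- Variant B: refuse plain HTTP for the test client --------------------
# Instead of redirecting, answer 403 Forbidden. Any link, form action or
# asset that still points at http:// fails visibly during testing rather
# than being silently patched up by a redirect.
# RewriteCond %{HTTPS} =off [NC]
# RewriteCond %{REMOTE_ADDR} ^203\.0\.113\.10$
# RewriteCond %{REQUEST_URI} somefolder
# RewriteRule ^ - [F]

# Note for both variants: behind a reverse proxy or load balancer,
# %{REMOTE_ADDR} holds the proxy's address, not the tester's, so the
# IP condition will not match as written.
```

Variant B is left commented out so the file is valid as it stands; to use it, comment out Variant A's four lines and uncomment Variant B's.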
1

Navigate to: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#relative

How can I switch between HTTP and HTTPS in relative hyperlinks?

Zach Lysobey
Joberror