2

              I created domain as http://www.example.com/ Now I bought a SSL for it. When I type https://www.example.com in address bar, it show my site in secure https. On other times, it didn't show https on my site.
               Now I want to redirect to https from http. I searched on google. But someone say redirecting from http to https automatically is not a good idea. Someone says, you can redirect it like facebook, gmail. Now I'm confused.
               Now I've more question on redirection,
        1. May I redirect from http to https?
        2. Is it safe or not?
        3. have I face any problems in future for this redirect?
        4. what is the secure way to redirect http to https?
My .htaccess file:

  RewriteEngine On
  RewriteCond %(REQUEST_FILENAME) !-d
  RewriteCond %(REQUEST_FILENAME) !-f
  RewriteCond %(REQUEST_FILENAME) !-l]
  RewriteRule ^(.*)$ index.php?url=$1 [QSA,L]

Updated
I add following to my .htaccess. It redirect well and working fine. But now I get new problem. I can't access inseure content in my page. My .htaccess file is:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !POST
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
RewriteCond %(REQUEST_FILENAME) !-d
RewriteCond %(REQUEST_FILENAME) !-f
RewriteCond %(REQUEST_FILENAME) !-l
RewriteRule ^(.*)$ index.php?url=$1 [QSA,L]

It display errors " [blocked] The page at 'https://www.example.com/red-ball-4-game' was loaded over HTTPS, but ran insecure content from 'http://www.sample.net/img/olume.jpg': this content should also be loaded over HTTPS.

"
How to solve this?

2 Answers2

1

Place this code in your DOCUMENT_ROOT/.htaccess file:

RewriteEngine On

RewriteCond %{REQUEST_METHOD} !POST
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]

RewriteCond %(REQUEST_FILENAME) !-d
RewriteCond %(REQUEST_FILENAME) !-f
RewriteCond %(REQUEST_FILENAME) !-l
RewriteRule ^(.+)$ index.php?url=$1 [QSA,L]

This will force all pages of your website to always open in https.

anubhava
  • 761,203
  • 64
  • 569
  • 643
  • It give error Internal server error. This is the error I got " Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, webmaster@example.com and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log. Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request " –  May 05 '14 at 10:19
  • Can you check your Apache error.log to see what is the exact error. – anubhava May 05 '14 at 10:20
  • I just copy pasted above code entirely into my .htaccess and it worked fine. – anubhava May 05 '14 at 10:21
  • That is what your browser shows but Apache error.log will show you exact reason of this error – anubhava May 05 '14 at 10:23
  • how can I find apache error.log file on my server –  May 05 '14 at 10:27
  • Actually that varies server to server. Usually it is in `/var/log/httpd` but can be anywhere as per Apache installation. Rule syntax is fine now. – anubhava May 05 '14 at 10:29
  • It gives 500 Internal Server Error. Is need any other changes? –  May 05 '14 at 10:31
  • You're probably not reading my comments properly. I repeated more than once that rules are all correct and actual reason of 500 is available in your Apache server log. – anubhava May 05 '14 at 10:34
  • sorry I can't find my apache error log file on my server? –  May 05 '14 at 10:35
  • You will need to take help from your server admin, it is difficult to guess from here. – anubhava May 05 '14 at 10:36
  • It working fine. But insecure contents is blocked. It is not displayed on my page. it gives error "[blocked] The page at 'https://www.example.com/red-ball-4-game' was loaded over HTTPS, but ran insecure content from 'http://www.sample.net/it/an.jpg': this content should also be loaded over HTTPS." –  May 06 '14 at 08:26
  • Above rule will only impact the web server where it is residing. So `sample.net` cannot not be controlled with above rewrite rule. – anubhava May 06 '14 at 08:35
  • k then how can I access insecure content in my site? I want to display insecure(http) content in https page. how to do this? –  May 06 '14 at 08:56
  • You can't mix http content with https as the page URL otherwise this warning will show up. – anubhava May 06 '14 at 09:36
  • Is anyother way to display insecure content in https? –  May 06 '14 at 09:47
  • You cannot avoid that since that is browser security model no web browser would allow that without warning. – anubhava May 06 '14 at 09:54
  • Then there is no chance to display insecure iframes in secure page? –  May 06 '14 at 11:02
  • iframe will probably work but I haven't used them (I am not a UI developer actually) – anubhava May 06 '14 at 11:22
  • I searched about that, I got if iframe src is http, then it doesn't display on https –  May 06 '14 at 12:20
  • I still think it will be lot easier to keep those links as https also. – anubhava May 06 '14 at 13:36
  • But those file is in http only. If I change it to https, it will be same. There is no change on my page. –  May 07 '14 at 03:35
0

1: May I redirect from http to https?

  • Yes, you can redirect http to https.

2: Is it safe or not?

  • Obviously it's safe, the s in https stands for secure which itself means safe.

3: Have I face any problems in future for this redirect?

  • Make sure all of your url's are now https and there is not mixture of http and https in your site. This will be not an issue if you have a relative urls throught your site.

4: What is the secure way to redirect http to https ?

  • What you mean by secure here ? But you can right rewrite rule in your htaccess file to redirect all of your url from http to https.

Rule:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Note: I will suggest you to use https only on the required pages. You can read this post for a better idea by what I mean.

Community
  • 1
  • 1
Rikesh
  • 26,156
  • 14
  • 79
  • 87
  • My domain is 2 years old. So loss any backlinks for this redirection? –  May 05 '14 at 10:12
  • I hardly think so, but still I will recommend to redirect to https only pages which contain sensitive information and to redirect the complete site. – Rikesh May 05 '14 at 10:22
  • Rikesh forgot `R` flag to redirect urls correctly. The answer is now updated and should work for you – Justin Iurman May 05 '14 at 11:20