Redirecting site for HTTPS

Question

I am trying to redirect my site to always open in HTTPS. I am using CloudFlare and they have a setting to "Always use HTTPS". But there is a page on my website where I do not want to use HTTPS as it opens other websites under an iFrame. And if that page also loads in HTTPS then under iFrame any website whose URL hasn't been mentioned with HTTPS doesn't open. Therefore, for that particular page I want to keep the website to be opened under HTTP.

Things I am doing:

1. In CloudFlare Crypto settings "Always Use HTTPS" is ON.

2. Then in my page where I want it to opened under HTTP say surf.php

I am using the following PHP code:

if($_SERVER['HTTP_HOST'] != 'localhost'){
  if(isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'on'){
    if(!headers_sent()){
      header("Status: 301 Moved Permanently");
      header(sprintf('Location: http://%s%s',$_SERVER['HTTP_HOST'],$_SERVER['REQUEST_URI']));
      exit();
    }
  }
}

Now the page doesn't open and says "The page isn’t redirecting properly". What should I do? Is there any other method to accomplish this? I want to use HTTPS in whole website so "Always use HTTPS" settings in cloudflare should be ON except just surf.php. What should be the best method here?

Answer 1

It sounds like you are in a redirect loop. Where you have a .htaccess file that forces HTTPS, and then you redirect to HTTP using PHP. Then that new request has all the same rules applied to it so that it gets redirected by .htaccess again to HTTPS, and so on (to infinity)

So I would first make sure your not forcing HTTPS in your .htaccess file. If so you can add a RewriteCond to exclude your URL:

#RewriteEngine On  #-- if not included elsewhere

#if HTTPS is not on (then continue)
RewriteCond %{HTTPS} !=on

#add this rule in  (if not our page, then redirect to HTTPS)
RewriteCond %{REQUEST_URI} !^/surf\.php$

RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

When mod rewrite hits a Rewrite condition if it fails (is false) it will disregard the next rewrite rule. So with this in place your PHP code could do it's job, but you can also do this in htaccess alone. Because you will have dependence on the URL in there anyway, I don't see an issue doing it all in the .htaccess file.

This would basically be the opposite of the above except you know the url. Something like this:

#if HTTPS is not on (then continue)
RewriteCond %{HTTPS} !=on
#add this rule in  (if not our page, then redirect to HTTPS)
RewriteCond %{REQUEST_URI} !^/surf\.php$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

#if HTTPS is not off (then continue)
RewriteCond %{HTTPS}!=off
#  (if is our page, then redirect to HTTP)
RewriteCond %{REQUEST_URI} ^/surf\.php$
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I can't really test this though, but that's the general idea. If HTTPS is no off, and the %{REQUEST_URI} is our page !^/surf.php$ redirect to HTTP... Basically you have to punch a hole through the HTTPS rule and then force http.

I am pretty sure with %{REQUEST_URI} you only have to check if it starts with your URL (minus the host and protocal).

I'll admit I'm a bit rusty with complex HTACCESS rules, spoiled by MVC routers, so this may very well not be 100% correct. But the general idea is sound.

Anyway hope it helps.