Posted to wiki-changes@httpd.apache.org by Apache Wiki <wi...@apache.org> on 2008/12/31 04:11:24 UTC

[Httpd Wiki] Update of "RewriteSSL" by RichBowen

The following page has been changed by RichBowen:
http://wiki.apache.org/httpd/RewriteSSL

New page:

Bunch of SSL recipes here, based on frequently asked questions about this. We'll start with the favorite:

= Force SSL for certain URLs =

== Problem: ==

A certain part of the web site must always be served via SSL. So, if someone goes to that part of the site without SSL, we want to redirect them.

== Recipe: ==

To force the entire site into SSL:

{{{
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
}}}

Or, in a .htaccess or <Directory> block, you'd need to remove that leading slash:

{{{
RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L]
}}}

Or, if you wanted to have a particular subdirectory forced into https:

{{{
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/secure(.*) https://%{SERVER_NAME}/secure$1 [R,L]
}}}

== Discussion: ==

While this can be done rather effectively with a Redirect, if you're not careful, it can loop. Also, the recipe provided here will work for any number of hostnames, and preserve that hostname.

The [R] flag means that this is a Redirect, not a rewrite. That is necessary so that the browser is requesting the content via https, not via http.

If you're running Apache 2, you should also look at the [http://httpd.apache.org/docs-2.2/mod/mod_ssl.html#sslrequiressl SSLRequireSSL] directive, which may, at least in part, do what you wanted.
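
The Redirect loop mentioned above, next to a scoped version that does not loop, as an added example that is not part of the original wiki page. The hostname www.example.com and the certificate paths are placeholders.

```apache
# Loop-prone: placed in the main server config (inherited by every vhost)
# or in an .htaccess under a DocumentRoot shared by the HTTP and HTTPS
# vhosts, this Redirect also matches the https:// request it just produced,
# so the browser is sent to the same URL again and again.
Redirect /secure https://www.example.com/secure

# Non-looping: the Redirect lives only in the plain-HTTP vhost, so the
# HTTPS vhost never sees it.
<VirtualHost *:80>
    ServerName www.example.com
    # Unlike the RewriteRule recipe, this pins a single hostname instead of
    # preserving whatever name the client asked for.
    Redirect /secure https://www.example.com/secure
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # Placeholder paths; use your own certificate and key.
    SSLCertificateFile    /path/to/www.example.com.crt
    SSLCertificateKeyFile /path/to/www.example.com.key

    <Location /secure>
        # Denies any request for /secure that did not arrive over SSL.
        # It does not redirect; it is a backstop in case this content is
        # ever mapped into a non-SSL vhost by mistake.
        SSLRequireSSL
    </Location>
</VirtualHost>
```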

= SSL to the wrong hostname =

Because you can only have one SSL host per IP address, if you're running several names on the same IP address, you can end up with https://false.example.com/ getting the wrong cert. Here's how you ensure that the "wrong" hostname doesn't go to the SSL vhost.

The following rules would go in your SSL vhost:

{{{
RewriteCond %{HTTP_HOST} !=right.example.com
# checking for non-empty host header
RewriteCond %{HTTP_HOST} !=""
RewriteRule ^/(.*) http://right.example.com/$1 [R=301,L]
}}}