tmrhmdv

Reputation: 172

Apache force SSL

I am trying to redirect incoming requests to https://www.domain.com/ and all https://www.domain.com/{all pages} and am having a little trouble. Methods I tried:

  1. Adding this line: Redirect permanent / https://www.domain.com/ to my httpd.conf is causing too many redirects

  2. Using .htaccess to redirect with mod_rewrite ends in a 302 Moved page with a broken link.

What I want is:

  1. Redirect all requests to https://www.domain.com/, including http://www.domain.com/signup and pages like that, to the https version

I've searched many threads on this but they don't seem to apply to my setup. How should I approach this?

Upvotes: 0

Views: 2343

Answers (3)

Vicente Plata

Reputation: 3380

It goes like:

RewriteEngine On
# Only act on requests that did not arrive over TLS
RewriteCond %{HTTPS} off
# Send the client to the same host and path over https, as a permanent redirect, and stop processing further rules
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Source: http://systembash.com/content/force-https-ssl-access-url-apache/

Upvotes: 1

Geoff

Reputation: 417

RewriteEngine On
# The HTTPS variable is "on" or "off" in lowercase and the condition is a case-sensitive regex,
# so the pattern must be "off" (the original "Off" would never match and the redirect would never fire)
RewriteCond     %{HTTPS}   off
# $1 carries the requested path across to the https URL; R=301 makes the redirect permanent
RewriteRule     ^(.*)$     https://%{HTTP_HOST}$1 [R=301,L]

Notice the $1, which appends the path information.

Upvotes: 0

synthesizerpatel

Reputation: 28036

There's a distinct problem with this approach - if you do an automatic non-SSL redirect to an SSL webpage, you lose the security that SSL should provide. I.e. if someone can MITM your non-SSL web server, they can redirect to their own valid SSL server (with a real certificate), and the browser won't know the difference.

I.e. http://www.example.com redirecting to https://www.example.com can be subverted by a man-in-the-middle attack where a fake http://www.example.com redirects to https://i-will-steal-your-credit-card.com, and as long as i-will-steal-your-credit-card.com has a valid certificate, the browser won't alert the user that anything is awry; the user will see the little lock icon, think everything's cool and start putting in credit card numbers.

It's a better practice to have a page that explains that what they really want is the SSL version of the URL and gives a clickable link. Of course, the bad guy could do the same exact thing, but paranoid people always verify that the link they're clicking actually links to what it says.

Granted, most people aren't paranoid and will be grumpy about the extra step - so if you have any marketing people making decisions about this upstream from you, odds are you'll end up doing the automatic http->https redirect. This is because marketing and customers usually don't understand SSL.

Upvotes: 4
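The asker's first attempt looped because a Redirect placed at global scope in httpd.conf also applies to the HTTPS site, so the :443 vhost redirects to itself; the fix is to scope the redirect to the plain-HTTP vhost only, which is also why the mod_rewrite answers above need the HTTPS condition. The following vhost layout is an added example written for this page, not any poster's configuration; the hostname, DocumentRoot and certificate paths are placeholders.

```apache
# Added example: split the site into a plain-HTTP vhost that only redirects
# and an HTTPS vhost that serves content. Hostname and paths are placeholders.

# Plain-HTTP vhost: its only job is to send every request to the https site.
<VirtualHost *:80>
    ServerName www.domain.com

    # Scoped here, this fires only for plain-HTTP requests. Redirect keeps the
    # remainder of the path, so /signup becomes https://www.domain.com/signup.
    # The same line at global scope would also apply to *:443 and loop.
    Redirect permanent / https://www.domain.com/
</VirtualHost>

# HTTPS vhost: no redirect rules in here, otherwise the loop comes back.
<VirtualHost *:443>
    ServerName www.domain.com
    DocumentRoot /var/www/html

    SSLEngine on
    # Placeholder certificate and key paths for this example.
    SSLCertificateFile    /etc/ssl/certs/www.domain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.domain.com.key

    # Mitigation for the concern raised in the last answer: after a browser has
    # seen this header over https it goes straight to https:// on later visits
    # and never issues the plain-HTTP request that a MITM could redirect.
    # Needs mod_headers to be loaded.
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000"
    </IfModule>
</VirtualHost>
```

Run `apachectl configtest` after editing, then request http://www.domain.com/signup and confirm a single 301 whose Location header is https://www.domain.com/signup rather than a chain of redirects.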
