system
April 8, 2006, 8:37pm
1
Hello,
I’d like to redirect all requests performed on a subdomain to his SSL subdomain.
Basicly all requests made for example on
http://secure.domain.com/
are redirected to
httpS://secure.domaine.com/
What is the best solution to do this ?
I’d like to prevent all accesses to a web page on this subdomain with http.
Thanks
Pascal
Justec
April 8, 2006, 9:33pm
2
Pascal,
I do this using PHP. I just create a php file and put it in the include path called something like forceSSL.php.
if($_SERVER['SERVER_PORT'] != "443" || $_SERVER['HTTP_HOST'] != "secure.domain.com") {
header("location: https://secure.domain.com".$_SERVER["PHP_SELF"]);
exit;
}
Then any page you want to be only SSL you can just include(‘forceSSL.php’);
Im sure there are other ways maybe using .htaccess or similar, but since I program in PHP this is a very quick and easy way to get this done.
system
April 8, 2006, 9:44pm
3
Thanks justec,
We’ve done it with a rewrite rule. It uses work but not sure it is the best bet.
RewriteCond %{HTTPS} !=on [NC]
RewriteCond %{HTTP_HOST} ^secure.carat-hosting.com [NC]
RewriteRule ^(.*) https://secure.carat-hosting.com/$1 [R,L]
We also know there is something like this
<Directory /home/.path/to/web/html/secure>
SSLRequireSSL
</Directory>
But not sure it does the redirection (we didn’t test it
We try t ofind the best method. Yours is ok but you have to add these lines in EVERY php script, isns’it ?
Is there better solutions ?
Pascal
system
April 8, 2006, 10:01pm
4
heu…
in fact it is
RewriteRule ^(.) https://secure.carat-hosting.com$1 [R,L]
and not
RewriteRule ^(. ) https://secure.carat-hosting.com / $1 [R,L]
this last one add every time one more slash at the end of https://secure.carat-hosting.com// then after https://secure.carat-hosting.com/// surely because this rule is defined just before the subdomain logic rules
Any way, somebody has a better rule ? a stronger/better soluce ?
Thanlks
Pascal
jimp
April 9, 2006, 12:48pm
5
Here is how I do it…
pascal,
In your non-SSL virtual host:
RewriteCond %{HTTP_HOST} ^secure\.carat-hosting\.com$ [NC]
RewriteRule ^(.*)$ https://secure.carat-hosting.com$1 [R,L]
In your SSL virtual host:
RewriteCond %{HTTP_HOST} !^secure\.carat-hosting\.com$ [NC]
RewriteRule ^(.*)$ https://secure.carat-hosting.com$1 [R,L]
I see no reason to check the HTTPS mod_rewrite variable, beause your virtual hosts will be non-SSL or SSL-enabled exclusively. (It should not hurt to have the extra check, though.)
[B] Justec,
[/B] When I need PHP to enforce SSL, I write it like this:
if (isset($_SERVER['HTTPS']) == FALSE ||
$_SERVER['HTTPS'] == '')
{
header("Location: https://secure.domain.com".$_SERVER["PHP_SELF"]);
exit(0);
}
jimp
April 9, 2006, 2:56pm
6
I have not written anything useful for my blog in a while, so I decided to turn my response above into a blog entry. I have been asked about this topic several times, so maybe this will help…
http://translocator.ws/2006/04/09/forcing-ssl-on-a-subdomain
Justec,
I’m sorry, but I got in a hurry and told you wrong. This is the correct code:
if
( ( $_SERVER['HTTP_HOST'] == 'secure.domain.com' &&
$_SERVER['HTTPS' ] == '' // (non-SSL)
)
||
( $_SERVER['HTTP_HOST'] != 'secure.domain.com' &&
$_SERVER['HTTPS' ] != '' // (SSL-enabled)
) )
{
// Redirect...
header('Location: https://secure.domain.com'.$_SERVER["PHP_SELF"]);
exit(0);
}