I'm flabbergasted! I've been trying for hours to redirect, via .htaccess, two specific pages to HTTPS, and force all other pages to always use HTTP. One of the URLs is dynamic, and that's where my problem lies. No example I've found has worked for me. Below is my present code. I finally did get the turning on part to work, so it's just turn开发者_开发百科ing off SSL I need help with. The only pages that should use SSL are login.php
and register.php?country=xx
where xx varies and is always lower-case letters.
Options +FollowSymLinks
RewriteEngine on
# Turn on ssl for specific pages
RewriteCond %{HTTPS} off
RewriteRule ^login\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} off
RewriteCond %{QUERY_STRING} ^country=([a-z]+)$
RewriteRule ^register.php https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Turn off ssl when not accessing specific pages
RewriteCond %{HTTPS} on
RewriteCond %{SCRIPT_FILENAME} !\/register.php\?country=([a-z]+)$ [NC]
RewriteCond %{SCRIPT_FILENAME} !\/login.php$ [NC]
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Redirect non-canonical hostname requests, preserving http/https
RewriteCond %{HTTP_HOST} !^www\.
RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$
RewriteRule ^(.*)$ http%2://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
You do not really need to check what country=xx
is -- it's a query string parameter and is not important. Redirect to HTTPS should occur on per page basis, not per query string parameter.
Options +FollowSymLinks -MultiViews
RewriteEngine On
RewriteBase /
# force https for /login.php and /register.php
RewriteCond %{HTTPS} =off
RewriteRule ^(login|register)\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# don't do anything for images/css/js (leave protocol as is)
RewriteRule \.(gif|jpe?g|png|css|js)$ - [NC,L]
# force http for all other URLs
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !^/(login|register)\.php$
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# your other rewrite rules below
These rules need to be placed in .htaccess in website root folder BEFORE any other rewrite rules (if such present). If placed elsewhere some small tweaking may be required.
They will
- force HTTPS for
/login.php
and/register.php
, - do nothing for images, css styles and JavaScript files (to be precise, for files with those extensions)
- and will force HTTP for all other URLs
- force HTTPS for
You can easily add other URLs to that list -- just edit existing rule by adding additional file name to the list (the same text in 2 places: 1) to force 2) to exclude)
File names are case-sensitive. So these rules will not work if
/LOGIN.php
is requested (Apache will not serve it either, as Linux is case-sensitive OS .. so no need to worry much here).Obvious thing: mod_rewrite should be enabled and .htaccess files needs to be processed by Apache (some website hosting companies disabling them for performance and security reasons).
IMPORTANT NOTE: It is very likely that these rule will not work for you straight away. That is because modern browser do CACHE 301 redirects from your previous attempts. Therefore I recommend testing it on another browser and change 301 to 302 during testing (302 is not cached) .. or clear all browser caches (maybe even history) and restart browser.
BTW:
No need to escape slash in
%{SCRIPT_FILENAME} !\/login.php$
%{SCRIPT_FILENAME}
will only match file name and definitely not the query string, therefore!\/register.php\?country=([a-z]+)$
make no sense at all.
精彩评论