
ViaThinkSoft CodeLib


Summary

Version 1.4 (February 27th, 2012)

This solution (which we believe to be fairly unique) provides

- automatic HTTP-to-HTTPS redirects for secured areas, configured entirely in .htaccess (no rewrite rules in .htaccess are needed)
- automatic redirection of GET requests only (POST requests are not forwarded; see the note below)

.htaccess

# VIATHINKSOFT HTTPS-ENFORCER 1.4
# USED FOR HTTP->HTTPS REDIRECTION FOR SECURED AREAS

# https://www.viathinksoft.de/?page=codelib&showid=90

# The directory needs AllowOverride AuthConfig (Auth*, Require, Satisfy,
# SSLRequireSSL), FileInfo (ErrorDocument) and Options (SSLOptions).
# Apache 2.2 syntax; on 2.4 "Satisfy" needs mod_access_compat.

# Everything except robots.txt and https_redirector.php is secured.
# (You must exclude https_redirector.php if you want to secure / :
# otherwise the error document itself is forbidden and Apache falls
# back to its built-in 403 page instead of redirecting.)
<FilesMatch "^(?!https_redirector\.php$|robots\.txt$).*">
        AuthName "Secured area"
        AuthUserFile /(directory outside of docroot)/.htpasswd
        AuthType Basic
        Require valid-user

        # Enforce SSL: a request over plain HTTP is answered with 403,
        # which the ErrorDocument below turns into the HTTPS redirect.
        # +StrictRequire makes SSLRequireSSL win even under "Satisfy Any".
        SSLOptions +StrictRequire
        SSLRequireSSL
        Satisfy All

        ErrorDocument 403 /https_redirector.php
</FilesMatch>

# Other things to define by you, e.g.
# Options +Indexes

(docroot)/https_redirector.php

Attention: The script must be installed in the document root of every virtual host, because the ErrorDocument path /https_redirector.php is resolved relative to that docroot.

<?php

// VIATHINKSOFT HTTPS-REDIRECTOR HIDDEN SCRIPT 1.4
// USED FOR HTTP->HTTPS REDIRECTION FOR SECURED AREAS

// https://www.viathinksoft.de/?page=codelib&showid=90

// Apache runs this script through "ErrorDocument 403" (an internal redirect),
// so the $_SERVER variables still describe the originally requested resource.
if (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == '1' || strtolower($_SERVER['HTTPS']) == 'on')) {

    // We are already on HTTPS, so this is a "real" 403 error on the
    // requested resource: reproduce Apache's default error page.
    header('HTTP/1.1 403 Forbidden');

    // This message is taken from /usr/share/apache2/error/HTTP_FORBIDDEN.html.var
    // of Apache 2.2.16 on Debian 6.0.1.
    // REDIRECT_SCRIPT_URL is the path of the original request. It is chosen by
    // the client, so it is HTML-escaped before being echoed into the page.
    $url = isset($_SERVER['REDIRECT_SCRIPT_URL']) ? $_SERVER['REDIRECT_SCRIPT_URL'] : $_SERVER['REQUEST_URI'];
    $url = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    // SERVER_SIGNATURE is HTML generated by Apache itself (empty if ServerSignature is Off).
    $signature = isset($_SERVER['SERVER_SIGNATURE']) ? $_SERVER['SERVER_SIGNATURE'] : '';

    echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don\'t have permission to access '.$url.'
on this server.</p>
<hr>
'.$signature.'
</body></html>';
    exit;
}

// Plain HTTP: the 403 came from SSLRequireSSL, so send the client to the same
// resource over HTTPS. REQUEST_URI is the originally requested path including
// the query string (Apache keeps it across the internal redirect).
$requri = getenv('REQUEST_URI');

// Attention: Do NOT use SERVER_NAME here. It depends on the server
// configuration (ServerName / UseCanonicalName) and an IPv6 literal loses
// its square brackets. HTTP_HOST is what the client actually asked for
// (including a non-default port), so the redirect points back to the very
// host the client contacted.
$servername = getenv('HTTP_HOST');

$servername = strtolower($servername); // Not necessary, host names are case-insensitive

// PHP sends "302 Found" for a Location header unless told otherwise.
header("Location: https://$servername$requri");
exit;

?>

Attention: The redirect only works for GET requests. The data of a POST request is not forwarded (the client is redirected and re-requests the resource without its body). This is also not desirable, since a POST request usually already contains sensitive data such as login credentials. Therefore a form that sends such data MUST point directly at the HTTPS URL to be secure; the redirect only protects against an unencrypted GET.

Disadvantage: You cannot define your own custom 403 pages (except by modifying https_redirector.php, which serves the 403 page for the HTTPS side).
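The check a practitioner would want after deploying the files above is an added example here and not part of the original ViaThinkSoft code: a Python script that sends single requests without following redirects and verifies the properties this page promises (plain-HTTP GET is redirected to exactly the same host, path and query over HTTPS; the HTTPS side demands Basic authentication; a plain-HTTP POST is never served; robots.txt stays exempt). `live_fetch` talks to a real server; `model_fetch` and `model_fetch_servername_bug` are constructed stand-ins that mimic the .htaccess/https_redirector.php behaviour, the second one with the SERVER_NAME pitfall from the script's comment (IPv6 brackets lost), so the checks can be exercised offline. Host name, path and realm are assumed placeholders.

```python
"""Deployment check for the HTTP->HTTPS enforcement described above (added example)."""
import http.client
import ssl
import sys
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Resp:
    status: int
    headers: Dict[str, str]  # header names lower-cased


Fetcher = Callable[[str, str], Resp]  # (method, url) -> Resp, redirects NOT followed


def live_fetch(method: str, url: str, timeout: float = 10.0) -> Resp:
    """One request over http.client; a redirect is returned, not followed."""
    parts = urlsplit(url)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                           timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80,
                                          timeout=timeout)
    try:
        # netloc keeps the [] of an IPv6 literal; the server must echo it back
        conn.request(method, path, headers={"Host": parts.netloc})
        r = conn.getresponse()
        r.read()
        return Resp(r.status, {k.lower(): v for k, v in r.getheaders()})
    finally:
        conn.close()


def check_enforcement(host: str, secured_path: str,
                      fetch: Fetcher = live_fetch) -> Dict[str, bool]:
    """One boolean per property; `host` is written exactly as in a Host header."""
    plain = fetch("GET", f"http://{host}{secured_path}")
    secure = fetch("GET", f"https://{host}{secured_path}")
    post = fetch("POST", f"http://{host}{secured_path}")
    robots = fetch("GET", f"http://{host}/robots.txt")
    return {
        "http_get_redirected_to_https": (
            plain.status in REDIRECT_CODES
            and plain.headers.get("location") == f"https://{host}{secured_path}"),
        "https_requires_basic_auth": (
            secure.status == 401
            and secure.headers.get("www-authenticate", "").lower().startswith("basic")),
        "http_post_not_served_in_clear": not 200 <= post.status < 300,
        "robots_exempt_from_redirect": (
            robots.status == 200 and "location" not in robots.headers),
    }


# --- constructed models of the page's configuration (offline use only) ---

def model_fetch(method: str, url: str) -> Resp:
    """Mimics .htaccess + https_redirector.php: target built from HTTP_HOST.
    The method is irrelevant: SSLRequireSSL answers POST with 403 as well."""
    p = urlsplit(url)
    full = p.path + ("?" + p.query if p.query else "")
    if p.path == "/robots.txt":                     # excluded by the FilesMatch
        return Resp(200, {"content-type": "text/plain"})
    if p.scheme == "http":                           # SSLRequireSSL -> 403 -> redirector
        return Resp(302, {"location": f"https://{p.netloc}{full}"})
    return Resp(401, {"www-authenticate": 'Basic realm="Secured area"'})


def model_fetch_servername_bug(method: str, url: str) -> Resp:
    """Same, but the redirect uses a SERVER_NAME-style host: IPv6 brackets are lost."""
    p = urlsplit(url)
    full = p.path + ("?" + p.query if p.query else "")
    if p.path == "/robots.txt":
        return Resp(200, {})
    if p.scheme == "http":
        return Resp(302, {"location": f"https://{p.hostname}{full}"})
    return Resp(401, {"www-authenticate": 'Basic realm="Secured area"'})


if __name__ == "__main__":
    # usage: python check_https.py www.example.com /private/   (live check)
    # without arguments the constructed model is checked instead
    live = len(sys.argv) == 3
    host, path = (sys.argv[1], sys.argv[2]) if live else ("www.example.com", "/private/")
    for name, ok in check_enforcement(host, path, live_fetch if live else model_fetch).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Run it without arguments to see the model pass; run it against your own host and a secured path to verify a deployment. A failing "http_get_redirected_to_https" with an IPv6 literal or a non-standard port is the symptom of building the Location header from SERVER_NAME instead of HTTP_HOST.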

Apache configuration for redirections

It is important to store redirections between domains (e.g. host canonicalisation) inside the Apache configuration, not inside the .htaccess. Otherwise such redirections can interfere with https_redirector.php: the ErrorDocument is served through an internal redirect, and a rewrite rule that catches it breaks the HTTPS redirection. It is very important that https_redirector.php is NOT affected by any rewriting; the RewriteCond on the request URI in each rule below makes sure of that.

(Example for domain www.example.com)

# This block is meant for both the :80 and the :443 VirtualHost of the
# site; the %{HTTPS} conditions select which half applies, so it can be
# copied into both unchanged. ServerName/ServerAlias of both hosts must
# cover example.com and *.example.com, otherwise the requests never
# reach these rules.
<VirtualHost (your ip):80>
RewriteEngine On
RewriteOptions inherit

# --- HTTP Redirects ---

# example.com -> www.example.com
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteCond %{HTTPS} !=on
# never rewrite the internal redirect to the error document
RewriteCond %{REQUEST_URI} !/https_redirector\.php$
RewriteRule ^(.*)$ http://www.example.com$1 [R=301,L]

# The rest -> www.example.com
RewriteCond %{HTTP_HOST} ^(.*)\.example\.com$ [NC]
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !/https_redirector\.php$
RewriteRule ^(.*)$ http://www.example.com$1 [R=301,L]

# --- HTTPS Redirects ---

# example.com -> www.example.com
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !/https_redirector\.php$
RewriteRule ^(.*)$ https://www.example.com$1 [R=301,L]

# The rest -> www.example.com
RewriteCond %{HTTP_HOST} ^(.*)\.example\.com$ [NC]
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !/https_redirector\.php$
RewriteRule ^(.*)$ https://www.example.com$1 [R=301,L]

...
</VirtualHost>

Daniel Marschall
ViaThinkSoft Co-Founder