
I have SSL enabled on the whole website, but I need to force all pages except login.php and register.php to http://

So basically I only need login.php and register.php pages to be https:// protocol-ed.

Right now I have a script that makes the login.php page https:// encrypted, but I don't understand how to add register.php to this code

Options +FollowSymLinks 
RewriteEngine On

RewriteBase /

# Turn SSL on for payments
RewriteCond %{HTTPS} off
RewriteCond %{SCRIPT_FILENAME} \/login\.php [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

# Turn SSL off everything but payments
RewriteCond %{HTTPS} on
RewriteCond %{SCRIPT_FILENAME} !\/login\.php [NC]
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]

Any ideas on how to edit/make this code set the login.php and register.php pages to https:// and all others to http://?

Thank you

Ilja
  • Why would you _want_ to forbid SSL for anything? (Also, `login.php` seems to be a somewhat unorthodox URL for doing "payments"). – hmakholm left over Monica Aug 26 '11 at 14:38
  • 1) Your approach is wrong (the whole idea); 2) Even if you implement what you are asking here (or someone else does this for you), you most likely will have issues (browser warning) with serving images/css/js on secure pages -- because your whole approach has flaws; 3) you are asking pretty much the same question for the 3rd time: http://stackoverflow.com/questions/7189484/htaccess-problem-turn-off-ssl-for-every-page-except-login-php-and-register-p ; http://stackoverflow.com/questions/7202472/how-to-use-htaccess-to-disable-ssl-off-for-all-pages-except-two-login-php-reg – LazyOne Aug 26 '11 at 14:46
  • @LazyOne yeah, I guess I took it too far with 3 questions. What's wrong with my approach? I mean it works now how I want it on the login.php page; the only thing I need is to add the register.php page so both are https:// and the rest of the website stays http:// (for load time, and external link reasons) – Ilja Aug 26 '11 at 14:56
  • 1) So what about the account pages -- they will not be protected .. but they usually contain private info (address, date of birth etc -- I do not know what your website does, so cannot speculate on this). Why such important pages (if they are present) should not be protected by HTTPS? – LazyOne Aug 26 '11 at 15:11
  • 2) Assuming you are on the `/login.php` page -- with your current logic all images/css/js should be served via HTTP, which is not secure. If you want to protect the page, then ALL content on this page should be protected as well, otherwise it is vulnerable to man-in-the-middle type attacks (where somebody intercepts your css/js and injects bad code while the user downloads these pages -- the user will notice nothing). Plus, some browsers (Internet Explorer, for example) will show a warning and some others will prevent non-secure content from being displayed on a secure page. – LazyOne Aug 26 '11 at 15:13
  • Well, there is no information sent from the profile page, but I am planning to add an edit-profile page and as it will send personal info I will need to secure it, but if I get this question answered I think I'll understand how to set the edit-profile page to https:// (Other pages contain http:// links and I don't need to secure them) – Ilja Aug 26 '11 at 15:14
  • I don't use URL links for images, so for example instead of using http://mywebsite.com/images/test.jpg I am using ../images/test.jpg in css – Ilja Aug 26 '11 at 15:16
  • I do not know what kind of website you are working on and what kind of data you are collecting/storing .. but if you want to do secure pages then DO IT PROPERLY. You have mentioned _payments_ in your question -- mentioning this is already enough to consider your current approach unacceptable (if you were to test your site for PCI compliance or similar "SecureSite" logo programs (like McAfee SecureSite, for instance) you would fail). **That's all what I wanted to say.** – LazyOne Aug 26 '11 at 15:18
  • _"I am using ../images/test.jpg in css"_ -- that does not matter as you are trying to force HTTP via htaccess, and according to your current logic (and your current rewrite rules) all requests to css/js/images WILL BE redirected to HTTP (because HTTPS will only be applied to those two URLs ONLY). – LazyOne Aug 26 '11 at 15:20
  • payments is my mistake, originally the code was taken from this post http://stackoverflow.com/questions/2079015/htaccess-301-redirect-for-all-https-to-http-except-one-page and I forgot to remove/change the comments, there is nothing to do with payments on my website, the only reason I need to use an SSL certificate is to secure user data on the register, login and profile-edit pages, that's it, I ONLY NEED THOSE 3 PAGES ENCRYPTED. – Ilja Aug 26 '11 at 15:22
  • Oh, and I think I've got ya, what about if I don't use any images and js code? I mean I don't really need them on those pages. – Ilja Aug 26 '11 at 15:24
  • I also visited both login.php and register.php pages via https:// and they work perfectly fine now, no errors appear in firefox, safari, IE and chrome – Ilja Aug 26 '11 at 15:26
  • _"Oh, and I think I've got ya, what about if I don't use any images and js code? I mean I don't really need them on those pages."_ You can use them safely as long as they are embedded into the page itself (no links to separate files). I can give you the rule that will do the job -- it ain't rocket science, but you have been warned of possible issues. – LazyOne Aug 26 '11 at 15:30
  • The rule would be great, I know what you mean, I'll try to do all styling and js on those pages, and also could you please explain the rule, because I'm going to use it in future (e.g. the edit-profile.php page). – Ilja Aug 26 '11 at 15:34

1 Answer


If you are familiar with mod_rewrite and regex a little bit, you should have no problems reading these rules -- comments are present explaining what each particular rule does. The rest is regex basics:

Options +FollowSymLinks -MultiViews
RewriteEngine On
RewriteBase /

# force https for /login.php and /register.php
RewriteCond %{HTTPS} =off
RewriteRule ^(login|register)\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# don't do anything for images/css/js (leave protocol as is)
RewriteRule \.(gif|jpe?g|png|css|js)$ - [NC,L]

# force http for all other URLs
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !^/(login|register)\.php$
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

  1. These rules need to be placed in .htaccess in the website root folder BEFORE any other rewrite rules (if any are present). If placed elsewhere some small tweaking may be required.

  2. They will

    • force HTTPS for /login.php and /register.php,
    • do nothing for images, css styles and JavaScript files (to be precise, for files with those extensions)
    • and force HTTP for all other URLs

  3. You can easily add other URLs to that list -- just edit the existing rules by adding the additional file name to the list (the same text in 2 places: 1) to force, 2) to exclude).

  4. File names are case-sensitive. So these rules will not work if /LOGIN.php is requested (Apache will not serve it either, as Linux is a case-sensitive OS .. so no need to worry much here).

  5. Obvious thing: mod_rewrite should be enabled and .htaccess files need to be processed by Apache (some website hosting companies disable them for performance and security reasons).

LazyOne
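Added illustration, not part of the question or the answer: a small Python model of both rule sets (the question's and the answer's), assuming the host name example.com. It shows the point made in the comment thread: with the original rules a login page served over HTTPS has every relative css/js/image request redirected back to plain HTTP (the mixed-content exposure), while the answer's rules leave those assets on the page's own scheme and also cover register.php.

```python
import re
from typing import Callable, List, Optional

# Constructed model of the two .htaccess rule sets discussed on this page; it is
# not a real mod_rewrite engine. Each function takes the request scheme and path
# and returns the Location a 301 would point at, or None for "serve as-is".
HOST = "example.com"  # assumed host name, stands in for %{HTTP_HOST}

def original_rules(scheme: str, path: str) -> Optional[str]:
    """The question's rules: only login.php is ever served over HTTPS; every
    other HTTPS request, static assets included, is bounced to HTTP."""
    is_login = re.search(r"/login\.php", path, re.IGNORECASE) is not None  # [NC]
    if scheme == "http" and is_login:
        return f"https://{HOST}{path}"
    if scheme == "https" and not is_login:
        return f"http://{HOST}{path}"
    return None

def answer_rules(scheme: str, path: str) -> Optional[str]:
    """The answer's rules: login/register forced to HTTPS, static assets left on
    whatever scheme the page was loaded with, everything else forced to HTTP."""
    secured = re.fullmatch(r"/(login|register)\.php", path) is not None
    if scheme == "http" and secured:
        return f"https://{HOST}{path}"
    if re.search(r"\.(gif|jpe?g|png|css|js)$", path, re.IGNORECASE):
        return None  # RewriteRule ... - [NC,L]: stop processing, no redirect
    if scheme == "https" and not secured:
        return f"http://{HOST}{path}"
    return None

def mixed_content_downgrades(rules: Callable[[str, str], Optional[str]],
                             page_assets: List[str]) -> List[str]:
    """Assets that a page served over HTTPS references with relative URLs are
    requested over HTTPS too; list the ones the rule set would redirect to
    plain HTTP, since each of those is a mixed-content / MITM exposure."""
    return [a for a in page_assets
            if (rules("https", a) or "").startswith("http://")]

# Constructed sample: assets a login page would pull in via relative URLs.
LOGIN_PAGE_ASSETS = ["/css/style.css", "/js/form.js", "/images/logo.png"]

if __name__ == "__main__":
    for name, rules in (("original", original_rules), ("answer", answer_rules)):
        print(name, "downgrades:", mixed_content_downgrades(rules, LOGIN_PAGE_ASSETS))
```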