HTTPS secure subsections of website (using Apache mod_rewrite)

If your site has a few sections that need to be secure when data is transmitted between the server and the local computer, such as an /order/ section for ordering or a /customer/ section that contains customer data, it is recommended to secure those sections of your website with SSL so they are served over https, while your main site stays on http.

This article walks you through how to HTTPS-secure subsections of your website on an Apache web server using the mod_rewrite module.

The alternative is to either (1) make your entire website always SSL secured, which, unless the entire site does need to be secured, is not recommended due to the higher server load (http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#load), or (2) manually change your links between http and https, which is also not recommended since users could manually type the link in or you may miss a link and accidentally . This is why automatically securing just the sections that are required to be secure is the best way to secure your site.

However, the issue is how to ensure that every time someone visits those secure pages they are using SSL, while on the main site they are not. If you forget to change even a single link to those pages and leave it as http:// instead of https://, users would reach the page unsecured. Additionally, a user could always simply enter the URL into their web browser’s address bar without the https://. The solution, of course, is for the web server to detect when the user is viewing the secured page with http:// and redirect them to https://.

Server Requirements:

1. Apache web server
2. If mod_rewrite is not enabled on your server you will need to uncomment the mod_rewrite LoadModule call (LoadModule rewrite_module modules/mod_rewrite.so) in the httpd.conf file
3. Make sure AllowOverride is set to “All” instead of “None” in the Directory section of the httpd.conf file

If your site is powered by the Apache web server, you can perform this switch-over using mod_rewrite and the .htaccess file:

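<IfModule mod_rewrite.c>
    RewriteEngine On
    # Only act on requests that arrived over plain HTTP
    RewriteCond %{HTTPS} off
    # Send the same host and path over HTTPS (R=301: permanent redirect, L: stop processing rules)
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>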

All you need to do is create a file called “.htaccess” with the above contents and put it in the directory of your web server that you need to switch to SSL, such as the /customer or /order folder (remember that your server must first be configured to use SSL).

This is a great feature for webstores, etc. Simply create a directory called “secure”, place all of your web store files in that directory along with the above .htaccess file and you have just ensured your web store is always using encrypted HTTPS communication. The alternative, trying to manage every link into the web store pages, is a nightmare (I’ve done it before and you will always end up missing links).

Placing this file in the root of your website will cause the entire website to always be SSL secured, which, as mentioned above, is not recommended unless the entire site does need to be secured.

Take note that since Windows will not allow a file without a name to be stored on your hard drive, you will need to name the file “htaccess.txt” locally and then rename it after uploading it to the web server using the FTP program used during upload.
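An added example, not part of the original article: a small Python audit that checks each directory meant to be HTTPS-only for a working .htaccess, including the case where htaccess.txt was uploaded but never renamed. The directory name "account", the status strings and the function names are assumptions made for the illustration, and it inspects only the named directory itself, since that is where the article places the file.

```python
import re
import tempfile
from pathlib import Path

# The three directives from the article's .htaccess, matched loosely
# (case-insensitive, any spacing); commented-out lines do not match.
REQUIRED = {
    "engine": re.compile(r"^[ \t]*RewriteEngine[ \t]+On\b", re.I | re.M),
    "cond": re.compile(r"^[ \t]*RewriteCond[ \t]+%\{HTTPS\}[ \t]+(off|!=?on)\b", re.I | re.M),
    "rule": re.compile(r"^[ \t]*RewriteRule[ \t]+\S+[ \t]+https://", re.I | re.M),
}

def audit_section(directory: Path) -> str:
    """Return 'ok', 'not-renamed', 'missing' or 'incomplete:<names>'."""
    htaccess = directory / ".htaccess"
    if not htaccess.is_file():
        # The Windows workflow uploads htaccess.txt and renames it afterwards;
        # a forgotten rename leaves the section served over plain HTTP.
        if (directory / "htaccess.txt").is_file():
            return "not-renamed"
        return "missing"
    text = htaccess.read_text(encoding="utf-8", errors="replace")
    absent = [name for name, rx in REQUIRED.items() if not rx.search(text)]
    return "ok" if not absent else "incomplete:" + ",".join(absent)

def audit_site(docroot: Path, sections: list[str]) -> dict[str, str]:
    return {s: audit_section(docroot / s) for s in sections}

def build_sample_site(root: Path) -> None:
    """Constructed sample tree: one correct section and three broken ones."""
    rules = ("<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteCond %{HTTPS} off\n"
             "RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}\n</IfModule>\n")
    for name in ("order", "customer", "secure", "account"):
        (root / name).mkdir()
    (root / "order" / ".htaccess").write_text(rules)
    (root / "customer" / "htaccess.txt").write_text(rules)  # rename forgotten
    (root / "secure" / ".htaccess").write_text(rules.replace("RewriteCond", "# RewriteCond"))
    # "account" (hypothetical section) gets no file at all

def demo() -> dict[str, str]:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(Path(tmp))
        return audit_site(Path(tmp), ["order", "customer", "secure", "account"])

if __name__ == "__main__":
    for section, status in demo().items():
        print(f"/{section}/: {status}")
```

Run against a local copy of the document root, any status other than "ok" marks a section that still needs its .htaccess fixed before it can be relied on to redirect.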

Documentation on the Apache .htaccess file can be found in Apache's documentation: http://httpd.apache.org/docs/2.2/howto/htaccess.html

I have previously posted this article on my blog: http://www.matthewstevenkelly.com/blog/tag/server