Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


HTTPS secure subsections of website (using Apache mod_rewrite)

Published on
8,499 Points
Last Modified:
If your site has a few sections that need to be secure when data is transmitted between the server and local computer, such as a /order/ section for ordering or /customer/ which contains customer data, etc it would of course be recommended to secure those sections of your website with SSL so they are https, while your main site is http.

This article will walk you through how to HTTPS secure subsections of you website on an Apache webserver using the mod_rewrite Module.

The alternative is to either (1) make your entire website to always be SSL secured, which unless the entire site does need to be secured, is not recommended due to the higher server load (http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#load) or (2) manually change your links between http or https, which is also not recommended since users could manually type the link in or you may miss a link an accidentally . This is why automatically securing just the sections that are required to be secure is the best way to secure your site.

However, the issue arises as to how to ensure every time someone visits those secure pages they are using SSL while visiting the main site they do not. If you forget to change even a single link to those pages and left the links as http:// instead of https:// users would get to the page unsecured. Additionally a user could always simply manually enter the URL into their web browser’s address bar without the https:// as well. The solution, of course, is for the web server to detect if the user is viewing the secured page with http:// and redirect them to https:// if they are.

Server Requirements:

1. Apache web server
2. If mod_rewrite is not enabled on your server you will need to uncomment the mod_rewrite LoadModule call (LoadModule rewrite_module modules/mod_rewrite.so) in the httpd.conf file
3. Make sure AllowOverride is set to “All” instead of “None” in the Directory section of the httpd.conf file

If your site is powered using Apache web server you can perform this switch over using mod_rewrite and the .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Open in new window

All you need to do is create a file called “.htaccess” with the above contents and put it in the directory of your web server you need to switch to SSL, such as the /customer or /order folder (remember that your server must first be configured to use SSL).

This is a great feature for webstores, etc. Simply create a directory called “secure”, place all of your web store files in that directory along with the above .htaccess file and you have just ensured your web store is always using encrypted HTTPS communication. The alternative, trying to manage every link into the web store pages, is a nightmare (I’ve done it before and you will always end up missing links).

Placing this file in the root of your website will cause the entire website to always be SSL secured; which is as mentioned above, is not recommended unless the entire site does need to be secured.

Take note that since Windows will not allow a file without a name to be stored on your hard drive, you will need to name the file “htaccess.txt” locally and then rename it after uploading it to the web server using the FTP program used during upload.

Documentation on the Apache .htaccess file can be found in Apache's documentation: http://httpd.apache.org/docs/2.2/howto/htaccess.html

Have previously posted this Article on my blog : http://www.matthewstevenkelly.com/blog/tag/server
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Join & Write a Comment

Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Suggested Courses

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month