HTTPS secure subsections of website (using Apache mod_rewrite)

Published on
8,732 Points
Last Modified:
If your site has a few sections that need to be secure when data is transmitted between the server and local computer, such as a /order/ section for ordering or /customer/ which contains customer data, etc it would of course be recommended to secure those sections of your website with SSL so they are https, while your main site is http.

This article will walk you through how to HTTPS secure subsections of you website on an Apache webserver using the mod_rewrite Module.

The alternative is to either (1) make your entire website to always be SSL secured, which unless the entire site does need to be secured, is not recommended due to the higher server load (http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#load) or (2) manually change your links between http or https, which is also not recommended since users could manually type the link in or you may miss a link an accidentally . This is why automatically securing just the sections that are required to be secure is the best way to secure your site.

However, the issue arises as to how to ensure every time someone visits those secure pages they are using SSL while visiting the main site they do not. If you forget to change even a single link to those pages and left the links as http:// instead of https:// users would get to the page unsecured. Additionally a user could always simply manually enter the URL into their web browser’s address bar without the https:// as well. The solution, of course, is for the web server to detect if the user is viewing the secured page with http:// and redirect them to https:// if they are.

Server Requirements:

1. Apache web server
2. If mod_rewrite is not enabled on your server you will need to uncomment the mod_rewrite LoadModule call (LoadModule rewrite_module modules/mod_rewrite.so) in the httpd.conf file
3. Make sure AllowOverride is set to “All” instead of “None” in the Directory section of the httpd.conf file

If your site is powered using Apache web server you can perform this switch over using mod_rewrite and the .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Open in new window

All you need to do is create a file called “.htaccess” with the above contents and put it in the directory of your web server you need to switch to SSL, such as the /customer or /order folder (remember that your server must first be configured to use SSL).

This is a great feature for webstores, etc. Simply create a directory called “secure”, place all of your web store files in that directory along with the above .htaccess file and you have just ensured your web store is always using encrypted HTTPS communication. The alternative, trying to manage every link into the web store pages, is a nightmare (I’ve done it before and you will always end up missing links).

Placing this file in the root of your website will cause the entire website to always be SSL secured; which is as mentioned above, is not recommended unless the entire site does need to be secured.

Take note that since Windows will not allow a file without a name to be stored on your hard drive, you will need to name the file “htaccess.txt” locally and then rename it after uploading it to the web server using the FTP program used during upload.

Documentation on the Apache .htaccess file can be found in Apache's documentation: http://httpd.apache.org/docs/2.2/howto/htaccess.html

Have previously posted this Article on my blog : http://www.matthewstevenkelly.com/blog/tag/server

Featured Post

Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

Join & Write a Comment

In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
Watch this simple and effective video tutorial to extract attachments from Outlook 2007 and try this easy method by yourself. No need to go anywhere, just watch the video and export attachments from Outlook in few simple steps. To know more, click h…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month