
HTTPS secure subsections of website (using Apache mod_rewrite)

If your site has a few sections that need to be secure when data is transmitted between the server and the local computer, such as an /order/ section for ordering or a /customer/ section that contains customer data, it is recommended to secure those sections of your website with SSL so that they are served over https, while your main site remains http.

This article will walk you through how to HTTPS secure subsections of your website on an Apache web server using the mod_rewrite module.

The alternative is either (1) to make your entire website always SSL secured, which, unless the entire site does need to be secured, is not recommended due to the higher server load (http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#load), or (2) to manually change your links between http and https, which is also not recommended since users could manually type the link in or you may miss a link and accidentally . This is why automatically securing just the sections that are required to be secure is the best way to secure your site.

However, the issue arises as to how to ensure that every time someone visits those secure pages they are using SSL, while on the main site they are not. If you forget to change even a single link to those pages and leave it as http:// instead of https://, users will reach the page unsecured. Additionally, a user could always simply enter the URL into their web browser’s address bar without the https://. The solution, of course, is for the web server to detect when the user is viewing the secured page with http:// and redirect them to https://.

Server Requirements:

1. Apache web server
2. If mod_rewrite is not enabled on your server you will need to uncomment the mod_rewrite LoadModule call (LoadModule rewrite_module modules/mod_rewrite.so) in the httpd.conf file
3. Make sure AllowOverride is set to “All” instead of “None” in the Directory section of the httpd.conf file

If your site is powered using Apache web server you can perform this switch over using mod_rewrite and the .htaccess file:

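<IfModule mod_rewrite.c>
# Enable the rewrite engine for this directory
RewriteEngine On
# Only act on requests that arrived over plain HTTP
RewriteCond %{HTTPS} off
# Redirect to the same host and path over HTTPS; L stops further rule processing
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</IfModule>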



All you need to do is create a file called “.htaccess” with the above contents and put it in the directory on your web server that you need to switch to SSL, such as the /customer or /order folder (remember that your server must first be configured to use SSL).

This is a great feature for webstores, etc. Simply create a directory called “secure”, place all of your web store files in that directory along with the above .htaccess file and you have just ensured your web store is always using encrypted HTTPS communication. The alternative, trying to manage every link into the web store pages, is a nightmare (I’ve done it before and you will always end up missing links).

Placing this file in the root of your website will cause the entire website to always be SSL secured, which, as mentioned above, is not recommended unless the entire site does need to be secured.

Take note that since Windows will not allow a file without a name to be stored on your hard drive, you will need to name the file “htaccess.txt” locally and then rename it after uploading it to the web server using the FTP program used during upload.
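
Once the file is uploaded, it is worth confirming that each secured directory really does answer plain-HTTP requests with a redirect to HTTPS on the same host and path. The Python check below is an added example, not part of the original article; the host name www.example.com, the function names and the sample responses are assumptions constructed for illustration.

```python
# Added example: verify that a directory protected by the .htaccess rule
# redirects plain HTTP to HTTPS. Host name and sample data are constructed.
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def evaluate(status, location, host, path):
    """Judge one response to http://host/path; return (ok, reason)."""
    if status not in REDIRECT_CODES:
        return False, f"content served over plain HTTP (status {status})"
    target = urlsplit(location or "")
    if target.scheme != "https":
        return False, f"redirect does not go to HTTPS: {location!r}"
    # The rule rebuilds the URL from HTTP_HOST and REQUEST_URI, so the
    # redirect target should keep the requested host and path.
    if target.hostname != host.lower():
        return False, f"redirect changes host to {target.hostname!r}"
    if target.path != path:
        return False, f"redirect changes path to {target.path!r}"
    return True, "redirects to HTTPS"

def probe(host, path, timeout=5):
    """Send one HEAD request over plain HTTP without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return evaluate(resp.status, resp.getheader("Location"), host, path)
    finally:
        conn.close()

# Constructed sample responses: (path, status, Location header).
SAMPLES = [
    ("/order/", 302, "https://www.example.com/order/"),   # rule active
    ("/customer/", 200, None),                            # .htaccess missing
    ("/secure/", 302, "http://www.example.com/secure/"),  # wrong scheme
]

def audit(samples, host="www.example.com"):
    """Return the paths whose response fails the check, with the reason."""
    results = ((p, evaluate(s, loc, host, p)) for p, s, loc in samples)
    return {p: reason for p, (ok, reason) in results if not ok}

if __name__ == "__main__":
    for path, reason in audit(SAMPLES).items():
        print(f"FAIL {path}: {reason}")
```

Against a live server, call probe() with your own host name and each secured path instead of using the sample list.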

Documentation on the Apache .htaccess file can be found in Apache's documentation: http://httpd.apache.org/docs/2.2/howto/htaccess.html

I have previously posted this article on my blog: http://www.matthewstevenkelly.com/blog/tag/server