Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 249
  • Last Modified:

REWRITE RULE - Forcing https to http for Non-SSL site using HTACCESS

Hi all -
I have sites where I force HTTP -> HTTPS using this code in HTACCESS:
   RewriteEngine On
   RewriteCond %{SERVER_PORT} 80
   RewriteRule ^(.*)$ https://example.com/$1 [R,L]      
NOW I have a site that used to use an SSL Certif, and no longer needs one, and my users often access the site still using httpS://example.com
Is there a change to the above 3 lines to force HTTPS -> HTTP instead of HTTPS -> HTTPS ?    
(Or a better way to force HTTPS to HTTP?)  The users still entering https in a browser are receiving that "Invalid Certificate - Run!" error.
0
bleggee
Asked:
bleggee
  • 3
  • 2
  • 2
  • +1
3 Solutions
 
Dave BaldwinFixer of ProblemsCommented:
No, unfortunately you can't do it the other way around when there isn't a certificate.  The HTTPS connection is made or attempted before anything else happens.  The "Invalid Certificate - Run!" error comes from the browser, not the server.

The only way to eliminate that error message is to get the certificate again.
0
 
arnoldCommented:
The point Dave makes is that a valid certificate must exists or the user will get an allert warning about the expired certificate before the refirect can be processed.

The functionality is such that credential exchange has to be completed before the client can Make a request and the server respond.

Renewing the certificate, and using a refirect mechanism that includes a delay long enough to display a page stating https access is going away.

Though your move is counter to the current trend where most sites are going towards encrypted sites.

If you are determined, either leave the expired cert which will alert each user attempting secure access. This is a more reliable notifier where the client will have to add an exception before they could continue on.
Using redirect test on whether the connection is secure, before sending it back to an unsecure URL.
Testing for port 443 or reversing your rewrite....
0
 
RobOwner (Aidellio)Commented:
My first thought is to use https://letsencrypt.org/ to get a certificate if cost is an issue?

That said, where have you placed your .htaccess redirecting to https?  Depending on the level you put it will determine how much flexibility you have with redirection.  Also is dependant on your config of apache e.g.  for your "default document root".

e.g.

/var/www - nothing gets past this
/var/www/html - the subfolders .htaccess have some flexibility
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
bleggeeAuthor Commented:
Good point Rob - I have used LetsEncrypt.org for certificates, thought the last I knew, they had to be renewed every 3 months. I heard there may be a better solution now from LetsEncrypt (1 year renewal or automated renewals), do you know anything about that?
0
 
RobOwner (Aidellio)Commented:
https://certbot.eff.org is the scripting should your server environment be suited.
e.g.for apache on ubuntu, you can see it can be automated (and I do it for one of my local servers): https://certbot.eff.org/#ubuntuxenial-apache
0
 
RobOwner (Aidellio)Commented:
hasn't heard about the one year renewals yet though
0
 
arnoldCommented:
If you are event remotely inclined, to entertain extending an SSL certificate remaining on the site might as well consider whether transitioning to the unencrypted (http) is the way to go given your contention that many of the established users/visitors to your site have links/shortcuts to the secure site.

Like the band-Aid, the longer you contemplate on the transition, the longer you will remain in this ambiguous circumstance.

if your site is dynamic, php, etc. your pages could incorporate a check on whether the access is secure, and in those cases, display a banner, to indicate that secure accesses us going away by date certain..........
0
 
Dave BaldwinFixer of ProblemsCommented:
https://www.startssl.com/ has free certificates.  I use them for my own site.
0
 
bleggeeAuthor Commented:
Great Info ! Thank you all.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 3
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now