Solved

REWRITE RULE - Forcing https to http for Non-SSL site using HTACCESS

Posted on 2016-10-26
Last Modified: 2016-11-02
Hi all -
I have sites where I force HTTP -> HTTPS using this code in HTACCESS:

   RewriteEngine On
   RewriteCond %{SERVER_PORT} 80
   RewriteRule ^(.*)$ https://example.com/$1 [R,L]

NOW I have a site that used to use an SSL Certif, and no longer needs one, and my users often access the site still using httpS://example.com
Is there a change to the above 3 lines to force HTTPS -> HTTP instead of HTTPS -> HTTPS?
(Or a better way to force HTTPS to HTTP?) The users still entering https in a browser are receiving that "Invalid Certificate - Run!" error.
0
Question by:bleggee
LVL 83

Accepted Solution

by:
Dave Baldwin earned 250 total points
ID: 41861367
No, unfortunately you can't do it the other way around when there isn't a certificate.  The HTTPS connection is made or attempted before anything else happens.  The "Invalid Certificate - Run!" error comes from the browser, not the server.

The only way to eliminate that error message is to get the certificate again.
0
 
LVL 79

Assisted Solution

by:arnold
arnold earned 125 total points
ID: 41861537
The point Dave makes is that a valid certificate must exist or the user will get an alert warning about the expired certificate before the redirect can be processed.

The functionality is such that credential exchange has to be completed before the client can make a request and the server respond.

Renewing the certificate, and using a redirect mechanism that includes a delay long enough to display a page stating https access is going away.

Though your move is counter to the current trend where most sites are going towards encrypted sites.

If you are determined, either leave the expired cert which will alert each user attempting secure access. This is a more reliable notifier where the client will have to add an exception before they could continue on.
Using redirect test on whether the connection is secure, before sending it back to an unsecure URL.
Testing for port 443 or reversing your rewrite....
0
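The reversed rewrite that the answers above refer to, as an added example that is not part of the original thread. It assumes the placeholder host example.com from the question and an HTTPS virtual host that still presents a certificate the browser accepts, since the rule is only evaluated after the TLS handshake has completed:

```apache
# Added example, not code from the thread. example.com is the placeholder
# host used in the question.
#
# Order of events for a request to https://example.com/page:
#   1. The browser opens the TLS connection and validates the certificate.
#   2. Only if that succeeds does it send the HTTP request.
#   3. Apache then evaluates the rules below and answers with a redirect.
# With an expired or missing certificate the browser stops at step 1 and
# shows its warning, so these rules never run.

RewriteEngine On

# Direction used in the question (HTTP -> HTTPS), kept for comparison:
# RewriteCond %{SERVER_PORT} 80
# RewriteRule ^(.*)$ https://example.com/$1 [R,L]

# Reversed direction (HTTPS -> HTTP).
# %{HTTPS} is "on" for requests that arrived over TLS, whatever the port.
RewriteCond %{HTTPS} on
# R=302 keeps the redirect temporary, so browsers do not cache it
# permanently if the site later returns to HTTPS.
RewriteRule ^(.*)$ http://example.com/$1 [R=302,L]

# Equivalent test by port, assuming HTTPS is served on the default 443:
# RewriteCond %{SERVER_PORT} 443
# RewriteRule ^(.*)$ http://example.com/$1 [R=302,L]
```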
 
LVL 43

Expert Comment

by:Rob
ID: 41865490
My first thought is to use https://letsencrypt.org/ to get a certificate if cost is an issue?

That said, where have you placed your .htaccess redirecting to https?  Depending on the level you put it will determine how much flexibility you have with redirection.  It is also dependent on your config of Apache, e.g. for your "default document root".

e.g.

/var/www - nothing gets past this
/var/www/html - the subfolders .htaccess have some flexibility
0
 
LVL 1

Author Comment

by:bleggee
ID: 41865497
Good point Rob - I have used LetsEncrypt.org for certificates, though the last I knew, they had to be renewed every 3 months. I heard there may be a better solution now from LetsEncrypt (1 year renewal or automated renewals), do you know anything about that?
0
 
LVL 43

Assisted Solution

by:Rob
Rob earned 125 total points
ID: 41865501
https://certbot.eff.org is the scripting should your server environment be suited.
e.g. for Apache on Ubuntu, you can see it can be automated (and I do it for one of my local servers): https://certbot.eff.org/#ubuntuxenial-apache
0
 
LVL 43

Expert Comment

by:Rob
ID: 41865502
Haven't heard about the one year renewals yet though
0
 
LVL 79

Expert Comment

by:arnold
ID: 41865509
If you are even remotely inclined to entertain extending an SSL certificate remaining on the site, you might as well consider whether transitioning to the unencrypted (http) is the way to go given your contention that many of the established users/visitors to your site have links/shortcuts to the secure site.

Like the Band-Aid, the longer you contemplate the transition, the longer you will remain in this ambiguous circumstance.

If your site is dynamic, PHP, etc., your pages could incorporate a check on whether the access is secure, and in those cases display a banner to indicate that secure access is going away by date certain...
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 41865519
https://www.startssl.com/ has free certificates.  I use them for my own site.
0
 
LVL 1

Author Comment

by:bleggee
ID: 41871003
Great info! Thank you all.
0
