ViaThinkSoft CodeLib
Dieser Artikel befindet sich in der Kategorie:
CodeLib → HowTos → Apache
Summary
Version 1.4 (February, 27th 2012)
This very elegant and probably unique solution provides
- automatic redirects for secured areas (htaccess)
- automatic redirecting GET requests (not POST requests)
.htaccess
(docroot)/https_redirector.php
Attention: Needs to be installed in every document root of each virtual host!
Attention: The redirect only works for GET requests. POST request data will not be forwarded. This is also not required since they probably already contain sensitive data like login data and therefore you MUST use the HTTPS url in a form directly to be secure.
Vorsicht: Die Weiterleitung funktioniert nur mit GET Anfragen. POST Anfragedaten werden nicht durchgeleitet. Dies ist auch nicht erwünschenswert, da eine POST-Anfrage meist vertrauliche Informationen beinhaltet (z.B. Logindaten). Daher MUSS eine POST Anfrage direkt an die HTTPS Adresse erfolgen!
Disadvantage: You cannot define own 403 pages (except if you modify https_redirector.php).
Apache configuration for redirections
It is important to store redirections inside the apache configuration, not inside the HTACCESS. Otherwise, it is possible that redirections between domains interact with https_redirector.php . It is very important that https_redirector.php is NOT affected by any rewritings.
(Example for domain www.example.com)
Version 1.4 (February, 27th 2012)
This very elegant and probably unique solution provides
- automatic redirects for secured areas (htaccess)
- automatic redirecting GET requests (not POST requests)
.htaccess
# VIATHINKSOFT HTTPS-ENFORCER 1.4
# USED FOR HTTP->HTTPS REDIRECTION FOR SECURED AREAS
# https://www.viathinksoft.de/?page=codelib&showid=90
# Everything except robots.txt and https_redirector.php are
# secured. (You must exclude https_redirector.php if you want to
# secure / )
<FilesMatch "^(?!https_redirector\.php$|robots\.txt$).*">
AuthName "Secured area"
AuthUserFile /(directory outside of docroot)/.htpasswd
AuthType Basic
require valid-user
# Enforce SSL
SSLOptions +StrictRequire
SSLRequireSSL
Satisfy All
ErrorDocument 403 /https_redirector.php
</FilesMatch>
# Other things to define by you, e.g.
# Options +Indexes(docroot)/https_redirector.php
Attention: Needs to be installed in every document root of each virtual host!
<?php
// VIATHINKSOFT HTTPS-REDIRECTORY HIDDEN SCRIPT 1.4
// USED FOR HTTP->HTTPS REDIRECTION FOR SECURED AREAS
// https://www.viathinksoft.de/?page=codelib&showid=90
if (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == '1' || strtolower($_SERVER['HTTPS'])=='on')) {
# We are already at HTTPS, so we got a "real" 403 error on that resource we are requesting
header('HTTP/1.1 403 Forbidden');
// This message is taken from /usr/share/apache2/error/HTTP_FORBIDDEN.html.var
// of Apache 2.2.16 on Debian 6.0.1
echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don\'t have permission to access '.$_SERVER['REDIRECT_SCRIPT_URL'].'
on this server.</p>
<hr>
'.$_SERVER['SERVER_SIGNATURE'].'
</body></html>';
die();
}
$requri = getenv('REQUEST_URI');
// Attention: Do NOT use SERVER_NAME here; Missing square brackets in IPv6 and server-configuration dependent!
$servername = getenv('HTTP_HOST');
$servername = strtolower($servername); // Not neccessary
header("Location: https://$servername$requri");
?>
Attention: The redirect only works for GET requests. POST request data will not be forwarded. This is also not required since they probably already contain sensitive data like login data and therefore you MUST use the HTTPS url in a form directly to be secure.
Vorsicht: Die Weiterleitung funktioniert nur mit GET Anfragen. POST Anfragedaten werden nicht durchgeleitet. Dies ist auch nicht erwünschenswert, da eine POST-Anfrage meist vertrauliche Informationen beinhaltet (z.B. Logindaten). Daher MUSS eine POST Anfrage direkt an die HTTPS Adresse erfolgen!
Disadvantage: You cannot define own 403 pages (except if you modify https_redirector.php).
Apache configuration for redirections
It is important to store redirections inside the apache configuration, not inside the HTACCESS. Otherwise, it is possible that redirections between domains interact with https_redirector.php . It is very important that https_redirector.php is NOT affected by any rewritings.
(Example for domain www.example.com)
<VirtualHost (your ip):80>
RewriteEngine On
RewriteOptions inherit
# --- HTTP Redirects ---
# example.com -> www.example.com
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteCond %{HTTPS} !=on
RewriteCond %{SCRIPT_FILENAME} !/https_redirector.php$
RewriteRule ^(.*)$ http://www\.example\.com$1 [R=301,L]
# The rest -> www.example.com
RewriteCond %{HTTP_HOST} ^(.*)\.example\.com$ [NC]
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteCond %{HTTPS} !=on
RewriteCond %{SCRIPT_FILENAME} !/https_redirector.php$
RewriteRule ^(.*)$ http://www\.example\.com$1 [R=301,L]
# --- HTTPS Redirects ---
# example.com -> www.example.com
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteCond %{HTTPS} =on
RewriteCond %{SCRIPT_FILENAME} !/https_redirector.php$
RewriteRule ^(.*)$ https://www\.example\.com$1 [R=301,L]
# The rest -> www.example.com
RewriteCond %{HTTP_HOST} ^(.*)\.example\.com$ [NC]
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteCond %{HTTPS} =on
RewriteCond %{SCRIPT_FILENAME} !/https_redirector.php$
RewriteRule ^(.*)$ https://www\.example\.com$1 [R=301,L]
...
</VirtualHost>Daniel Marschall
ViaThinkSoft Mitbegründer
ViaThinkSoft Mitbegründer