[Httpd Wiki] Update of Info by JohnCrown
Dear Wiki user, You have subscribed to a wiki page or wiki category on Httpd Wiki for change notification. The following page has been changed by JohnCrown: http://wiki.apache.org/httpd/Info The comment on the change is: added htaccess category -- * [Info/Common_HTTPStatusCodes] - A bit of information about common status codes * [Info/RemoveSSLCertPassPhrase] - A quick guide on how to remove the SSL !PassPhrase from your certifcates * [Info/CommonMisconfigurations] - Information on common Apache misconfigurations as seen in #apache. + * [Info/htaccess] - Information about .htaccess files.
[Httpd Wiki] Update of Info by JohnCrown
The following page has been changed by JohnCrown: http://wiki.apache.org/httpd/Info The comment on the change is: added . before htaccess -- * [Info/Common_HTTPStatusCodes] - A bit of information about common status codes * [Info/RemoveSSLCertPassPhrase] - A quick guide on how to remove the SSL !PassPhrase from your certifcates * [Info/CommonMisconfigurations] - Information on common Apache misconfigurations as seen in #apache. - * [Info/htaccess] - Information about .htaccess files. + * [Info/.htaccess] - Information about .htaccess files.
[Httpd Wiki] Update of Info/(2e)htaccess by JohnCrown
The following page has been changed by JohnCrown: http://wiki.apache.org/httpd/Info/%282e%29htaccess -- - {{mergefrom|Info/htaccess}} + Describe Info/.htaccess here.
[Httpd Wiki] Update of Info by JohnCrown
The following page has been changed by JohnCrown: http://wiki.apache.org/httpd/Info -- + == Info == + Useful information and documentation about the Apache HTTP Server. (Or, in other words, stuff that doesn't fit in other categories.) * [Info/DistrosDefaultLayout] - Information on the default configuration of Apache httpd as distributed by various third parties * [Info/Common_HTTPStatusCodes] - A bit of information about common status codes * [Info/RemoveSSLCertPassPhrase] - A quick guide on how to remove the SSL !PassPhrase from your certifcates * [Info/CommonMisconfigurations] - Information on common Apache misconfigurations as seen in #apache. - * [Info/.htaccess] - Information about .htaccess files. + * [Info/htaccess] - Information about .htaccess files. + [[Category:httpd]] +
[Httpd Wiki] Update of Info/(2e)htaccess by pctony
The following page has been changed by pctony: http://wiki.apache.org/httpd/Info/%282e%29htaccess The comment on the change is: unsure of the reasoning for this page, can be created with comments if required -- - Describe Info/.htaccess here. + deleted
[Httpd Wiki] Update of Info by pctony
The following page has been changed by pctony: http://wiki.apache.org/httpd/Info The comment on the change is: removed htaccess link -- || [Info/Common_HTTPStatusCodes] || ||A bit of information about common status codes|| || [Info/RemoveSSLCertPassPhrase] || ||A quick guide on how to remove the SSL !PassPhrase from your certifcates|| || [Info/CommonMisconfigurations] || ||Information on common Apache misconfigurations as seen in #apache|| - || [Info/htaccess] || ||Information about .htaccess files||
[Httpd Wiki] Update of Info/htaccess by pctony
Dear Wiki user, You have subscribed to a wiki page or wiki category on Httpd Wiki for change notification. The following page has been changed by pctony: http://wiki.apache.org/httpd/Info/htaccess The comment on the change is: The HTTPd docs has a good article on this: h.a.o./docs/2.2/howto/htaccess.html -- - = How do I use .htaccess files? = + deleted - Implementation of .htaccess files is universal across the Internet. Many manuals are available online. You can visit your favorite search engine and search for 'htaccess', and you'll probably find a nice tutorial just like [http://httpd.apache.org/docs/2.0/howto/htaccess.html this one]! Once you have grasped the basic concepts, it would definately help you to refer to the many examples available here on the wiki, there is also a great [http://www.askapache.com/2006/htaccess/htaccesselite-ultimate-htaccess-article.html htaccess Code Snippet Article] full of the most commonly requested htaccess code examples. - - - - == How can I create a plain text file for .htaccess? == - - You can do it by sshing in to yourdomain.com and using pico, a user-friendly text editor. All the commands for its use appear at the bottom of the page (^ means ''press the Control key.'') Just change to the directory in which you want to use .htaccess, and type pico .htaccess to get started with a blank .htaccess file. - - == How do I block certain IPs from accessing my site or directory? == - It's pretty easy! All you have to do is file in the directory you'd like to restrict (your main directory to restrict the entire site) and then put the following in it: - - {{{ - Limit GET - order allow,deny - allow from all - deny from 123.142.124.152 - deny from 124.24. - /LIMIT - }}} - - - You can put whole ips or just the beginning part you'd like to match, and you can add more and more ips, each with its own line! When somebody's ip is banned, they will get a 403 error (access forbidden) when trying to visit your site. 
- - - == How do I block people coming from a certain website or URL from visiting my site or directory? == - - It's actually very similar to [[KB / Unix / .htaccess files| blocking people by IP]]! Again, you need to add some lines to an .htaccess text file that you create in the home directory of your web site. - - Here is some example code for giving everybody who comes to you from www.yahoo.com or www.google.com an (access denied): - - {{{ - SetEnvIfNoCase Referer ^http://www.google.com/; BadReferrer - SetEnvIfNoCase Referer ^http://www.yahoo.com/; BadReferrer - order deny,allow - deny from env=BadReferrer - }}} - - Another way to block people where you end up just redirecting them to a different url involves using the [http://httpd.apache.org/docs/mod/mod_rewrite.html mod_rewrite] functionality of our web server. Here's how to block everybody from www.yahoo.com and www.google.com again (put this in your .htaccess file): - - {{{ - RewriteEngine On - RewriteCond %{HTTP_REFERER} ^http://www.yahoo.com/ - RewriteRule /* http://www.yoursite.com/restricted_url.html [R,L] - RewriteCond %{HTTP_REFERER} ^http://www.google.com/ - RewriteRule /* http://www.yoursite.com/restricted_url.html [R,L] - }}} - - - == Force a server to only use SSL and fix double logins == - If you really want to be sure that your server is only serving documents over an encrypted SSL channel ''(you wouldn't want visitors to submit a htaccess password prompt on an unencrypted connection)'' then you need to use the '''SSLRequireSSL''' directive with the +StrictRequire Option turned on. - - {{{ - SSLOptions +StrictRequire - SSLRequireSSL - SSLRequire %{HTTP_HOST} eq site.com #or www.site.com - ErrorDocument 403 https://site.com - }}} - - The cool thing about using mod_ssl instead of mod_rewrite to force SSL is that apache gives mod_ssl priority ABOVE mod_rewrite so it will always require SSL. 
''(may be able to get around first method using http://site.com:443 or https://site.com:80)'' - * An in-depth article about what this is doing can be found in the [http://www.htaccesselite.com/htaccess/redirecting-all-or-part-of-a-server-to-ssl-vt61.html SSL Forum] - - - - == How do I stop others from hotlinking my files? == - Hotlinking is when somebody displays an image (or any type of file actually) on somebody else's web site directly inline on their site! There's nothing particularly '''wrong''' with that, it's a big part of how the WWW was designed to work. However, it does steal the bandwidth of the original site, and could possibly infringe on a copyright. - - Blocking specific domains - The following code will return a '''403 Forbidden''' error instead of the requested image, but only when the image has been requested by ''badsite.net'' or ''badsite.com'': - {{{ - RewriteEngine On - RewriteCond %{HTTP_REFERER}
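Review bot: the replacement body is the single word "deleted", so anyone following an existing link to Info/htaccess reaches a dead end even though the change comment names the official howto (h.a.o./docs/2.2/howto/htaccess.html). Replace "deleted" with a one-line pointer to that howto so the reason given in the comment is visible on the page itself. The removed text linked the 2.0 howto while the comment cites 2.2, so the pointer should settle on one version.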
[Httpd Wiki] Update of Info/htaccess by pctony
Dear Wiki user, You have subscribed to a wiki page or wiki category on Httpd Wiki for change notification. The following page has been changed by pctony: http://wiki.apache.org/httpd/Info/htaccess -- + This page has been deleted, please DO NOT recreate it again. - == Force a server to only use SSL and fix double logins == - If you really want to be sure that your server is only serving documents over an encrypted SSL channel ''(you wouldn't want visitors to submit a htaccess password prompt on an unencrypted connection)'' then you need to use the '''SSLRequireSSL''' directive with the +StrictRequire Option turned on. + Thanks, + pctony - {{{ - SSLOptions +StrictRequire - SSLRequireSSL - SSLRequire %{HTTP_HOST} eq site.com #or www.site.com - ErrorDocument 403 https://site.com - }}} - - The cool thing about using mod_ssl instead of mod_rewrite to force SSL is that apache gives mod_ssl priority ABOVE mod_rewrite so it will always require SSL. ''(may be able to get around first method using http://site.com:443 or https://site.com:80)'' - * An in-depth article about what this is doing can be found in the [http://www.htaccesselite.com/htaccess/redirecting-all-or-part-of-a-server-to-ssl-vt61.html SSL Forum] - - - - == How do I stop others from hotlinking my files? == - Hotlinking is when somebody displays an image (or any type of file actually) on somebody else's web site directly inline on their site! There's nothing particularly '''wrong''' with that, it's a big part of how the WWW was designed to work. However, it does steal the bandwidth of the original site, and could possibly infringe on a copyright. 
- - Blocking specific domains - The following code will return a '''403 Forbidden''' error instead of the requested image, but only when the image has been requested by ''badsite.net'' or ''badsite.com'': - {{{ - RewriteEngine On - RewriteCond %{HTTP_REFERER} ^http://(www\.)?badsite\.net/ [NC,OR] - RewriteCond %{HTTP_REFERER} ^http://(www\.)?badsite\.com/ [NC] - RewriteRule \.(jpe?g|gif|png)$ - [F] - }}} - Note that in the above example, only images are being protected. To protect other resources, such as video and audio files, add additional extensions to the codeRewrite Rule/code parentheses block. - - Blocking most domains - The following code will return a '''403 Forbidden''' error instead of the requested resource, unless requested from example.com or livejournal.com (note that one of the allowed sites should be the domain where the resource is actually used): - {{{ - RewriteEngine On - RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC] - RewriteCond %{HTTP_REFERER} !^http://(www\.)?livejournal\.com/ [NC] - RewriteCond %{HTTP_REFERER} !^$ - RewriteRule \.(jpe?g|gif|png)$ - [F] - }}} - - Blocking all domains - The following code will return a '''403 Forbidden''' error instead of the requested resource, unless the referrer is example.com, which should be changed to the domain of the site where the image is used: - {{{ - RewriteEngine On - RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC] - RewriteCond %{HTTP_REFERER} !^$ - RewriteRule \.(jpe?g|gif|png)$ - [F] - }}} - - === Replacing images === - This method will '''still''' result in bandwidth theft, but it will protect your images. Bandwidth theft may reduce eventually as people learn linking your images will not work. 
- - Replacing the image - The following code will cause the remote server to display '''no_hotlink.jpg''' instead of the requested image: - {{{ - RewriteEngine On - RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC] - RewriteCond %{HTTP_REFERER} !^$ - RewriteRule \.(jpe?g|gif|png)$ images/no_hotlink.jpg [L] - }}} - - Allow certain hotlinking - The following code will cause the remote server to display '''no_hotlink.jpg''' instead of the requested image, unless the image has been requested from a specified directory ('''dir'''): - {{{ - RewriteEngine On - RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/dir/ [NC] - RewriteCond %{HTTP_REFERER} !^$ - RewriteRule \.(jpe?g|gif|png)$ images/no_hotlink.jpg [L] - }}} - - Block specific domains - The following code will cause the remote server to display '''no_hotlink.jpg''' instead of the requested image, but only when the image has been requested by ''badsite.net'' or ''badsite.com'': - {{{ - RewriteEngine On - RewriteCond %{HTTP_REFERER} ^http://(www\.)?badsite\.net/ [NC,OR] - RewriteCond %{HTTP_REFERER} ^http://(www\.)?badsite\.com/ [NC] - RewriteRule \.(jpe?g|gif|png)$ images/no_hotlink.jpg [L] - }}} - - - - - == External Links == - * [http://wiki.mobbing-gegner.de/?action=fullsearchcontext=180value=apachetitlesearch=Titel german] tips and links for apache -
[Httpd Wiki] Update of ScratchPad/htaccess by pctony
The following page has been changed by pctony: http://wiki.apache.org/httpd/ScratchPad/htaccess -- - ## page was renamed from Info/htaccess + ! THIS IS A SCRATCHPAD ONLY PAGE AT THE MOMENT, AND SHOULD NOT BE MOVED OUT OF SUCH ! + = How do I use .htaccess files? = Implementation of .htaccess files is universal across the Internet. Many manuals are available online. You can visit your favorite search engine and search for 'htaccess', and you'll probably find a nice tutorial just like [http://httpd.apache.org/docs/2.0/howto/htaccess.html this one]! Once you have grasped the basic concepts, it would definately help you to refer to the many examples available here on the wiki, there is also a great [http://www.askapache.com/2006/htaccess/htaccesselite-ultimate-htaccess-article.html htaccess Code Snippet Article] full of the most commonly requested htaccess code examples.
[Httpd Wiki] Update of ScratchPad/htaccess by pctony
Dear Wiki user, You have subscribed to a wiki page or wiki category on Httpd Wiki for change notification. The following page has been changed by pctony: http://wiki.apache.org/httpd/ScratchPad/htaccess The comment on the change is: Innaccurate statements, bad practices, and external links have been removed. -- (!) THIS IS A SCRATCHPAD ONLY PAGE AT THE MOMENT, AND SHOULD NOT BE MOVED OUT OF SUCH (!) + (!) This document should be used to draft a new version of the official httpd howto docs (!) - = How do I use .htaccess files? = + '''The use of .htaccess files is strongly discouraged as they can have a detremental effect on server performance.''' - Implementation of .htaccess files is universal across the Internet. Many manuals are available online. You can visit your favorite search engine and search for 'htaccess', and you'll probably find a nice tutorial just like [http://httpd.apache.org/docs/2.0/howto/htaccess.html this one]! Once you have grasped the basic concepts, it would definately help you to refer to the many examples available here on the wiki, there is also a great [http://www.askapache.com/2006/htaccess/htaccesselite-ultimate-htaccess-article.html htaccess Code Snippet Article] full of the most commonly requested htaccess code examples. + + == How do I use .htaccess files? == - == How can I create a plain text file for .htaccess? == + == How can I create a new .htaccess file? == + Use your favourite editor to create a .htaccess file in the folder where you want it to take affect. - You can do it by sshing in to yourdomain.com and using pico, a user-friendly text editor. All the commands for its use appear at the bottom of the page (^ means ''press the Control key.'') Just change to the directory in which you want to use .htaccess, and type pico .htaccess to get started with a blank .htaccess file. - - == How do I block certain IPs from accessing my site or directory? == - It's pretty easy! 
All you have to do is file in the directory you'd like to restrict (your main directory to restrict the entire site) and then put the following in it: - - {{{ - Limit GET - order allow,deny - allow from all - deny from 123.142.124.152 - deny from 124.24. - /LIMIT - }}} - - - You can put whole ips or just the beginning part you'd like to match, and you can add more and more ips, each with its own line! When somebody's ip is banned, they will get a 403 error (access forbidden) when trying to visit your site. - - - == How do I block people coming from a certain website or URL from visiting my site or directory? == - - It's actually very similar to [[KB / Unix / .htaccess files| blocking people by IP]]! Again, you need to add some lines to an .htaccess text file that you create in the home directory of your web site. - - Here is some example code for giving everybody who comes to you from www.yahoo.com or www.google.com an (access denied): - - {{{ - SetEnvIfNoCase Referer ^http://www.google.com/; BadReferrer - SetEnvIfNoCase Referer ^http://www.yahoo.com/; BadReferrer - order deny,allow - deny from env=BadReferrer - }}} - - Another way to block people where you end up just redirecting them to a different url involves using the [http://httpd.apache.org/docs/mod/mod_rewrite.html mod_rewrite] functionality of our web server. 
Here's how to block everybody from www.yahoo.com and www.google.com again (put this in your .htaccess file): - - {{{ - RewriteEngine On - RewriteCond %{HTTP_REFERER} ^http://www.yahoo.com/ - RewriteRule /* http://www.yoursite.com/restricted_url.html [R,L] - RewriteCond %{HTTP_REFERER} ^http://www.google.com/ - RewriteRule /* http://www.yoursite.com/restricted_url.html [R,L] - }}} - - - == Force a server to only use SSL and fix double logins == - If you really want to be sure that your server is only serving documents over an encrypted SSL channel ''(you wouldn't want visitors to submit a htaccess password prompt on an unencrypted connection)'' then you need to use the '''SSLRequireSSL''' directive with the +StrictRequire Option turned on. - - {{{ - SSLOptions +StrictRequire - SSLRequireSSL - SSLRequire %{HTTP_HOST} eq site.com #or www.site.com - ErrorDocument 403 https://site.com - }}} - - The cool thing about using mod_ssl instead of mod_rewrite to force SSL is that apache gives mod_ssl priority ABOVE mod_rewrite so it will always require SSL. ''(may be able to get around first method using http://site.com:443 or https://site.com:80)'' - * An in-depth article about what this is doing can be found in the [http://www.htaccesselite.com/htaccess/redirecting-all-or-part-of-a-server-to-ssl-vt61.html SSL Forum] + == What can I do with my .htaccess file == - == How do I stop others from hotlinking my files? == - Hotlinking is when somebody displays an image (or any type of file actually) on somebody else's web site
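Review bot: the added warning line and the new "How can I create a new .htaccess file?" answer each carry a spelling error ("detremental" should be "detrimental", "take affect" should be "take effect"), and the warning gives no reason a reader can act on. State why .htaccess costs performance and what to use instead: per the official howto, httpd looks for .htaccess files in every directory on the path for each request, and the same directives can go in a Directory block in the main server configuration. In the visible lines the added heading "How do I use .htaccess files?" has no body before the next heading, and "What can I do with my .htaccess file" lacks its question mark.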
[Httpd Wiki] Trivial Update of ScratchPad/htaccess by pctony
The following page has been changed by pctony: http://wiki.apache.org/httpd/ScratchPad/htaccess -- (!) THIS IS A SCRATCHPAD ONLY PAGE AT THE MOMENT, AND SHOULD NOT BE MOVED OUT OF SUCH (!) + (!) This document should be used to draft a new version of the official httpd howto docs (!) '''The use of .htaccess files is strongly discouraged as they can have a detremental effect on server performance.'''
[Httpd Wiki] Update of ScratchPad/htaccess by RichBowen
The following page has been changed by RichBowen: http://wiki.apache.org/httpd/ScratchPad/htaccess The comment on the change is: Link to the official docs. The official howto needs some love. -- (!) THIS IS A SCRATCHPAD ONLY PAGE AT THE MOMENT, AND SHOULD NOT BE MOVED OUT OF SUCH (!) - (!) This document should be used to draft a new version of the official httpd howto docs (!) + (!) This document should be used to draft a new version of the [http://httpd.apache.org/docs/trunk/howto/htaccess.html official httpd howto docs] (!) '''The use of .htaccess files is strongly discouraged as they can have a detremental effect on server performance.'''
[Httpd Wiki] Update of Recipes/RedirectSSL by JohnCrown
Dear Wiki user, You have subscribed to a wiki page or wiki category on Httpd Wiki for change notification. The following page has been changed by JohnCrown: http://wiki.apache.org/httpd/Recipes/RedirectSSL The comment on the change is: added a bunch of improved code -- - = Redirect Request To SSL = + = Redirect Request To SSL with httpd.conf = + Let's say you want http://www.domain.com/secure/ to always be sent over SSL (I presume here that both the normal and the SSL vhost have the same content). You could do this by linking to the correct page from within your HTML pages... but there will always be some user who will sneak by it that way. - == Using mod_rewrite == + === Using mod_rewrite === + {{{ Location /secure RewriteEngine On @@ -12, +14 @@ RewriteRule .* https://%{HTTP_HOST}:443%{REQUEST_URI} [QSA,R=permanent,L] /Location }}} - - '''Note: This snippet can also be used inside a directory or vhost container.''' + '''Note:''' This snippet can also be used inside a directory or vhost container. Make sure you have loaded [http://httpd.apache.org/docs/trunk/mod/mod_rewrite.html mod_rewrite] and have it enabled. - {{{ LoadModule rewrite_module modules/mod_rewrite.so RewriteEngine On }}} - == Using virtual hosts == + === Using virtual hosts === When using SSL, you will frequently have at least two virtual hosts: one on port 80 to serve ordinary requests, and one on port 443 to serve SSL. If you wish to redirect users from the non-secure site to the SSL site, you can use an ordinary [http://httpd.apache.org/docs/trunk/mod/mod_alias.html#redirect Redirect] directive inside the non-secure VirtualHost: @@ -40, +40 @@ SSLEngine On # etc... 
/VirtualHost + }}} + + + + = Redirect To SSL with .htaccess = + '''following htaccess methods are from: [http://www.askapache.com/2006/htaccess/apache-ssl-in-htaccess-examples.html askApache.com]''' + {{{ + # If server does not have mod_ssl or mod_rewrite deny access + [IfModule !mod_rewrite.c] + [IfModule !mod_ssl.c] + deny from all + [/IfModule] + [/IfModule] + }}} + + + + === Most Secure SSL Forcing Method '''(doesn't require mod_rewrite!)''' === + + This will check to make sure that the connection is using SSL, or it will fail. This works regardless of if you are serving SSL on port 443, 80, 81, etc. This is the most secure setting for SSL logins. + + This also fixes having to type in the username and password twice by requiring the HTTP_HOST to match the HTTP_HOST that your SSL certificate is set-up for, in the case above, the SSL is for google.com not www.google.com + + So if either of those 2 checks fail '''(!SSL or !correct domain)''' than the (403) ErrorDocument directive issues a 302 Found, Location: https://google.com which forces the client to connect to the correct location. + + {{{ + [IfModule mod_ssl.c] + SSLOptions +StrictRequire + SSLRequireSSL + SSLRequire %{HTTP_HOST} eq google.com + ErrorDocument 403 https://google.com + [/IfModule] + }}} + + + + + + === Rewrite non-SSL requests to SSL '''(doesn't require mod_ssl!)''' === + + {{{ + [IfModule !mod_rewrite.c] + RewriteCond %{HTTPS} !=on + RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L] + [/IfModule] + }}} + + ''NOTE'': The HTTPS variable is always present, even if mod_ssl isnât loaded! 
+ + + + + === Redirect everything served on port 80 to SSL === + + {{{ + RewriteCond %{SERVER_PORT} ^80$ + RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L] + }}} + + + + === Changing to SSL or non-SSL using relative URLs === + + {{{ + RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [QSA,R,L] + RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [QSA,R,L] + }}} + This lets you use hyperlinks in your web document of the form + {{{ + /document.html:SSL-- https://google.com/document.html + /document.html:NOSSL -- http://google.com/document.html + }}} +
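Review bot: under "Rewrite non-SSL requests to SSL" the guard reads `[IfModule !mod_rewrite.c]`, which is negated, so the RewriteCond/RewriteRule pair it wraps is only read when mod_rewrite is absent and can never run; drop the `!`, and add `RewriteEngine On` inside the block, since none of the added .htaccess snippets enables the engine. The first added block has a similar mismatch: its comment says "does not have mod_ssl or mod_rewrite", but nesting the two negated tests denies access only when both modules are missing. All the added containers are also written with square brackets (`[IfModule ...]`, `[/IfModule]`), which httpd does not parse as section containers, so confirm the markup renders as angle brackets or the examples fail when pasted.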
[Httpd Wiki] Trivial Update of Recipes/RedirectSSL by pctony
The following page has been changed by pctony: http://wiki.apache.org/httpd/Recipes/RedirectSSL The comment on the change is: removed link to askapache, and reworded title -- = Redirect To SSL with .htaccess = - '''following htaccess methods are from: [http://www.askapache.com/2006/htaccess/apache-ssl-in-htaccess-examples.html askApache.com]''' + {{{ # If server does not have mod_ssl or mod_rewrite deny access [IfModule !mod_rewrite.c] @@ -58, +58 @@ - === Most Secure SSL Forcing Method '''(doesn't require mod_rewrite!)''' === + === Forcing SSL '''(doesn't require mod_rewrite!)''' === This will check to make sure that the connection is using SSL, or it will fail. This works regardless of if you are serving SSL on port 443, 80, 81, etc. This is the most secure setting for SSL logins.
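Review bot: the heading loses "Most Secure", but the unchanged context line under it still says "This is the most secure setting for SSL logins", so the claim the rewording set out to drop survives in the body; remove or qualify that sentence in the same edit. Deleting the "following htaccess methods are from" line also leaves the page with no indication of where the snippets came from while the snippets themselves stay.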
Re: [Httpd Wiki] Update of Recipes/RedirectSSL by JohnCrown
On Jan 3, 2007, at 09:13, Apache Wiki wrote: + = Redirect To SSL with .htaccess = + '''following htaccess methods are from: [http://www.askapache.com/ 2006/htaccess/apache-ssl-in-htaccess-examples.html askApache.com]''' + {{{ + # If server does not have mod_ssl or mod_rewrite deny access + [IfModule !mod_rewrite.c] + [IfModule !mod_ssl.c] + deny from all + [/IfModule] + [/IfModule] + }}}

This, and other bits on this page, appear to be cargo-culted from modssl.org, askapache.com, and various other places. I'm not real comfortable with that precedent, particularly when the given examples are inaccurate. Can we stick to functional examples, and original work, please?

JohnCrown, are you on this mailing list? We've got some rather specific goals for the wiki. Foremost is the enhancement of the official documentation. As such, contributions must be stuff that you're actually legally able to give to the ASF. And, of course, they also need to be accurate.

I see that a number of your edits have been reverted, and I imagine that must be frustrating. But you can't copy stuff from other websites and paste it onto this website. We take copyright pretty seriously.

--
If we only live,
We too will go to sea in a Sieve,---
To the hills of the Chankly Bore!
[Httpd Wiki] Update of Recipes/RedirectSSL by JohnCrown
Dear Wiki user, You have subscribed to a wiki page or wiki category on Httpd Wiki for change notification. The following page has been changed by JohnCrown: http://wiki.apache.org/httpd/Recipes/RedirectSSL -- - = Redirect Request To SSL = + = Redirect Request To SSL with httpd.conf = + Let's say you want http://www.domain.com/secure/ to always be sent over SSL (I presume here that both the normal and the SSL vhost have the same content). You could do this by linking to the correct page from within your HTML pages... but there will always be some user who will sneak by it that way. - == Using mod_rewrite == + === Using mod_rewrite === + {{{ Location /secure RewriteEngine On @@ -12, +14 @@ RewriteRule .* https://%{HTTP_HOST}:443%{REQUEST_URI} [QSA,R=permanent,L] /Location }}} - - '''Note: This snippet can also be used inside a directory or vhost container.''' + '''Note:''' This snippet can also be used inside a directory or vhost container. Make sure you have loaded [http://httpd.apache.org/docs/trunk/mod/mod_rewrite.html mod_rewrite] and have it enabled. - {{{ LoadModule rewrite_module modules/mod_rewrite.so RewriteEngine On }}} - == Using virtual hosts == + === Using virtual hosts === When using SSL, you will frequently have at least two virtual hosts: one on port 80 to serve ordinary requests, and one on port 443 to serve SSL. If you wish to redirect users from the non-secure site to the SSL site, you can use an ordinary [http://httpd.apache.org/docs/trunk/mod/mod_alias.html#redirect Redirect] directive inside the non-secure VirtualHost: @@ -40, +40 @@ SSLEngine On # etc... 
/VirtualHost + }}} + + + + = Redirect To SSL with .htaccess = + '''following htaccess methods are from: [http://www.askapache.com/2006/htaccess/apache-ssl-in-htaccess-examples.html askApache.com]''' + {{{ + # If server does not have mod_ssl or mod_rewrite deny access + [IfModule !mod_rewrite.c] + [IfModule !mod_ssl.c] + deny from all + [/IfModule] + [/IfModule] + }}} + + + + === Most Secure SSL Forcing Method '''(doesn't require mod_rewrite!)''' === + + This will check to make sure that the connection is using SSL, or it will fail. This works regardless of if you are serving SSL on port 443, 80, 81, etc. This is the most secure setting for SSL logins. + + This also fixes having to type in the username and password twice by requiring the HTTP_HOST to match the HTTP_HOST that your SSL certificate is set-up for, in the case above, the SSL is for google.com not www.google.com + + So if either of those 2 checks fail '''(!SSL or !correct domain)''' than the (403) ErrorDocument directive issues a 302 Found, Location: https://google.com which forces the client to connect to the correct location. + + {{{ + [IfModule mod_ssl.c] + SSLOptions +StrictRequire + SSLRequireSSL + SSLRequire %{HTTP_HOST} eq google.com + ErrorDocument 403 https://google.com + [/IfModule] + }}} + + + + + + === Rewrite non-SSL requests to SSL '''(doesn't require mod_ssl!)''' === + + {{{ + [IfModule !mod_rewrite.c] + RewriteCond %{HTTPS} !=on + RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L] + [/IfModule] + }}} + + ''NOTE'': The HTTPS variable is always present, even if mod_ssl isnât loaded! 
+ + + + + === Redirect everything served on port 80 to SSL === + + {{{ + RewriteCond %{SERVER_PORT} ^80$ + RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L] + }}} + + + + === Changing to SSL or non-SSL using relative URLs === + + {{{ + RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [QSA,R,L] + RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [QSA,R,L] + }}} + This lets you use hyperlinks in your web document of the form + {{{ + /document.html:SSL-- https://google.com/document.html + /document.html:NOSSL -- http://google.com/document.html + }}} +
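Review bot: in "Changing to SSL or non-SSL using relative URLs" both patterns start with `^/`, but the section is headed "Redirect To SSL with .htaccess", and in per-directory context mod_rewrite strips the directory prefix, leading slash included, before matching, so `^/(.*):SSL$` never matches there; use `^(.*):SSL$` or move the rules to the server config. The forcing example hard-codes google.com in `SSLRequire %{HTTP_HOST} eq google.com` and `ErrorDocument 403 https://google.com`; use a reserved name such as example.com, and note that the ErrorDocument target discards the requested path. The two redirect rules build their target from `%{HTTP_HOST}`, which is taken from the request's Host header; a fixed canonical hostname is the safer target.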