On Feb 12, 2011, at 8:44 PM, Ed Greenberg wrote:
>
> I'd like to redirect http to https so that users who don't specify
> https are forced to use it, especially for login/password
> transactions. Also it would be nice if the admin pages, which are
> blocked in http, would redirect, rather than fail.
>
> There were some postings about htaccess in the group, but none seem to
> have ever solved the problem.
>
> I do have control over the server, so I could put mod_rewrite commands
> in the virtual host section of the config. Can anybody give me
> pointers on exactly what to protect? Should I do something like this:
>
> <Directory /opt/web_apps/web2py>
> RewriteEngine On
> RewriteCond %{SERVER_PORT} =80
> RewriteRule (.*) https://hostname.example.com/$1 [L,R]
> </Directory>
>
> Or is something more complex required.

Something more complex is required. But not much more complex. You need to send a redirect to the browser, because the browser has to establish an end-to-end secure connection.
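
Added example, not part of the original thread and not web2py's own code: a small WSGI wrapper showing what "send a redirect to the browser" looks like at the application layer, with the request path and query string preserved. The names `force_https`, `demo_app`, `call` and `CANONICAL_HOST` are hypothetical, and the host name is the one from the question; the target host is pinned rather than taken from the client's `Host` header.

```python
from urllib.parse import quote

# Assumption: the canonical HTTPS host name, taken from the question above.
CANONICAL_HOST = "hostname.example.com"


def force_https(app, host=CANONICAL_HOST):
    """Wrap a WSGI app so that plain-HTTP requests receive a redirect to HTTPS."""
    def middleware(environ, start_response):
        if environ.get("wsgi.url_scheme") == "https":
            # Already on a secure connection: hand the request to the app.
            return app(environ, start_response)
        # Rebuild the URL on the pinned host, never on the client-supplied
        # Host header, so the redirect cannot be steered to another site.
        path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
        location = "https://" + host + (path or "/")
        query = environ.get("QUERY_STRING", "")
        if query:
            location += "?" + query
        # The browser follows Location and opens its own TLS connection.
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]
    return middleware


def demo_app(environ, start_response):
    """Stand-in for the protected application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secure content"]


def call(app, environ):
    """Invoke a WSGI app with a constructed environ; return status, headers, body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed request: plain HTTP to an admin URL with a query string.
    print(call(force_https(demo_app), {"wsgi.url_scheme": "http",
                                       "PATH_INFO": "/admin/default/site",
                                       "QUERY_STRING": "a=1"}))
```

A redirect only protects the requests that follow it: a password POSTed to the http URL has already crossed the network in clear text, so login forms themselves need to be served from and submit to https.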