Page 1 of 1

newb https question

Posted: Tue May 27, 2014 7:31 am
by pkocsis
Using apache on Linux (and of course, livecode server :)), what is the proper way to disallow http and force all to https? Is it simply utilizing the redirect functionality? .....or is there a more proper way in which to disallow requests via http?


Re: newb https question

Posted: Tue May 27, 2014 8:16 pm
by Pyrros
I would just use .htaccess rewrite to force the https.

Re: newb https question

Posted: Tue May 27, 2014 10:48 pm
by pkocsis
Thank you Pyrros,

If I could add one more question.....can this methodology be used to:

1) redirect all http requests to https EXCEPT...

2) if I have a directory in my documentroot called, say, "sslonly", can I make it so that any http requests to assets inside sslonly will NOT get rewritten and simply denied?

I ask because I do indeed want to globally force all http to https, but for some directories, I would like to simply deny http requests and require https be used from the gitgo....(I.E. for requests to assets inside sslonly, if they come in via http I don't want to rewrite and redirect to https....I want to deny them)

Thanks again Pyrros!


Re: newb https question

Posted: Wed May 28, 2014 8:52 pm
by Pyrros
Hi Paul

You should be able to do that.

I'm not an htaccess expert but I guessing something like this would work:

htaccess directory in the site root - specify which urls must redirect to ssl e.g:

RewriteCond %{HTTPS} != on
RewriteRule ^(system|dashboard) {http-domain}%{REQUEST_URI} [NC,R=301]

In the sslonly directory have another htaccess file to restrict access to only ssl:

RewriteEngine On
RewriteCond %{SERVER_PORT} !443
RewriteRule (.*) {warning-page} [R]

I can't post urls so,
{http-domain} would be your domain's https url
{warning-page} would be page telling the user the request was denied

Hope this helps.