Forcing SSL in Apache Without Hard-Coding the Hostname

apache-2.2mod-rewritemod-ssl

I think that I have this sorted (thanks mainly to the question How to redirect non-www to www without hardcoding using .htaccess?), but I still don't entirely understand a couple of things.

I would like to force all non-SSL connections to my server to be routed to SSL. I have only one vhost (and that will reliably remain the case for the lifetime of the server), but I would like to avoid hard-coding the domain name, partly so that the httpd.conf files for Staging and Production remain identical.

I know I can force requests to use SSL with a mod_rewrite rule like

RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

I have two relatively simple questions, though:

Should I prefer one of those RewriteCond statements over the other for any reason? Presumably if I use the %{SERVER_PORT} variable, any connections on, say, port 8000 would continue to be served in the clear? Is there some reason I should avoid using the %{HTTPS} variable that I'm overlooking?
Will that %{HTTP_HOST} variable in the RewriteRule statement be respected and automagically substitute in whatever the Host: header was from the request? Is there some circumstance under which this might not work?

In case it makes a difference, we're running Apache 2 on RedHat with mod_ssl and the site used Drupal 7.

Sorry for what is a relatively stupid question; Apache sysadmin is by no means a core part of my job, so I'm trying to muddle through as best I can. Thanks, all!

Best Answer

I've always used something like the following:

RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

Because occasionally, I like to serve HTTP over ports other than 80. Well, I don't like to do it, but sometimes needs must, etc. %{HTTPS} will be true, for example, if SSL is being used over port 80.

I think I usually use

RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

%{HTTP_HOST} will always be whatever is set as the Host: header by the client.

It occurs to me, however.. that there's another way to do this.

<VirtualHost *:80>
   ServerName mysite.example.com
   Redirect permanent / https://mysite.example.com/
</VirtualHost>

You'll notice there's no DocumentRoot in the above block. If you're redirecting everything, you don't need one.

If you only wanted to redirect a bit of your site to SSL, you could just do

Redirect permanent /secure https://mysite.example.com/secure

I think the Redirect option is more preferable for full site HTTPS forcing, because it's one less level of insanity (as provided so kindly by mod_rewrite).

It might even be faster, as there'd be one less module to load / run.

Related Solutions

Apache, Wildcard SSL and mod_rewrite

I'd suggest looking at the HTTPS variable, which is supposed to be a reliable indicator of whether the current connection is using HTTPS or not. You should be able to do something like this:

RewriteCond %{HTTPS} off
RewriteRule ^/dashboard.* https://%{HTTP_HOST}%{REQUEST_URI} [L,R]

I'd recommend using the [R] flag to force an external redirect because, according to the documentation, Apache checks to see if the hostname in the redirected URL is the same as the one in the current request, and if so it strips off the scheme and hostname and only does an internal rewrite using the URL path (which means it ignores the https:// part of your rewrite rule).

Linux – Redirect non-www ssl traffic to www ssl (apache)

I can't see anything wrong with your rewrite rule. Are you sure :

RewriteEngine on

has been specified and this config is definitely being executed? Is it in a .htaccess file?

Try setting up a rewrite log it can help:

http://www.latenightpc.com/blog/archives/2007/09/05/a-couple-ways-to-debug-mod_rewrite

Best Answer

Related Solutions

Apache, Wildcard SSL and mod_rewrite

Linux – Redirect non-www ssl traffic to www ssl (apache)

Related Topic