CodeIgniter Forums

Full Version: .htaccess to force http using https and still get rid off index.php etc.
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

El Forum

[eluser]searain[/eluser]
I googled, to force the whole site using https. I can add these lines in .htaccess

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

But in CodeIgniter, we already use

RewriteEngine on
RewriteCond $1 !^(index\.php|images|robots\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]

To get rid of the index.php in url.

How can we merge these two requests together to have a .htaccess rewrite rules which will get rid off index.php in the url and also force to redirect http to https?

Thanks!

El Forum

[eluser]Seb[/eluser]
I guess you shoud use both rewrite rules, because they will be applied if necessary:

Code:
RewriteEngine On

RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

RewriteCond $1 !^(index\.php|images|robots\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]

El Forum

[eluser]searain[/eluser]
I tried that. It would not work. Give me 403 error.

I think I would have to dig deep about how to apply multiple rewrite rule.

If I switch the order

RewriteEngine On

RewriteCond $1 !^(index\.php|images|robots\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]

RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

I wouldn't get 403 error, and http is redirected to https, but index.php showed up too.

El Forum

[eluser]skunkbad[/eluser]
What kind of site needs SSL on every page? Why not use per controller or per method?

Code:
public function force_ssl()
{
        // force SSL if available
        if( USE_SSL != 0 && ! isset( $_SERVER['HTTPS'] ) )
        {
                $this->load->helper('string');
                header("Location: " . secure_base_url() . trim_slashes( $this->uri->uri_string() ) . url_suffix(), TRUE, 301);
                exit;
        }
}

If you extend CI_Controller with MY_Controller, and put that in MY_Controller, you simply call:

$this->force_ssl();

wherever you need it.

Keep in mind, in my code secure_base_url() is a special function that I put in MY_url_helper.php:

Code:
function secure_base_url()
{
        $CI = get_instance();
        $url = $CI->config->slash_item('base_url');
        if(USE_SSL === 1)
        {
                $url = substr($url, 0, 4).'s'.substr($url, 4);
        }
        return $url;
}

USE_SSL is a constant, which you could put in config/constants or wherever you feel is good.

El Forum

[eluser]Svante Hansson[/eluser]
skunkbad, I don't think it's that surprising seeing SSL needed on every page. Handling a e.g company website for handling sensitive information I'd certainly want SSL on every page.

El Forum

[eluser]Aken[/eluser]
It's also very common for ecommerce.

My recommended .htaccess solution:

Code:
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    
    #Force SSL
    RewriteCond %{HTTPS} !on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

    #Removes access to the system folder by users.
    #Additionally this will allow you to create a System.php controller,
    #previously this would not have been possible.
    #'system' can be replaced if you have renamed your system folder.
    RewriteCond %{REQUEST_URI} ^system.*
    RewriteRule ^(.*)$ /index.php/$1 [L]

    #Checks to see if the user is attempting to access a valid file,
    #such as an image or css document, if this isn't true it sends the
    #request to index.php
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ /index.php/$1 [L]
</IfModule>

<IfModule !mod_rewrite.c>
    # If we don't have mod_rewrite installed, all 404's
    # can be sent to index.php, and everything works as normal.
    # Submitted by: ElliotHaughin

    ErrorDocument 404 /index.php
</IfModule>

The problem you were having was that your switch to SSL was not done as a redirect. The [R,L] part of that line specifies that it should be redirected to that page instead of emulating it, and L means Last, as in stop processing rules at that point.

El Forum

[eluser]searain[/eluser]
Thanks!

I will give a try.

Yes. This site is for company sensitive info only. And I would like all the pages on https.

El Forum

[eluser]searain[/eluser]
Thanks! I tried, it works great!

Now I have another question.

Say if I have a form on this site, and the form is sent to a page on this site,

http://mysite.php/form

Now the form is sent to http://mysite.php/form, with two post variables user=me&password=open the door, but I am forcing it to redirect to https://mysite.php/form. But the post variable/value user=me&password=open the door are not posted to the redirected url, https://mysite.php/form.

I changed the base_url to https. This solved the problem for the web page form on this site, the form post url is https now.

But we may have other devices/apps rather than form on this site, post to this site too and if they post to http and after I redirected http to https, the post variables are lost.

Are there any solutions for this?

Thanks!