CodeIgniter Forums
.htaccess to force http using https and still get rid off index.php etc. - Printable Version




.htaccess to force http using https and still get rid off index.php etc. - El Forum - 06-19-2011

[eluser]searain[/eluser]
I googled how to force the whole site to use https. I can add these lines in .htaccess:

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

But in CodeIgniter, we already use

RewriteEngine on
RewriteCond $1 !^(index\.php|images|robots\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]

To get rid of the index.php in url.

How can we merge these two requests together to have .htaccess rewrite rules which will get rid of index.php in the url and also force a redirect from http to https?

Thanks!


.htaccess to force http using https and still get rid off index.php etc. - El Forum - 06-19-2011

[eluser]Seb[/eluser]
I guess you should use both rewrite rules, because they will be applied if necessary:

Code:
RewriteEngine On

RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

RewriteCond $1 !^(index\.php|images|robots\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]



.htaccess to force http using https and still get rid off index.php etc. - El Forum - 06-19-2011

[eluser]searain[/eluser]
I tried that. It would not work. It gives me a 403 error.

I think I would have to dig deep into how to apply multiple rewrite rules.

If I switch the order

RewriteEngine On

RewriteCond $1 !^(index\.php|images|robots\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]

RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

I wouldn't get a 403 error, and http is redirected to https, but index.php showed up too.


.htaccess to force http using https and still get rid off index.php etc. - El Forum - 06-19-2011

[eluser]skunkbad[/eluser]
What kind of site needs SSL on every page? Why not use per controller or per method?

Code:
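public function force_ssl()
{
        // force SSL if available; some servers (e.g. IIS) set HTTPS to 'off'
        // on plain-HTTP requests, so isset() alone is not a reliable test
        if( USE_SSL != 0 && ( empty( $_SERVER['HTTPS'] ) || strtolower( $_SERVER['HTTPS'] ) === 'off' ) )
        {
                $this->load->helper('string');
                // 301 redirect to the same URI on the https base URL
                header("Location: " . secure_base_url() . trim_slashes( $this->uri->uri_string() ) . url_suffix(), TRUE, 301);
                exit;
        }
}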

If you extend CI_Controller with MY_Controller, and put that in MY_Controller, you simply call:

$this->force_ssl();

wherever you need it.

Keep in mind, in my code secure_base_url() is a special function that I put in MY_url_helper.php:

Code:
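function secure_base_url()
{
        $CI = get_instance();
        $url = $CI->config->slash_item('base_url');
        // only rewrite an http:// base_url; an https:// one is returned unchanged
        if(USE_SSL === 1 && strpos($url, 'http://') === 0)
        {
                // insert the 's' after 'http'
                $url = substr($url, 0, 4).'s'.substr($url, 4);
        }
        return $url;
}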

USE_SSL is a constant, which you could put in config/constants or wherever you feel is good.


.htaccess to force http using https and still get rid off index.php etc. - El Forum - 06-20-2011

[eluser]Svante Hansson[/eluser]
skunkbad, I don't think it's that surprising seeing SSL needed on every page. Handling, e.g., a company website for handling sensitive information, I'd certainly want SSL on every page.


.htaccess to force http using https and still get rid off index.php etc. - El Forum - 06-20-2011

[eluser]Aken[/eluser]
It's also very common for ecommerce.

My recommended .htaccess solution:

Code:
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    
    #Force SSL
    RewriteCond %{HTTPS} !on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

    #Removes access to the system folder by users.
    #Additionally this will allow you to create a System.php controller,
    #previously this would not have been possible.
    #'system' can be replaced if you have renamed your system folder.
    #REQUEST_URI always begins with a slash, so the pattern must too.
    RewriteCond %{REQUEST_URI} ^/system.*
    RewriteRule ^(.*)$ /index.php/$1 [L]

    #Checks to see if the user is attempting to access a valid file,
    #such as an image or css document, if this isn't true it sends the
    #request to index.php
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ /index.php/$1 [L]
</IfModule>

<IfModule !mod_rewrite.c>
    # If we don't have mod_rewrite installed, all 404's
    # can be sent to index.php, and everything works as normal.
    # Submitted by: ElliotHaughin

    ErrorDocument 404 /index.php
</IfModule>

The problem you were having was that your switch to SSL was not done as a redirect. The [R,L] part of that line specifies that it should be redirected to that page instead of emulating it, and L means Last, as in stop processing rules at that point.


.htaccess to force http using https and still get rid off index.php etc. - El Forum - 06-21-2011

[eluser]searain[/eluser]
Thanks!

I will give it a try.

Yes. This site is for company sensitive info only. And I would like all the pages on https.


.htaccess to force http using https and still get rid off index.php etc. - El Forum - 06-21-2011

[eluser]searain[/eluser]
Thanks! I tried, it works great!

Now I have another question.

Say if I have a form on this site, and the form is sent to a page on this site,

http://mysite.php/form

Now the form is sent to http://mysite.php/form, with two post variables user=me&password=open the door, but I am forcing it to redirect to https://mysite.php/form. But the post variable/value user=me&password=open the door are not posted to the redirected url, https://mysite.php/form.

I changed the base_url to https. This solved the problem for the web page form on this site, the form post url is https now.

But we may have other devices/apps, rather than the form on this site, that post to this site too, and if they post to http, after I redirect http to https, the post variables are lost.

Are there any solutions for this?

Thanks!
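
An added example, not part of the thread or of CodeIgniter's own files: most clients re-issue a request answered with a 301/302 as a GET without the body, and by the time the server replies the posted credentials have already crossed the network unencrypted. One way to handle that in the .htaccess from the accepted solution is to redirect only GET/HEAD and refuse every other method over plain HTTP, so a misconfigured client fails visibly and gets fixed to post to https:// directly. The HSTS block assumes mod_headers is enabled, and its max-age is an illustrative value.

```apache
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Plain-HTTP GET/HEAD: no request body to lose, so redirect.
    # R=301 makes the redirect permanent (a bare R sends a 302).
    RewriteCond %{HTTPS} !on
    RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Plain-HTTP POST/PUT/etc.: the body (e.g. user/password) was already
    # sent in cleartext, and a 301/302 would make most clients retry as a
    # GET without it. A 307 would preserve the body but would not undo the
    # cleartext send. Refuse with 403 instead of redirecting.
    RewriteCond %{HTTPS} !on
    RewriteRule ^ - [F]

    # Front controller, unchanged from the solution in the thread.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ /index.php/$1 [L]
</IfModule>

<IfModule mod_headers.c>
    # HSTS: a browser that has seen this header over HTTPS upgrades later
    # http:// requests to https:// itself, before anything is sent.
    # Only emitted on HTTPS responses; max-age here is one year.
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>
```

HSTS only helps browsers that honour it; other devices and apps still need their endpoint URL changed to https://, and the 403 on plain-HTTP POSTs is what surfaces the ones that have not been updated.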