redirect all http:// requests to https:// (SSL)
#1

[eluser]niwa[/eluser]
Hello, I would like all urls of my web app to use SSL (https).
But I can't get it right, there is always a problem (css background-images are still loading from http://).

Is there a way I could do that simply with mod_rewrite ?

My current htaccess is :

Code:
<IfModule mod_rewrite.c>
RewriteEngine on
Options +FollowSymLinks

    # Enforce NO www
    RewriteCond %{HTTP_HOST} ^www [NC]
    RewriteRule ^(.*)$ http://domain.com/$1 [L,R=301]
    ###


    # Checks to see if the user is attempting to access a valid file,
    # such as an image or css document, if this isn't true it sends the
    # request to index.php
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php/$1 [L]
  

</IfModule>

Thank you
#2

[eluser]@robertotra[/eluser]
Do not know if it can be done by url rewriting, but it can be done for sure inside the index.php on its top by using the server variable $_SERVER['HTTPS']:

Code:
session_start();
if (empty($_SERVER['HTTPS']))
{
   /* to avoid a potential infinite cycle of redirections, uses a session variable as a flag */
   if ((! isset($_SESSION['redirected'])) || ($_SESSION['redirected'] != 'yes')) {
       $_SESSION['redirected'] = 'yes';
       header('Location: https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']);
       exit;
   } else {
       // something wrong, your error catching procedure here
   }
} else {
   // you are on https, reset flag
   $_SESSION['redirected'] = 'no';
}

Anyway, any rewriting or redirection will not ensure images and stylesheets to be loaded by https until you use relative paths. You need to use absolute paths starting with https.

Code:
$GLOBALS['imageDir'] = 'https://yoursite.ext/images/';
<img src="<?php echo $GLOBALS['imageDir']; ?>yourimage.gif">

Roberto
#3

[eluser]CroNiX[/eluser]
Put before CI rules...

RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R,L]
#4

[eluser]Kobus M[/eluser]
[quote author="CroNiX" date="1329162283"]Put before CI rules...

RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R,L][/quote]

Hi,

In which .htaccess must this go? I do not have .htaccess in my site root (base_url location), only in sub folders with "deny from all" entry.

Thanks in advance,

Kobus

Edit: Just wanted to add, I want to run my entire site in HTTPS, not only some pages. No distinction necessary. Thanks!
#5

[eluser]InsiteFX[/eluser]
It goes in the same folder that your index.php file is in!
#6

[eluser]Kobus M[/eluser]
[quote author="InsiteFX" date="1329168565"]It goes in the same folder that your index.php file is in!
[/quote]

Hi, I have done that, but it doesn't work as I expect. My site styling is broken. My .htaccess where my index.php is, contains this (and only this):

RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.impero.co.za/$1 [R,L]

See the difference at www.impero.co.za with and without https. On https it looks fine now, but without https, not. Problem is, people will most likely type impero.co.za instead of www.impero.co.za or https://www.impero.co.za. I should probably also cater for when they do not add the www?

Sorry - I know this is not strictly a CI issue, but I do not know how to do this, and my site is based on CI, and currently it is broken, so I hope you can help.

Thanks!

Kobus
#7

[eluser]Kobus M[/eluser]
I got it fixed, thanks.

I did the following:

$proto = "http" . ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") ? "s" : "") . "://";
$config['base_url'] = $proto . 'www.impero.co.za/';

Found it here: there is more to it, so for those having a similar issue: http://www.davidnard.com/2011/04/easy-ss...deigniter/

Regards,

Kobus
#8

[eluser]@robertotra[/eluser]
[quote author="Kobus M" date="1329170243"]I got it fixed, thanks.

I did the following:

$proto = "http" . ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") ? "s" : "") . "://";
$config['base_url'] = $proto . 'www.impero.co.za/';[/quote]

I think it is not enough: this will set all your URLs to https on your internal links, but will not force redirections if someone types the URL manually. The same source that you cite uses a function to force redirection if a controller is called on http.

Roberto
#9

[eluser]Kobus M[/eluser]
[quote author="@robertotra" date="1329171609"][quote author="Kobus M" date="1329170243"]I got it fixed, thanks.

I did the following:

$proto = "http" . ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") ? "s" : "") . "://";
$config['base_url'] = $proto . 'www.impero.co.za/';[/quote]

I think it is not enough: this will set all your URLs to https on your internal links, but will not force redirections if someone types the URL manually. The same source that you cite uses a function to force redirection if a controller is called on http.

Roberto[/quote]

I tried this. I typed the URL with https:// and then browsed around, and viewed the source, it stayed on https and all assets were loaded on https. If I then typed the URL to normal without https (only http) and browsed around, it worked as expected, all assets loaded from http://... If needed, I will follow the rest of the advice in the article. Thanks for responding, Roberto :-)

Kobus
#10

[eluser]niwa[/eluser]
Thanks for the replies.
@robertotra and CroNiX, both methods are working and all browsing URLs are forced to SSL; however,

there is still mixed content due to CSS background images.

The CSS is correctly loading from https in the browser:
Code:
<link type="text/css" rel="stylesheet" href="https://domain.com/css/main.css" media="screen" />

but inside it, background images are still loading from http://

I use relative paths in the CSS file, such as:
Code:
background:url(../img/image.png)

Putting absolute paths could probably fix that, but isn't there a more elegant solution ? Absolute paths are hard to maintain as there are different production environments ...
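
Added example, not part of the thread and not any poster's code: a small mixed-content checker that resolves each `url(...)`, `src` and `href` reference the way a browser does, against the URL the containing stylesheet or page was actually fetched from, and returns the ones that end up on http://. The function names, the sample markup and the domain.com URLs are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# url(...) references in CSS, quoted or unquoted.
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)""", re.I)

def insecure_css_refs(css_text, stylesheet_url):
    """Resolve url() refs against the stylesheet's own URL; keep http:// ones."""
    resolved = (urljoin(stylesheet_url, ref) for ref in CSS_URL.findall(css_text))
    return [u for u in resolved if urlsplit(u).scheme == "http"]

class _RefCollector(HTMLParser):
    """Collect src/href of subresource tags plus url() in inline styles."""
    SUBRESOURCE_TAGS = {"img", "script", "link", "iframe"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in self.SUBRESOURCE_TAGS:
            for name in ("src", "href"):
                if attrs.get(name):
                    self.refs.append(attrs[name])
        if attrs.get("style"):
            self.refs.extend(CSS_URL.findall(attrs["style"]))

def insecure_html_refs(html_text, page_url):
    """Resolve page-level refs against the page URL; keep http:// ones."""
    collector = _RefCollector()
    collector.feed(html_text)
    resolved = (urljoin(page_url, ref) for ref in collector.refs)
    return [u for u in resolved if urlsplit(u).scheme == "http"]

# Constructed sample input (not taken from any real site).
SAMPLE_CSS = """
body  { background: url(../img/image.png); }
.logo { background: url('http://domain.com/img/logo.png'); }
.icon { background: url("//domain.com/img/icon.png"); }
"""
SAMPLE_HTML = """
<link type="text/css" rel="stylesheet" href="https://domain.com/css/main.css" media="screen" />
<img src="http://domain.com/images/yourimage.gif">
<div style="background:url(img/banner.png)"></div>
"""
```

With the stylesheet URL given as https, only the hard-coded `http://` reference is reported; the relative and protocol-relative references inherit https. Passing the same stylesheet with an http URL (for example because the stylesheet request itself was redirected to http) makes all three resolve to http.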






