.htaccess - Redirect HTTP to HTTPS for one page

Question

I know this issue has been asked to death, but for some reason, out of the 20 posts that I've read, nothing is working properly for me and hopefully someone could shed some insight.

Basically, I have a simple shopping cart, where I want to redirect 2 uri's to HTTPS, my checkout page, and my admin folder:

/checkout
/admin

I can successfully redirect to the HTTPS version for checkout with the following code:

RewriteEngine On
#https
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^checkout https://palatinehillsestatewinery.com/checkout [R=301,L]

# remove index.php, this is just included to show everything in my .htaccess
RewriteCond $1 !.(gif|jpe?g|png)$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f 
RewriteCond %{REQUEST_FILENAME} !-d 
RewriteRule ^(.*)$ /index.php/$1 [L]

The problem I've found with this and all other solutions, is that once I decide to go back to a page that shouldn't be HTTPS, the url stays HTTPS.

I've been fumbling with loops etc.

If anyone could help with redirecting to HTTPS on just these 2 pages, and then http on all other pages, that would be a great help and much appreciated.

Answer 1

This is not answering your question directly, but I feel I put it as an answer (plus it is too big to post as a comment).

My advice: please stop playing with htaccess for this kind of task (force few URLs to use HTTPS and force the rest to use HTTP).

The best way is to generate FULL URLs for all links (pages, not resources), where URL includes domain name and protocol. In this case all URLs will have proper protocol (HTTP/HTTPS) straight away. Of course: you can still fix (301 or 302 redirect) requests to supposed-to-be-https if they (for some strange reason) are requested via HTTP. That's where .htaccess can be safely and easily used.

If user will request normal page (should be served over HTTP) via HTTPS -- then let him do it -- there is nothing wrong with that. Yes -- HTTPS requires a bit more resources on server side, but if you generate all links in such way, there will be virtually no such situations, unless user specifically changes protocol. Even if such one page will be served over HTTPS, the next "normal" link he click will be HTTP -- 1 extra HTTPS-based page view will not kill your server.

I'm using this approach all the time when site is having secure area .. and based on the logs, we have less than 0.01% of ALL page views that were viewed/attempted to be viewed via "wrong" protocol -- vast majority of them were bots or attempts to hack/vulnerability search.

Based on such stats I would say -- it is working perfectly. yes -- you need to alter you code/templates a bit to implement this .. but it is much better than messing with .htaccess and mod_rewrite.

---

In any case, here are the rules that would do the job for you:

# force https for all URLs in /checkout
RewriteCond %{HTTPS} =off
RewriteRule ^checkout https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# don't do anything for images/css/js
RewriteRule .(gif|jpe?g|png|css|js)$ - [NC,L]

# force http for all other URLs that are not in /checkout
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !^/(checkout|index.php/checkout)
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# your other rules here, e.g.:
RewriteCond %{REQUEST_FILENAME} !-f 
RewriteCond %{REQUEST_FILENAME} !-d 
RewriteRule ^(.*)$ /index.php/$1 [L]

OR

# force https for all URLs in /checkout
RewriteCond %{HTTPS} =off
RewriteRule ^checkout https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# do not do anything for already existing files
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule .+ - [L]

# force http for all other URLs that are not in /checkout
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !^/checkout
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# your other rules here, e.g.:
RewriteCond %{REQUEST_FILENAME} !-f 
RewriteCond %{REQUEST_FILENAME} !-d 
RewriteRule ^(.*)$ /index.php/$1 [L]