Problem with SSL

Arty Ziff · 12-11-2010, 11:42 PM

I'm having some problems with SSL.

In httpd.conf, I have these two directives:

Code:

<Directory "/home/my_site/public_html">
    AllowOverride All
    RewriteEngine On 
    RewriteCond %{SERVER_PORT} 443 
    RewriteRule ^(.*)$ http://www.my_site.com/$1 [R,L]
</Directory>

<Directory "/home/my_site/public_html/classes">
    AllowOverride All
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{REQUEST_URI} secure
    RewriteRule ^(.*)$ https://www.my_site.com/classes/$1 [R,L]
</Directory>

<Directory "/home/my_site/public_html/secure">
    AllowOverride All
    RewriteEngine On 
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{REQUEST_URI} secure 
    RewriteRule ^(.*)$ https://www.my_site.com/secure/$1 [R,L]
</Directory>

The problem is that in https://www.my_site.com/secure, I have some paged that include scripts in /home/my_site/public_html/classes with the path $_SERVER['DOCUMENT_ROOT']."/classes/access_user/some_script.php" not a URL, so they are not being served up via HTTPS.

Simply changing the include to "https://my_site.com/classes/access_user/some_script.php"

The problem seems to be the first directive that I'm using to prevent HTTPS access for content that doesn't need it...

What is the solution?

Fullmetal Chocobo · 12-18-2010, 01:11 AM

I'm not sure if this will help or not, but my mod_rewrite for sending all traffic to port 443 from 80 is the following:

Code:

RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]

This routes all traffic from the server in that virtual host to https:...

sneakyimp · 12-18-2010, 09:20 AM

I could be wrong, but I think your problem might be this directive:

Code:

<Directory "/home/my_site/public_html">
    AllowOverride All
    RewriteEngine On 
    RewriteCond %{SERVER_PORT} 443 
    RewriteRule ^(.*)$ http://www.my_site.com/$1 [R,L]
</Directory>

I believe that says that if someone visits on port 443 (which is the port used for HTTPS) then you redirect them to the non-HTTPS version of your site. This would effectively prevent anyone from accessing /home/my_site/public_html through anything but regular HTTP.

Arty Ziff · 12-18-2010, 06:03 PM

Quote:

Originally Posted by sneakyimp

I could be wrong, but I think your problem might be this directive:

Code:

<Directory "/home/my_site/public_html">
    AllowOverride All
    RewriteEngine On 
    RewriteCond %{SERVER_PORT} 443 
    RewriteRule ^(.*)$ http://www.my_site.com/$1 [R,L]
</Directory>

I believe that says that if someone visits on port 443 (which is the port used for HTTPS) then you redirect them to the non-HTTPS version of your site. This would effectively prevent anyone from accessing /home/my_site/public_html through anything but regular HTTP.

Right, but there are two more directives that follow it that address SSL for two specific directories.

My objective is to NOT ALLOW HTTPS on directories that don't need it. Server load and all...

sneakyimp · 12-18-2010, 06:31 PM

If you try to access anything in your public_html using HTTPS, that first directive will redirect the request to plain old HTTP and prevent parsing of additional rewrite rules. You would need to alter this rule with some additional RewriteCond directives that exclude your secure subdir and any other dirs where you want to server files HTTPS.

Also, this directive might be useful if your classes directory is full of javascript, but if you are trying this for PHP files it's probably not going to help because included PHP files don't get their own distinct distinct request:

Code:

<Directory "/home/my_site/public_html/classes">
    AllowOverride All
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{REQUEST_URI} secure
    RewriteRule ^(.*)$ https://www.my_site.com/classes/$1 [R,L]
</Directory>