I have SSL enabled on the whole website, but I need to force all pages except login.php and register.php to http://
So basically I only nee
If you are a little familiar with mod_rewrite and regex, you should have no problems reading these rules -- comments are present explaining what each particular rule does. The rest -- regex basics:
Options +FollowSymLinks -MultiViews
RewriteEngine On
RewriteBase /
# force https for /login.php and /register.php
RewriteCond %{HTTPS} =off
RewriteRule ^(login|register)\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# don't do anything for images/css/js (leave protocol as is)
RewriteRule \.(gif|jpe?g|png|css|js)$ - [NC,L]
# force http for all other URLs
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !^/(login|register)\.php$
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
These rules need to be placed in .htaccess in the website root folder BEFORE any other rewrite rules (if such are present). If placed elsewhere, some small tweaking may be required.
They will
/login.php
and /register.php
You can easily add other URLs to that list -- just edit the existing rule by adding an additional file name to the list (the same text in 2 places: 1) to force, 2) to exclude).
File names are case-sensitive, so these rules will not work if /LOGIN.php is requested (Apache will not serve it either, as Linux is a case-sensitive OS, so no need to worry much here).
Obvious thing: mod_rewrite should be enabled and .htaccess files need to be processed by Apache (some website hosting companies disable them for performance and security reasons).
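
The decision logic of the three rules above, modelled in Python so the resulting protocol for any request can be checked offline. This is an added example, not part of the original answer; it approximates mod_rewrite rather than running Apache, and the host example.com and the sample requests are constructed.

```python
import re

# Patterns copied from the .htaccess rules above. In a root .htaccess the
# RewriteRule pattern sees the path without its leading slash, while
# %{REQUEST_URI} keeps the slash.
FORCE_HTTPS = re.compile(r"^(login|register)\.php$")
STATIC = re.compile(r"\.(gif|jpe?g|png|css|js)$", re.IGNORECASE)  # [NC]
EXCLUDE = re.compile(r"^/(login|register)\.php$")


def evaluate(scheme, host, path, query=""):
    """Return the 301 Location the rules would send, or None (no redirect)."""
    rel = path[1:] if path.startswith("/") else path
    suffix = "?" + query if query else ""  # query string is re-appended by default
    https = scheme == "https"
    # Rule 1: HTTPS off and exact login/register script -> redirect to https
    if not https and FORCE_HTTPS.search(rel):
        return f"https://{host}{path}{suffix}"
    # Rule 2: static assets, substitution "-" with [L] -> protocol left as is
    if STATIC.search(rel):
        return None
    # Rule 3: HTTPS on and URI is not login/register -> redirect to http
    if https and not EXCLUDE.search(path):
        return f"http://{host}{path}{suffix}"
    return None


# Constructed sample requests: (scheme, path, query)
SAMPLES = [
    ("http", "/login.php", ""),
    ("https", "/register.php", ""),
    ("https", "/index.php", "id=7"),
    ("https", "/img/logo.PNG", ""),
    ("https", "/LOGIN.php", ""),        # case differs, so not treated as login
    ("https", "/admin/login.php", ""),  # only the root-level scripts are matched
]

if __name__ == "__main__":
    for scheme, path, query in SAMPLES:
        target = evaluate(scheme, "example.com", path, query)
        print(f"{scheme:5} {path:18} -> {target or 'served as requested'}")
```

Only the exact root paths /login.php and /register.php stay on HTTPS; every other non-static URL, including /admin/login.php, is redirected to plain HTTP. A session cookie issued at login travels in cleartext on those HTTP pages unless it is marked Secure, in which case the HTTP pages will not receive it.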