How to redirect all HTTP requests to HTTPS

前端 未结 26 2179
小鲜肉
小鲜肉 2020-11-22 00:40

I\'m trying to redirect all insecure HTTP requests on my site (e.g. http://www.example.com) to HTTPS (https://www.example.com). I\'m using PHP btw.

相关标签:
26条回答
  • 2020-11-22 00:59

    Using the following code in your .htaccess file automatically redirects visitors to the HTTPS version of your site:

    RewriteEngine On
    
    RewriteCond %{HTTPS} off
    
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    

    If you have an existing .htaccess file:

    Do not duplicate RewriteEngine On.

    Make sure the lines beginning RewriteCond and RewriteRule immediately follow the already-existing RewriteEngine On.

    0 讨论(0)
  • 2020-11-22 01:01

    Do everything that is explained above for redirection. Just add "HTTP Strict Transport Security" to your header. This will avoid man in the middle attack.

    Edit your apache configuration file (/etc/apache2/sites-enabled/website.conf and /etc/apache2/httpd.conf for example) and add the following to your VirtualHost:

    # Optionally load the headers module:
    LoadModule headers_module modules/mod_headers.so
    
    <VirtualHost 67.89.123.45:443>
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    </VirtualHost>
    

    https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

    0 讨论(0)
  • 2020-11-22 01:01

    If you are using Apache, mod_rewrite is the easiest solution, and has a lot of documentation online how to do that. For example: http://www.askapache.com/htaccess/http-https-rewriterule-redirect.html

    0 讨论(0)
  • 2020-11-22 01:02

    Through .htaccess This will help.

    RewriteEngine On
    
    
    RewriteBase /
    RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
    
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
    

    Also, Refer this for More Detail. How To Redirect Http To Https?

    0 讨论(0)
  • 2020-11-22 01:07

    If you want to do it from the tomcat server follow the below steps

    In a standalone Apache Tomcat (8.5.x) HTTP Server, how can configure it so if a user types www.domain.com, they will be automatically forwarded to https(www.domain.com) site.

    The 2 step method of including the following in your [Tomcat_base]/conf/web.xml before the closing tag

    step 1: 
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>HTTPSOnly</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    

    and setting the [Tomcat_base]/conf/server.xml connector settings:

    step 2:
    <Connector URIEncoding="utf-8" connectionTimeout="20000" port="80" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
    <Certificate certificateKeystoreFile="[keystorelocation]" type="RSA" />
    </SSLHostConfig>
    </Connector>
    

    Note: If you already did the https configuration and trying to redirect do step 1 only.

    0 讨论(0)
  • 2020-11-22 01:08

    If you are in a situation where your cannot access the apache config directly for your site, which many hosted platforms are still restricted in this fashion, then I would actually recommend a two-step approach. The reason why Apache themselves document that you should use their configuration options first and foremost over the mod_rewrite for HTTP to HTTPS.

    First, as mentioned above, you would setup your .htaccess mod_rewrite rule(s):

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    

    Then, in your PHP file(s) (you need to do this where ever it would be appropriate for your situation, some sites will funnel all requests through a single PHP file, others serve various pages depending on their needs and the request being made):

    <?php if ($_SERVER['HTTPS'] != 'on') { exit(1); } ?>
    

    The above needs to run BEFORE any code that could potentially expose secure data in an unsecured environment. Thus your site uses automatic redirection via HTACCESS and mod_rewrite, while your script(s) ensure no output is provided when not accessed through HTTPS.

    I guess most people don't think like this, and thus Apache recommends that you don't use this method where possible. However, it just takes an extra check on the development end to ensure your user's data is secure. Hopefully this helps someone else who might have to look into using non-recommended methods due to restrictions on our hosting services end.

    0 讨论(0)
提交回复
热议问题