EllisLab text mark
Advanced Search
1 of 2
1
   
HTTP/HTTPS, without index.php, using htaccess, plus XHR
Posted: 24 July 2008 12:42 AM
Joined: 2008-05-02
21 posts

Removing index.php and forcing HTTP/HTTPS

I have read many posts about people trying to force HTTPS for some views and returning to HTTP for others. I struggled with this for a while too but I think this solution is pretty solid.

First of all, having your base_url automatically adjust between http and https makes everything much easier. This way all your base_url() and site_url() calls have the proper protocol.

$config['base_url'"http".((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'== "on") ? "s" "")."://".$_SERVER['HTTP_HOST'].str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME']); 

Starting with the usual htaccess file:

<IfModule mod_rewrite.c>
    
RewriteEngine on
    Options 
+FollowSymLinks
    RewriteBase 
/
    
    
RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond 
%{REQUEST_FILENAME} !-d
    RewriteRule 
^(.*)$ index.php/$1
</IfModule>

<
IfModule !mod_rewrite.c>
    
ErrorDocument 404 /index.php
</IfModule

You can then check whether HTTPS is on or not with:

RewriteCond %{HTTPS} off
RewriteCond 
%{HTTPS} on 

For example, to force HTTPS on all pages you could use the following:

RewriteCond %{HTTPS} off
RewriteRule 
^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301] 

To force HTTPS on some pages:

RewriteCond %{HTTPS} off
RewriteCond 
%{REQUEST_URI} (auth|register|secure)
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301] 

To return back to HTTP:

RewriteCond %{HTTPS} on
RewriteRule 
^(.*)$ http://%{SERVER_NAME}%{REQUEST_URI} [R=301] 

To return back to HTTP on all other pages, you need to add exceptions for the pages that are secure:

RewriteCond %{HTTPS} off
RewriteCond 
%{REQUEST_URI} (auth|register|secure)
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301]

RewriteCond %{HTTPS} on
RewriteCond 
%{REQUEST_URI} !(auth|register|secure)
RewriteRule ^(.*)$ http://%{SERVER_NAME}%{REQUEST_URI} [R=301] 

To avoid a partially encrypted page, you need to add exceptions for any other URIs you might use such as your images or scripts folder. I like to place everything in a folder called ‘static’ (‘static/images’, ‘static/js’, etc) so I only add one exception for that.

RewriteCond %{REQUEST_URI} !(static|auth|register|secure

The finished product:

<IfModule mod_rewrite.c>
    
RewriteEngine on
    Options 
+FollowSymLinks
    RewriteBase 
/
    
    
RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond 
%{REQUEST_FILENAME} !-d
    RewriteRule 
^(.*)$ index.php/$1

    RewriteCond 
%{HTTPS} off
    RewriteCond 
%{REQUEST_URI} (auth|register|secure)
    
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301]

    
RewriteCond %{HTTPS} on
    RewriteCond 
%{REQUEST_URI} !(static|auth|register|secure)
    
RewriteRule ^(.*)$ http://%{SERVER_NAME}%{REQUEST_URI} [R=301]
</IfModule>

<
IfModule !mod_rewrite.c>
    
ErrorDocument 404 /index.php
</IfModule


HTTPS and XmlHttpRequests (Ajax)

Not only do XHR calls throw security errors when you try to load content between domains but also between HTTP and HTTPS. Secondly, the headers passed by apache allow browsers to automatically redirect but the XmlHttpRequest object does not.

To solve this you would have to add an exception for any URI that you planned on accessing from one protocol to another.

Example:

RewriteCond %{REQUEST_URI} !(static|auth|register|secure|categories/get_list|products/get_types)

<?=site_url('categories/get_list');?> 

I quickly found out that this became tedious and confusing when I had a lot of requests in a secure environment. Routes to the rescue!

By adding the following to your routes file:

$route['xhr/(:any)''$1'

And adding ‘xhr’ to your list of exceptions; you can now call any URI within your application without changing protocols while still allowing the browser to view that controller using another protocol.

RewriteCond %{REQUEST_URI} !(static|xhr|auth|register|secure)

<?=site_url('xhr/categories/get_list');?> 

I hope this has been helpful!

Phil

 
Posted: 09 December 2008 07:08 PM   [ # 1 ]   [ Rating: 0 ]
Avatar
Joined: 2008-01-22
2 posts

Might be a bit late, but this is quite informative. Good post. =]

 
Posted: 10 December 2008 01:45 AM   [ # 2 ]   [ Rating: 0 ]
Joined: 2008-07-16
40 posts

thank you for bumping this up—I have not seen this post and it is exactly what I needed

 
Posted: 18 June 2009 05:16 AM   [ # 3 ]   [ Rating: 0 ]
Avatar
Joined: 2007-10-27
6 posts

Phil_B’s .htaccess is great and I’m an active user of it!

I would just drop my two cents. If you follow the rules straight all your static content will be served non SSL which is actually good for performance but will drop a Firefox alert (not all content is encrypted) and you will not get the blue/green bar.

Just a small change to make the static content, under encrypted pages, be encrypted served.

Also added the [L] (last) modifier to make the server stop processing after one of the bottom two requests (should make it micro, mini, faster).

RewriteEngine on
Options 
+FollowSymLinks

RewriteCond 
%{REQUEST_FILENAME} !-f
RewriteCond 
%{REQUEST_FILENAME} !-d
RewriteRule 
^(.*)$ index.php/$1

RewriteCond 
%{HTTPS} off
RewriteCond 
%{REQUEST_URI} (auth|register|secure|payment)
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTPS} on
RewriteCond 
%{REQUEST_FILENAME} !-f
RewriteCond 
%{REQUEST_FILENAME} !-d
RewriteCond 
%{REQUEST_URI} !(static|auth|register|secure|payment)
RewriteRule ^(.*)$ http://%{SERVER_NAME}%{REQUEST_URI} [R=301,L] 

Thanks for your code Phil_B!

Frankie

 
Posted: 18 January 2010 04:44 AM   [ # 4 ]   [ Rating: 0 ]
Avatar
Joined: 2009-06-02
5 posts

This is awesome, thank you to everyone who contributed.

 
Posted: 18 January 2011 03:24 AM   [ # 5 ]   [ Rating: 0 ]
Joined: 2010-09-16
11 posts

I tried all the rules given above. But my URL does not work under https://. I am facing 404 page not found error.
RewriteCond %{REQUEST_URI} (auth|register|secure|payment)
What does this line do?

 
Posted: 03 February 2011 10:44 AM   [ # 6 ]   [ Rating: 0 ]
Joined: 2010-09-16
11 posts

I have tried all the suggestions in this thread for Htaccess to remove index.php from Code Igniter URL.
This rewrite rules removes index.php from URL but does not display under Secure URL.
for example:
http://www.mysite.com/CodeIg/MyController —Works perfect

https://www.mysite.com/CodeIg/index.php/MyController —Works perfect

    But

https://www.mysite.com/CodeIg/MyController —Does not Work at all. It gives page not found server error.

Then I tried adding the htaccess rules in Virtual host file…
Now the Screen get displayed but without any css, js and Images included in the page.

All these folder like css, images and JS are in application directory.

Does anyone know why this problem is coming?

REply to post would be appreciated a lot….


Thanks

 
Posted: 05 February 2011 03:20 AM   [ # 7 ]   [ Rating: 0 ]
Avatar
Joined: 2011-01-10
127 posts

I think the problem is with the position of your css js and other folders. It should not be inside application folder. Instead try putting it at the same position as ur system folder. To be specific just inside your public_html folder.

 Signature 

PHP | HTML5 | Codeigniter | Opencart Developer

Personal Blog

 
Posted: 05 February 2011 03:22 AM   [ # 8 ]   [ Rating: 0 ]
Avatar
Joined: 2011-01-10
127 posts

..

 Signature 

PHP | HTML5 | Codeigniter | Opencart Developer

Personal Blog

 
Posted: 05 February 2011 10:19 AM   [ # 9 ]   [ Rating: 0 ]
Joined: 2011-02-05
2 posts

Doesn’t work for me either.
My goal is to reach the whole site ONLY via HTTPS.

With the changes from the first post, I have these results:
http://onnext.dev.local/index.php/home
http://onnext.dev.local/home
That works.

https://onnext.dev.local/index.php/home
https://onnext.dev.local/home
That does not work.

My changed htaccess(for HTTPS access)

<IfModule mod_rewrite.c>
    
RewriteEngine on
    Options 
+FollowSymLinks
    RewriteBase 
/

    
RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond 
%{REQUEST_FILENAME} !-d
    RewriteRule 
^(.*)$ index.php/$1

    RewriteCond 
%{HTTPS} off
    RewriteCond 
%{REQUEST_URI} (auth|register|secure)
</
IfModule>

<
IfModule !mod_rewrite.c>
    
ErrorDocument 404 /index.php
</IfModule

What am I doing wrong?
Do I have to add something to the VHOST-File? What would I have to add there?
Please help, Thanks

 

 

Edit:
Well, that seems to work now, but I does not redirect to the subfolder /onnext/ :-(

<IfModule mod_rewrite.c>
    
RewriteEngine on
    RewriteBase 
/onnext/

    
RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond 
%{REQUEST_FILENAME} !-d
    RewriteRule 
^(.*)$ index.php/$1

    RewriteCond 
%{HTTPS} off
    RewriteRule 
^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301]
</IfModule>

<
IfModule !mod_rewrite.c>
    
ErrorDocument 404 /index.php
</IfModule
 
Posted: 06 May 2011 06:24 PM   [ # 10 ]   [ Rating: 0 ]
Joined: 2010-12-09
13 posts

Awesome work guys. Thanks for sharing the easiest method of dealing with ssl i’ve seen yet.

One issue i’m having is that the base url is not converting to http: when i access from a page which is https:. 

EXAMPLE:
Enter site at home page -> link to ssl page -> click link “Home” button to be redirected back to base url but it does not revert to http.

Ideas?

 
Posted: 07 October 2011 08:11 PM   [ # 11 ]   [ Rating: 0 ]
Joined: 2011-05-16
3 posts

hi,

I m really noob with url_rewriter and i haven’t a lot of time to learn it. So any help would be apprecied !

my url : my_site/index.php/site1/home

and i d like url as : my_site/home


for now i use the standard code to remove the index.php who’s work perfectly :
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]

what i have to edit to have this ?


Thanks for help !

 

 
Posted: 14 December 2011 07:26 AM   [ # 12 ]   [ Rating: 0 ]
Joined: 2011-01-20
22 posts

I get a redirection erro when using this. Has anyone had this problem before?

 
Posted: 15 June 2012 09:10 AM   [ # 13 ]   [ Rating: 0 ]
Joined: 2012-01-27
11 posts

I have followed this exactly… what gives? Why does this not work? How can this be the only post referencing this issue?

My .htaccess file:

<IfModule mod_rewrite.c>
    
RewriteEngine on
    RewriteBase 
/

    
RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond 
%{REQUEST_FILENAME} !-d
    RewriteRule 
^(.*)$ index.php/$1

    RewriteCond 
%{HTTPS} off
    RewriteRule 
^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301]
</IfModule>

<
IfModule !mod_rewrite.c>
    
ErrorDocument 404 /index.php
</IfModule

It works to the point that everything is being forced to https://intranet.domain.org, but NO SUB LINKS ARE WORKING…

https://intranet.domain.org/test does not work

however

https://intranet.domain.org/index.php/test works

According to this post, the above should be the exact opposite. What am I doing wrong here?

 

 
Posted: 15 June 2012 09:14 AM   [ # 14 ]   [ Rating: 0 ]
Joined: 2012-01-27
11 posts

If it matters… the logs say this when accessing https://intranet.domain.org/test

[Fri Jun 15 09:11:58 2012] [error] [client 10.1.0.17] File does not exist: C:/Webserver/htdocs/intranet/test, referer: https://intranet.domain.org/

And this is what my URLs look like, as when I am linking to a different section:

<a href="<?php echo base_url()?>test"><span>test</span></a

The above takes me to https://intranet.domain.org/test, however, a
Not Found
The requested URL /test was not found on this server.

 
Posted: 13 July 2012 07:32 AM   [ # 15 ]   [ Rating: 0 ]
Joined: 2012-01-18
1 posts

Thank you thank you thank you thank you thank you thank you.  I was starting to lose the will to live, then you came out of the adrkness like a guiding light.  WOW, I know, what a review!!!

 
1 of 2
1