我试图重定向所有不安全的HTTP请求在我的网站(例如http://www.example.com)到HTTPS (https://www.example.com)。我如何在.htaccess文件中做到这一点?
我用的是PHP。
我试图重定向所有不安全的HTTP请求在我的网站(例如http://www.example.com)到HTTPS (https://www.example.com)。我如何在.htaccess文件中做到这一点?
我用的是PHP。
当前回答
正如我在这个问题中所说的,我建议您避免盲目地将所有HTTP请求重定向到其HTTPS对等物,因为这可能会使您对安全性产生错误的印象。相反,您应该将HTTP站点的“根”重定向到HTTPS站点的根,并从那里链接到HTTPS。
问题是,如果HTTPS站点上的某些链接或表单使客户端向HTTP站点发送请求,那么在重定向之前,其内容将是可见的。
例如,如果一个通过HTTPS提供服务的页面有一个<form action="http://example.com/doSomething">的表单,并且发送了一些不应该明确发送的数据,浏览器将首先将完整的请求(包括实体,如果它是POST)首先发送到HTTP站点。重定向将立即发送到浏览器,由于大量用户禁用或忽略警告,它很可能被忽略。
Of course, the mistake of providing the links that should be to the HTTPS site but that end up being for the HTTP site may cause problems as soon as you get something listening on the HTTP port on the same IP address as your HTTPS site. However, I think keeping the two sites as a "mirror" only increases the chances of making mistakes, as you may tend to make the assumption that it will auto-correct itself by redirecting the user to HTTPS, whereas it's often too late. (There were similar discussions in this question.)
其他回答
如果你正在使用亚马逊Web服务弹性负载均衡器,它接受https流量并通过http将其路由到你的服务器,这里描述了将所有http流量重定向到https的正确方法:https://aws.amazon.com/premiumsupport/knowledge-center/redirect-http-https-elb
使用X-Forwarded-Proto报头(包含http或https),它总是包含在来自负载均衡器的http请求中,如下所述:https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html
在httpd.conf文件中:
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]
</VirtualHost>
或者在你的根文件。htaccess中:
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]
好处:它不会尝试重定向本地开发机器上的http流量。
在.htaccess文件中添加以下代码:
Options +SymLinksIfOwnerMatch
RewriteEngine On
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^ https://[your domain name]%{REQUEST_URI} [R,L]
其中[您的域名]是您网站的域名。
你也可以重定向特定的文件夹从你的域名通过替换上面的最后一行代码:
RewriteRule ^ https://[your domain name]/[directory name]%{REQUEST_URI} [R,L]
正如我在这个问题中所说的,我建议您避免盲目地将所有HTTP请求重定向到其HTTPS对等物,因为这可能会使您对安全性产生错误的印象。相反,您应该将HTTP站点的“根”重定向到HTTPS站点的根,并从那里链接到HTTPS。
问题是,如果HTTPS站点上的某些链接或表单使客户端向HTTP站点发送请求,那么在重定向之前,其内容将是可见的。
例如,如果一个通过HTTPS提供服务的页面有一个<form action="http://example.com/doSomething">的表单,并且发送了一些不应该明确发送的数据,浏览器将首先将完整的请求(包括实体,如果它是POST)首先发送到HTTP站点。重定向将立即发送到浏览器,由于大量用户禁用或忽略警告,它很可能被忽略。
Of course, the mistake of providing the links that should be to the HTTPS site but that end up being for the HTTP site may cause problems as soon as you get something listening on the HTTP port on the same IP address as your HTTPS site. However, I think keeping the two sites as a "mirror" only increases the chances of making mistakes, as you may tend to make the assumption that it will auto-correct itself by redirecting the user to HTTPS, whereas it's often too late. (There were similar discussions in this question.)
这对我来说很管用:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
例如,http://server/foo?email=someone%40example.com可以正常重定向,没有任何问题。 文件.htaccess位于网站根文件夹(例如名为public_html)。 它是可以使用的 重写%{SERVER_PORT} !^443$ instead of重写%{HTTPS} !on
我喜欢这种从http重定向到https的方法。因为我不需要为每个网站编辑它。
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]