我试图重定向所有不安全的HTTP请求在我的网站(例如http://www.example.com)到HTTPS (https://www.example.com)。我如何在.htaccess文件中做到这一点?

我用的是PHP。


当前回答

Not only can you do this in your .htaccess file, you should be doing this period. You will also want to follow the steps here to get your site listed on the HSTS preload list after you implement this redirect so that any requests to the insecure http version of your website never make it past the user agent. Instead, the user agent checks the requested URI against a baked in list of https only websites and, if the requested URI is on that list, changes the protocol from http to https before transmitting the request to the server. Therefore, the insecure request never makes it out into the wild and never hits the server. Eventually when the internet changes over to https only the HSTS preload list will not be needed. Until then, every site should be using it.

为了执行重定向,我们需要启用重写引擎,然后将所有流量从http端口80重定向到https。

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://yourwebsite.tld/$1 [L,R=301]

其他回答

正如我在这个问题中所说的,我建议您避免盲目地将所有HTTP请求重定向到其HTTPS对等物,因为这可能会使您对安全性产生错误的印象。相反,您应该将HTTP站点的“根”重定向到HTTPS站点的根,并从那里链接到HTTPS。

问题是,如果HTTPS站点上的某些链接或表单使客户端向HTTP站点发送请求,那么在重定向之前,其内容将是可见的。

例如,如果一个通过HTTPS提供服务的页面有一个<form action="http://example.com/doSomething">的表单,并且发送了一些不应该明确发送的数据,浏览器将首先将完整的请求(包括实体,如果它是POST)首先发送到HTTP站点。重定向将立即发送到浏览器,由于大量用户禁用或忽略警告,它很可能被忽略。

Of course, the mistake of providing the links that should be to the HTTPS site but that end up being for the HTTP site may cause problems as soon as you get something listening on the HTTP port on the same IP address as your HTTPS site. However, I think keeping the two sites as a "mirror" only increases the chances of making mistakes, as you may tend to make the assumption that it will auto-correct itself by redirecting the user to HTTPS, whereas it's often too late. (There were similar discussions in this question.)

Apache文档不建议使用重写:

要重定向http url到https,请执行以下操作: < VirtualHost *: 80 > ServerName www.example.com 重定向/ https://www.example.com/ < /虚拟主机> < VirtualHost *: 443 > ServerName www.example.com #……SSL配置在这里 < /虚拟主机>

这段代码应该放在主服务器配置文件中,而不是像问题中要求的那样放在.htaccess中。

这篇文章可能是在问题被提出和回答之后才出现的,但似乎是目前的做法。

我尝试了所有我能在互联网上找到的。htaccess配置,但没有一个有效。 然后,我意识到Apache不鼓励使用mod_rewrite。

我的解决方案是在以下文件夹下编辑apache配置文件: /etc/apache2/sites-enabled

您将有一个名为000-default.conf的强制文件和一个名为000-default-le-ssl.conf的ssl配置文件(如果您从letsencrypt/certbot安装了ssl证书)。但是,这些文件的名称可能不同,这取决于您在设置网站时提供的文件名。

在000-default.conf中,我在<VirtualHost *:80>中编辑了以下内容:

<VirtualHost *:80>
    ServerName example.com
    Redirect / https://example.com/
</VirtualHost>

在000-default-le-ssl.conf中,我在<VirtualHost *:80>中编辑了以下内容:

<VirtualHost *:80>
    ServerName example.com
    Redirect / https://example.com/
</VirtualHost>

不需要其他重定向。

保存文件,然后使用sudo service apache2 restart重启apache服务器

在.htaccess文件中使用以下代码自动将访问者重定向到站点的HTTPS版本:

RewriteEngine On

RewriteCond %{HTTPS} off

RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

如果你有一个现有的。htaccess文件:

不要重复“重写引擎”。

确保以RewriteCond和RewriteRule开头的行立即跟随已经存在的RewriteEngine On。

这是html重定向方法,它的工作,但不是最好的。

 <meta http-equiv="Refresh" content="0;URL=https://www.example.com" />

PHP方法

<?php
function redirectTohttps() {
    if ($_SERVER['HTTPS']!="on") {
        $redirect= "https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
        header("Location:$redirect"); 
    } 
}
?>

.htaccess approch

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

抄袭: www.letuslook.org