[Techtalk] implementing HTTPS-only sitewide
Maria McKinley
maria at shadlen.org
Wed Sep 5 18:35:44 UTC 2012
On 9/5/12 1:23 AM, Veronica K. B. Olsen wrote:
> On 5 September 2012 07:32, Carla Schroder <carla at bratgrrl.com> wrote:
>
>> howdy techtalkers,
>>
>> I need to figure out the best way to implement HTTPS for a client's site,
>> and
>> it's driving me buggy. It's Drupal 7 on Apache on CentOS 6. We have an SSL
>> cert already installed. The problem I'm struggling with is how to
>> implement it
>> in a way that doesn't get in the way of site visitors; I have actually seen
>> suggestions to force HTTPS only by closing port 80, and to serve up an
>> error
>> page for all HTTP requests that tells the user to type HTTPS. That is
>> definitely not an option; it must be handled by the server.
>>
>> I'm thinking the cleanest way, from the perspective of site visitors, is to
>> redirect all HTTP requests to HTTPS. Just force HTTPS sitewide. Then I
>> don't
>> have to worry about accidentally missing a page or a form. So how do I do
>> this? In Apache? Drupal? I've seen many different suggestions, and most of
>> them
>> look bizarre, and it seems odd that something this important is so poorly-
>> documented. So help plz.
>>
>> thanks in advance,
>>
>> Carla
>>
>> btw I am developing great dislike for CPanel and other "helpful" frontends.
>> They make a gawdawful mess sometimes!
>> --
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Carla Schroder
>> ace Linux nerd
>> author of Linux Cookbook,
>> Linux Networking Cookbook,
>> Book of Audacity
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> _______________________________________________
>> Techtalk mailing list
>> Techtalk at linuxchix.org
>> http://mailman.linuxchix.org/mailman/listinfo/techtalk
>>
>
> I have a private webserver set up with Ubuntu and Apache2.
> I do pretty much what you're asking (I think). This is how I do it:
>
> I have this bit added to /etc/apache2/sites-available/default
>
> <Directory /var/www/>
> Options Indexes FollowSymLinks MultiViews
> AllowOverride None
> Order allow,deny
> allow from all
> RewriteEngine On
> RewriteCond %{HTTPS} off
> RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
> </Directory>
>
> This redirects all requests to Https.
>
> –Veronica
This is approximately what I was going to say. For some reason the
RewriteCon and Rewrite rule are often in .htaccess, but I've never
understood why.
~maria
More information about the Techtalk
mailing list