Tweaking Slim's .htaccess

jjshell · December 5, 2013, 2:58pm

Hello,

I’m using the Slim PHP framework. Here’s the .htacces that comes with the framework.


RewriteEngine On

# Some hosts may require you to use the `RewriteBase` directive.
# If you need to use the `RewriteBase` directive, it should be the
# absolute physical path to the directory that contains this htaccess file.
#
# RewriteBase /

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]

I would lik to do two things:

a) Redirect all HTTP requests to their HTTPS counterparts.
b) Point to an index.php file that is located in an “application” folder.

Here’s what I came up with (not working):


RewriteRule ^https:\\/\\/.*/application/index.php [QSA,L]



Thanks in advance.

Regards. :)

-jj

cpradio · December 5, 2013, 4:38pm

I think you actually want:

RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%/application/index.php [QSA,R=302,L]

If HTTPS is off, redirect all traffic to https passing along any querystring data.

jjshell · December 6, 2013, 8:21am

Hello,

Many thanks!

Just a quick question: shouldn’t we check if HTTPS is “on” rather than “off”? What if I know for a fact that HTTPS is enabled? Do I still need the RewriteCond?

Regards,

-jj.

cpradio · December 6, 2013, 10:18am

You wanted to redirect HTTP requests to HTTPS, so you are going from someone accessing your site using HTTP (which means HTTPS is off for the request). Hopefully that makes sense. If you don’t use that condition, it will try to redirect ALL requests no matter where they came from, HTTP or HTTPS to a HTTPS url. So you’ll end up in an infinite loop. If you change it to “on”, it will redirect HTTPS to HTTPS and that is pointless.

wwb_99 · December 6, 2013, 5:25pm

FWIW, we usually just set up a separate HTTP redirects site. Much cleaner – loads simpler to make sure the secure site only listens to HTTPS and it keeps the rewriting much cleaner.

jjshell · December 9, 2013, 2:00pm

@cpradio: thanks for the clarification!

@wwb_99: How would I do that? My guess is: check the incoming request using a $_SERVER variable, check if “http:” then redirect to the “https” equivalent.

wwb_99 · December 10, 2013, 7:05am

Not really – more like you’ve got one virtual site bound to *:80 which only lives to redirect everything to *:443. Render unto infrastructure what is infrastructure’s so to speak.

dklynn · December 12, 2013, 11:50pm

cp,

{HTTPS} can only have “on” or is null therefore “off” should never match. Okay, at least that’s the way it was years ago when I learned to match “on” or “not on” … but I preferred to use the {SERVER_PORT} and match either 80 or 443 as that would always work.

If anyone know that {HTTPS} has been changed (“on” or “off|null”), please show a link to Apache.org where this is specified.

Regards,

DK

cpradio · December 12, 2013, 11:55pm

No idea if I am mis-reading this:

HTTPS
Will contain the text “on” if the connection is using SSL/TLS, or “off” otherwise. (This variable can be safely used regardless of whether or not mod_ssl is loaded).

source: http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html

dklynn · December 13, 2013, 4:52am

cp,

OMG! Things have changed. Thanks for that!

Regards,

DK