http https 2

[joeschoe]

My web host uses Linux and Apache for my website.
I have to have secure access for some files.
I have purchased a certificate for ssl.
How can I make some of the pages open only with http and others with https?
I write in PHP but I think this is a server problem.

 

[axman505]

You will need to have your hosting providor install the certification for you. The certificate also requires its own ip, so you may have additional fees invovled.

Otherwise, you will want to have 2 different doucment roots. This will help you sort out between the secure and non secure pages.

However, you can have both the normal and secure domains use the same document root and do some php magic to load some pages secure, but others unsecure. Its really up to you.

 

[joeschoe]

How do I make two document roots one secure and the other not? This is the crux of my problem.

 

[axman505]

Your best bet will be to contact your host tech support. Every server is set up different, so it's really hard to say.

 

[danomac]

You can also use .htaccess files to force SSL on a certain subdirectory if the host allows it.

Best to contact the host first. The .htaccess would be a reasonably fast solution if they allow it, as opposed to editing scripts.

 

[joeschoe]

Do you have an example of the htaccess directive?

 

[danomac]

Well, it should actually require two htaccess files. One is placed in the DocumentRoot that turns SSL off. The second is placed in the directories that require SSL.

This would go in the DocumentRoot:

RewriteEngine on
RewriteBase /
RewriteCond %{HTTPS} ^on$
RewriteRule ^(.*) [URL unfurl="true"]http://mywebsite.com%{REQUEST_URI}[/URL] [R]

(This forces normal access to requests.)

And this one should go in the directories that need SSL:

RewriteEngine on
RewriteBase /
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*) [URL unfurl="true"]https://mywebsite.com%{REQUEST_URI}[/URL] [R]

(This will force SSL in the directories it is placed in.)

You need to change mywebsite.com to your domain.

Note: This is a really simple way of doing it; it doesn't not force strong encryption. If you run a commerce site you really should force strong encryption.

Note 2: Be cautious about referencing URLs outside of the secured directories. This will cause browsers to display a warning to the user indicating so. An example of this is a image repository.

e.g.
DocRoot: mywebsite.com/
Image Repository: mywebsite.com/images/
Secured folder (htaccess): mywebsite.com/secure

If you have html/scripts in your secure directory that load images from your /images/ directory, they will not be served in SSL (the htaccess in the DocumentRoot changes it to non-SSL), causing the warning to appear in browsers.

 

[joeschoe]

Still not out of the woods.
I created a directory called assets
I created a .htaccess file containing:

RewriteEngine on
RewriteBase /
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*) [URL unfurl="true"]https://mywebsite.com%{REQUEST_URI}[/URL] [R]

I then ftp'd a gif file into the directory and tried viewing the gif in a browser as follows:

http://mywebsite.com/assets/test.gif

It changed the http to https, I got the warning that I an loading secure and not secure content.
The image was shown but there was no lock at the bottom of the page.

 

[danomac]

Not sure what to say here; the htaccess is working as it redirected you to the SSL url.

Have you tried it with an actual html page or php script (not that this should matter - but maybe the browser deals with images differently, as you accessed that directly.)

 

[joeschoe]

Funnily, when I load the graphic with an <IMG tag it behaves perfectly, the http gets converted to https and the lock appears at the bottom of the screen. With no warning messages.
Thanks danomac, your solution is exactly what I was looking for.