Redirect SSL with .htaccess
If you use an SSL certificate to secure pages on your website, you may want to setup your server to always display non-secure pages using ‘http’ instead of ‘https’.
In terms of search engine optimisation it is advisable that your server is setup to display a single version of a page to avoid duplication.
In other words, when an SSL certificate is setup, it generally means that every page on the site is available at http://www.yoursitedomain.com and https://www.yoursitedomain.com. Other than duplicate content, this can also cause the splitting of link equity between two versions of the same page. Which can happen when a user navigates to a secure page on your site (‘https’) and then navigates to other areas of the site whilst still remaining on the secure version of the site (which is the default behaviour on most Apache servers with SSL installed).
How to Create .htaccess Files
To create .htaccess files you will need to use a simple text editor such as Notepad on Windows or TextEdit on an Apple Mac. The .htaccess file should be saved with no file extension and it is important to include the full stop ‘.’ at the beginning of the filename. To do this, click Save As, and name the file .htaccess. If the program tries to save the file as .rtf or .txt, change this option to All Files.
Redirect Folder to HTTPS
Create the following .htaccess file and place it within the folder that you want to serve using SSL. Change the domain name and folder name to match your sites requirements. The .htaccess file will redirect http://www.yousitedomain.com/foldername/ to https://www.yoursitedomain.com/foldername/, it will also redirect any other pages within the folder to the ‘https’ version.
RewriteEngine On
RewriteCond %{SERVER_PORT} !=443
RewriteCond %{REQUEST_URI} foldername
RewriteRule ^(.*)$ https://www.yoursitedomain.com/foldername/$1 [R=301,L]
Redirect Non-Secure Pages to HTTP
The following .htaccess file needs to be placed in the websites root folder. Change the domain name to match your sites requirements.
RewriteEngine On
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.*)$ http://www.yousitedomain.com/$1 [R=301,L]
Please Note: When making adjustments to your server settings, please test the above method thorougly to check that it works correctly in all situations. Server’s can be setup with various different configurations. If this is the case the above .htaccess files may not work in their current format. It may be a simple case of changing the port settings in the .htaccess files or you may need to contact your website host for more information.
This does not work for ie7. While the address bar says https when I am in the secured directory, ie does not recognize it as a secure page, the LOCK icon appears at first but then disappears.
Any thoughts why?
Hi Jim,
Yes that is because you are serving a mixture of secure and unsecure elements on the same page. So it checks… shows the lock symbol… then the lock symbol disappears because unsecure content is being displayed.
To fix this you have to make sure all elements such as external JavaScript, CSS and images are being served from a directory that is SSL secured.
If you look at the source code for this page: https://brightscape.net/contact/ you’ll see that’s what I’ve done to ensure all content served on the page is served from https rather than http.
There are other ways to acheive this, but I found this way works just fine for my needs.
I hope that helps Jim
Everything is secure, and in every other browser displays the page as secure. It seems to have to do with the rewrite code in my root directory that I used from your above post. It seems when i remove it the page secures properly, but once I include the code to redirect to non-secure pages it makes the secure page display unsecure even though the url starts with https
If the error is only happening in IE7 then it sounds like a bug in that browser. I did a quick search which suggests there are some partial encryption bugs in IE7 when using .htaccess. I haven’t had that problem when I test my pages on IE7 so I can’t replicate the issue. If in find a solid solution for IE7 I’ll post an update to the article.
Thanks! It’s always fun to blame things on ie
So I figured out what the problem is, similar to what you stated before, My images, js, and css files are coded with https: but since they point to a directory outside of the secure directory the htaccess rewrite tells the browser that they are insecure.
I see what you did, basically duplicated the files and sticking them into the secure directory. Is there any way I can not duplicate the files to store them in a secure directory?
Hi Jim
I did some research and found some ways of using .htaccess to make the files appear like they are in a secure directory. Unfortunately I didn’t find they worked for me. As I’m sure you know .htaccess doesn’t always play fair on shared hosting accounts.
I found the easiest way was to duplicate the file structure in a secure folder and do a find and replace for http to https. Although you could always just use relative file paths to avoid the necessity to do that entirely.
Thanks!