Summary of forcing HTTP-to-HTTPS redirects in an Apache environment

Source: Internet
Author: User

I. Introduction to a simple example
In general, once Apache has been configured for both HTTP and HTTPS, forcing HTTP requests over to HTTPS requires URL redirection rules. The configuration takes roughly the following steps:

1) Enable the following modules in the httpd.conf file:

    # cat /usr/local/apache/conf/httpd.conf
    .....
    # Must be enabled if an HTTPS certificate is used
    LoadModule ssl_module modules/mod_ssl.so
    .....
    # Must be enabled to force HTTP over to HTTPS
    LoadModule rewrite_module modules/mod_rewrite.so

2) Modify the httpd.conf configuration file or the httpd-vhost.conf file:

    # cat /usr/local/apache/conf/httpd.conf
    ....
    DocumentRoot "/data/vhosts"
    <Directory "/data/vhosts">
        Options FollowSymLinks MultiViews Includes
        AllowOverride All
        Require all granted
    </Directory>

3) Add the directory access control file ".htaccess" under the root of the website, with the following content:

    RewriteEngine on
    RewriteBase /
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

The meaning is as follows. To send users who visit the traditional http:// address to https://, a rewrite rule is used:
The first line starts the rewrite engine.
The third line is the rewrite condition: the server port being accessed is not port 443.
The fourth line is the regular expression: ^ is the beginning, $ is the end, /? means the slash is optional (0 or 1 occurrences), and (.*) is any number of arbitrary characters.
The meaning of the whole rule set: start the rewrite module and, for every request to the domain that does not arrive on port 443, keep the URL content unchanged and change http:// to https://.

The above configuration redirects HTTP to HTTPS for all domain names. If the HTTPS redirect is wanted only for one specific URL, the configuration is different, as follows:

Only requests to http://bo.kevin.com/beijing/ are to be forced over to https://bo.kevin.com/beijing/; other URLs are not forced from HTTP to HTTPS. Add the following to the .htaccess file:

    # cat .htaccess
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteBase /
    RewriteCond %{SERVER_PORT} 80
    # %{HTTP_HOST} holds only the Host header, never the path,
    # so the path is matched in the RewriteRule pattern instead
    RewriteCond %{HTTP_HOST} ^bo\.kevin\.com$ [NC]
    RewriteRule ^beijing/$ https://bo.kevin.com/beijing/ [R,L]
    </IfModule>

With the above configuration, the forced HTTPS redirect applies only to the single URL http://bo.kevin.com/beijing/; other URLs are not redirected when they are visited.
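The two rule sets above, modelled in Python as an added example (not part of the original article and not Apache's own code): a small evaluator for the RewriteCond/RewriteRule subset they use, run over constructed requests. It also shows that a %{HTTP_HOST} condition whose pattern includes a path never matches, so the path has to be tested in the RewriteRule pattern; the helper names and the SERVER_NAME-equals-Host simplification are assumptions.

```python
import re

def request(port, host, uri):
    # Assumption: SERVER_NAME equals the Host header. A docroot .htaccess
    # rule pattern sees the path without its leading slash.
    return {"SERVER_PORT": port, "HTTP_HOST": host, "SERVER_NAME": host,
            "REQUEST_URI": uri, "path": uri.lstrip("/")}

def expand(text, req, match=None):
    """Expand %{VAR} server variables and $N rule back-references in one pass."""
    def repl(m):
        return req.get(m.group(1), "") if m.group(1) else match.group(int(m.group(2))) or ""
    return re.sub(r"%\{(\w+)\}|\$(\d)", repl, text)

def nocase(flags):
    return re.IGNORECASE if "NC" in flags.split(",") else 0

def cond_ok(cond, req):
    test, pattern, flags = cond
    negate = pattern.startswith("!")      # a leading "!" inverts the condition
    hit = re.search(pattern[1:] if negate else pattern, expand(test, req), nocase(flags))
    return (hit is not None) != negate

def evaluate(ruleset, req):
    """Return the redirect Location, or None if the request is left alone."""
    conds, (pattern, substitution, flags) = ruleset
    # mod_rewrite matches the rule pattern first, then checks its RewriteConds.
    match = re.search(pattern, req["path"], nocase(flags))
    if match is None or not all(cond_ok(c, req) for c in conds):
        return None
    return expand(substitution, req, match)

# Page's first rule set: redirect every request not received on port 443.
ALL_HTTP = ([("%{SERVER_PORT}", "!^443$", "")],
            (r"^.*$", "https://%{SERVER_NAME}%{REQUEST_URI}", "L,R"))
# Pitfall: the Host header never contains a path, so this condition cannot match.
HOST_WITH_PATH = ([("%{SERVER_PORT}", "80", ""),
                   ("%{HTTP_HOST}", "^bo.kevin.com/beijing/", "NC")],
                  (r"^(.*)$", "https://bo.kevin.com/beijing/", "R,L"))
# Host tested in the condition, path tested in the rule pattern.
ONE_URL = ([("%{SERVER_PORT}", "80", ""),
            ("%{HTTP_HOST}", r"^bo\.kevin\.com$", "NC")],
           (r"^beijing/$", "https://bo.kevin.com/beijing/", "R,L"))

if __name__ == "__main__":
    # Constructed sample requests, not taken from the page.
    for port, uri in [("80", "/beijing/"), ("80", "/shanghai/"), ("443", "/beijing/")]:
        req = request(port, "bo.kevin.com", uri)
        print(port, uri, [evaluate(rs, req) for rs in (ALL_HTTP, HOST_WITH_PATH, ONE_URL)])
```
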

Besides the method above, other configurations can achieve the same result, for example redirecting by matching directory rules, as described below.

II. RewriteRule redirect rule parameters in Apache

The Apache module mod_rewrite provides a rewrite engine, based on a regular expression parser, that rewrites URL requests in real time. It supports a flexible and powerful URL manipulation mechanism in which each full rule can have an unlimited number of sub-rules and additional rule conditions. URL manipulation can depend on a variety of tests, such as server variables, environment variables, HTTP headers, time stamps, and even external database lookups in various formats, to match parts of the URL.

The mod_rewrite module can manipulate all parts of the URL, including the path-info section, in both server-level (httpd.conf) and directory-level (.htaccess) configuration, and can generate the final request string. The result of a rewrite can be internal sub-processing, an external request redirect, or even internal proxy processing.

The following focuses on the rules and parameters of RewriteRule. The RewriteRule directive is the core of the rewrite engine. It can be used multiple times, and each directive defines one simple rewrite rule. The order in which the rules are defined is particularly important: at run time, the rules are applied in that order.

Configuration format:
RewriteRule Pattern Substitution [flags]

1) Pattern is a Perl-compatible regular expression that is applied to the current URL.
"Current URL" means the value of the URL at the time the rule is applied. It may differ from the requested URL, because earlier rules might already have matched and changed it.

2) Substitution is the string that replaces the original URL when it matches Pattern. In addition to plain text, it can also include:
- Back-references to Pattern ($N)
- Back-references to the last matching RewriteCond (%N)
- Server variables, as in the test string of a rule condition (%{VARNAME})
- Mapping function calls (${mapname:key|default})

3) [flags], the third argument of the RewriteRule directive, is a comma-delimited list of the following flags:

3.1) 'chain|C' (chain with the next rule)
This flag chains the current rule to the next rule. It has the following effect:
If the rule matches, processing continues with its successor rule as usual, that is, the flag has no effect;
If the rule does not match, its successor rule is skipped.

For example:
When performing an external redirect in a directory-level rule set, you may need to remove the ".www" part (".www" should not appear there).

'cookie|CO=NAME:VAL:domain[:lifetime[:path]]' (set cookie): sets a cookie on the client. The name of the cookie is NAME and its value is VAL.
domain is the domain of the cookie, such as '.apache.org'; the optional lifetime is the lifetime of the cookie (in minutes), and the optional path is the path of the cookie.

3.2) 'env|E=VAR:VAL' (set environment variable)
This flag sets the environment variable VAR to the value VAL. VAL can contain regular expression back-references ($N and %N), which are expanded. This flag can be used multiple times to set multiple variables.
These variables can be referenced indirectly in many later situations, usually in XSSI (<!--#echo var="VAR" -->) or CGI ($ENV{'VAR'}), or in the CondPattern parameter of a subsequent RewriteCond directive via %{ENV:VAR}. Use it to remember information stripped from the URL.

3.3) 'forbidden|F' (force the URL to be forbidden)
Forces the current URL to be forbidden, that is, immediately returns an HTTP response code of 403 (Forbidden). With this flag, you can chain several RewriteConds to block certain URLs conditionally.

3.4) 'gone|G' (force the URL to be gone)
Forces the current URL to be gone, that is, immediately returns an HTTP response code of 410 (Gone). Use this flag to indicate that a page has been removed and no longer exists.

3.5) 'handler|H=Content-handler' (force the specified content handler)
Forces the content handler of the target file to be Content-handler. For example, it can be used to emulate the ScriptAlias directive of the mod_alias module, forcing all files in the mapped folder to be handled by the "cgi-script" handler.

3.6) 'last|L' (last rule)
Stops the rewrite operation immediately and applies no further rewrite rules. It corresponds to the last command in Perl or the break command in C.
This flag prevents the currently rewritten URL from being rewritten again by subsequent rules. For example, you can use it to rewrite the root path URL ('/') to a URL that actually exists (for example: '/e/www/').

3.7) 'next|N' (start over)
Re-runs the rewrite operation, starting again with the first rule. The URL processed this time is not the original URL but the URL produced by the last rewrite rule.
It corresponds to the next command in Perl or the continue command in C. This flag restarts the rewrite operation (jumping immediately to the top of the loop). Be careful not to create an infinite loop!

3.8) 'nocase|NC' (ignore case)
Makes Pattern case-insensitive, that is, 'A-Z' and 'a-z' are treated the same when Pattern is matched against the current URL.

3.9) 'noescape|NE' (do not escape the URI in the output)
This flag prevents mod_rewrite from applying the usual URI escaping rules to the rewritten result. Normally, special characters ('%', '$', ';', etc.) are escaped to their hexadecimal equivalents ('%25', '%24', '%3B', etc.).
This flag prevents such escaping, so that symbols such as the percent sign can appear in the output. For example, RewriteRule /foo/(.*) /bar?arg=P1\%3d$1 [R,NE] turns '/foo/zed' into the safe request '/bar?arg=P1=zed'.

3.10) 'nosubreq|NS' (do not process internal sub-requests)
This flag forces the rewrite engine to skip the rewrite rule when the current request is an internal sub-request. For example, when mod_include searches for the directory default file (index.xxx), Apache generates a sub-request internally. For sub-requests, rewrite rules are not necessarily useful, and they may even cause errors if the whole rule set is applied. You can therefore use this flag to exclude certain rules.
Usage guideline: if you add a CGI script prefix to URLs to force them to be handled by a CGI script, sub-request processing is likely to produce errors (or resource overhead); in that case, use this flag.

3.11) 'proxy|P' (force proxy)
This flag forces the substitution to be sent internally as a proxy request; the rewrite process stops immediately and processing is handed over to the mod_proxy module.
You must make sure that the substitution string is a valid URI that mod_proxy can handle (for example, one starting with http://hostname), otherwise the proxy module returns an error.
With this flag, remote content can be mapped into the namespace of the local server, which extends what the ProxyPass directive can do.
Note: to use this feature, the mod_proxy module must be enabled.
