
Re: [cobalt-security] [question] how to urge users to https sites



On Wed, 2001-12-26 at 05:20, markus noeske wrote:
> on the cobalt servers behind every https page there
> is (because of a lack of the web-based configuration)
> always a http site with the same name
> that can be accessed without ssl-encryption. is
> there a way to implement a require https in a
> .htaccess file together with a user authentication
> like require valid user?
> 
> regards
> markus
> p.s. this was a topic a few months ago
> 
I remember when this was a topic a few months ago, and I'm not sure why
I didn't think of this then, but here's an idea...

First, I don't like .htaccess files in the site root if it can be
avoided.  It adds unneeded overhead to every request in the site. 
Instead, I prefer to put site-wide changes in the httpd.conf file. 
Either will work though.

My httpd.conf file has these rewrite rules already:
RewriteEngine on
RewriteCond %{HTTP_HOST}          !^192.168.0.2(:80)?$
RewriteCond %{HTTP_HOST}          !^www.somewhere.net(:80)?$
RewriteRule ^/(.*)                http://www.somewhere.net/$1 [L,R]
RewriteOptions inherit
AliasMatch ^/~([^/]+)(/(.*))? /home/sites/home/users/$1/web/$3

You should be able to change this to cause the rewriting to direct the
users to https, I think.

Right now, I know the above rules will take any imperfect domain match
and rewrite it to the correct domain.  If I were to type
http://somewhere.net it would direct me to http://www.somewhere.net.  I
believe the 'R' in the [L,R] causes it to change what is displayed in
the browser address bar.

There are some very knowledgeable people who know more about rewriting
than I.  You may want to post another question to the cobalt-developer
list for additional help.  Also, I typically go to the
www.phpbuilder.com website when I need to ask Apache questions.  There
are some major Apache gurus hanging out on their message boards.

Matt Nuzum
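
One way to combine the two requirements discussed in this thread (force https, then require a valid user), as an added example that is not part of the original message and not Cobalt's own configuration. It reuses the www.somewhere.net and 192.168.0.2 values from the rules above; the virtual host layout, the protected directory, the realm name and the password file path are assumptions.

```apache
# Added example. Paths, realm name and vhost layout are assumed, not from the post.

# Plain-http virtual host: send every request to the https site.
<VirtualHost 192.168.0.2:80>
    ServerName www.somewhere.net
    RewriteEngine on
    # The port test keeps the rule from looping if it is inherited by the
    # SSL host through "RewriteOptions inherit".
    RewriteCond %{SERVER_PORT} !^443$
    # Rules in server/virtual-host context run before authentication, so the
    # browser is redirected before any password prompt appears on port 80.
    RewriteRule ^/(.*) https://www.somewhere.net/$1 [L,R]
</VirtualHost>

# Protected area (hypothetical directory). These directives may also be placed
# in that directory's .htaccess when AllowOverride includes AuthConfig.
<Directory "/home/sites/home/web/private">
    # mod_ssl: refuse the request outright unless the connection uses SSL.
    # This is an access check, evaluated before the user is asked to log in.
    SSLRequireSSL
    AuthType Basic
    AuthName "Restricted area"
    # Hypothetical password file, kept outside the web root.
    AuthUserFile /home/sites/home/.htpasswd
    require valid-user
</Directory>
```

A redirect written as a RewriteRule inside .htaccess is applied in the per-directory fixup phase, after authentication, so on its own it would let the Basic auth prompt and the password travel over plain http first. SSLRequireSSL closes that gap because the plain-http request is rejected before credentials are requested.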