12 replies to this topic

[Shutupquare]

Hi all been banging my head against a wall on this one and looked at a lot of articles.
I'm trying to rewrite 3 sections of a wordpress site to https if they are accessed over http:

/cart/

/my-account/

/checkout/

As well as these rewrite's worpress has added a rewrite to remove index.php out of the url.
The index.php rewrite is about the only thing that is working.
here is my .htaccess

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} (checkout|cart|my-account)
RewriteRule ^(.*)$ [url="https://%{SERVER_NAME}%{REQUEST_URI}"]https://%{SERVER_NAME}%{REQUEST_URI}[/url] [R=302,L]

# BEGIN WordPress
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

</IfModule>

# END WordPress

It redirects to the https but then gets stuck in a loop and the browser will complain of a loop. Any rewrite guru's in here.

Edited by Shutupquare, 19 February 2013 - 11:26 AM.

[Shutupquare]

Okay somthing strange happened when i posted the .htaccess here it is raw.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} (checkout|cart|my-account)
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=302,L]

# BEGIN WordPress
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

</IfModule>

# END WordPress

[requinix]

I'm probably just missing it but I don't see a loop [edit] unless you don't have SSL set up [/edit]. Where does the browser get redirected to?

Edited by requinix, 19 February 2013 - 06:35 PM.

[Shutupquare]

I'm probably just missing it but I don't see a loop [edit] unless you don't have SSL set up [/edit]. Where does the browser get redirected to?

Thanks for the reply,

It gets redirected to the https: version of the page but the page never shows as it complains about a loop.

if I run curl on the page to negate any caching problems

PS C:\Users\Stephen> C:\Users\Stephen\Downloads\curl-7.23.1-win64-ssl-sspi\curl.exe -k -i http://www.mysite.com/cart
HTTP/1.1 302 Found
Date: Wed, 20 Feb 2013 09:07:06 GMT
Server: Apache
Location: https://www.mysite.com/cart
Vary: Accept-Encoding
Content-Length: 285
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.mysite.com/cart">here</a>.</p>
<hr>
<address>Apache Server at www.mysite.com Port 80</address>
</body></html>

PS C:\Users\Stephen> C:\Users\Stephen\Downloads\curl-7.23.1-win64-ssl-sspi\curl.exe -k -i https://www.mysite.com/cart
HTTP/1.1 302 Found
Date: Wed, 20 Feb 2013 09:07:06 GMT
Server: Apache
Location: https://www.mysite.com/cart
Vary: Accept-Encoding
Content-Length: 285
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.mysite.com/cart">here</a>.</p>
<hr>
<address>Apache Server at www.mysite.com Port 80</address>
</body></html>

If I got to the http url I get rightfully redirected to the https url, but when I go to the https url I get redirected back to the https url again even though i'm already on it.

[requinix]

Modify the Rule to

RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI}---%{HTTPS} [R=302,L]

Where does it try to redirect you? Specifically, what does that URL imply about the value of HTTPS?

[Shutupquare]

Just tried it here is the results:

PS C:\Users\Stephen> C:\Users\Stephen\Downloads\curl-7.23.1-win64-ssl-sspi\curl.exe -k -i https://www.mysite.com/cart
HTTP/1.1 302 Found
Date: Wed, 20 Feb 2013 11:43:11 GMT
Server: Apache
Location: https://www.mysite.com/cart---off
Vary: Accept-Encoding
Content-Length: 291
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.mysite.com/cart---off">here</a>.</p>
<hr>
<address>Apache Server at www.mysite.com Port 80</address>
</body></html>

Cheers.

[Shutupquare]

So somehow it thinks that it's not on https even though it very much is. Would this have something to do with internal rewrites in Wordpress?

[Shutupquare]

Okay I've got a feeling this host is behind a proxy.

[requinix]

That would certainly explain it. Look at $_SERVER["REMOTE_ADDR"]: if it's a LAN address like 10.* or 192.* then it's probably behind a proxy. (If not, it still could be.) Also $_SERVER["SERVER_PORT"] will be 80 for HTTP and 443 for HTTPS.

Edited by requinix, 20 February 2013 - 01:30 PM.

[Shutupquare]

Yeah I checked them out yesterday,

$_SERVER["SERVER_PORT"] = 80 for both http and https,

however

$_SERVER["REMOTE_ADDR"] shown my IP address for http and https, but the proxy could pass that through right?

Edited by Shutupquare, 21 February 2013 - 07:17 AM.

[requinix]

No, that's not something that a proxy could safely change. It would break HTTPS, for one.

There's something else going on. Contact your web host and see what they're doing.

[Shutupquare]

It wouldn't break https if the proxy server was the one doing the ssl, Client connect securely to proxy, proxy connects insecurely to wordpress webserver. Sure the connection between proxy and webserver is insecure but it's internal and could even be on the same host. I don't think it would pass any PCI compliance checks though!

[requinix]

I meant the proxy forging the IP address would break it.

[edit] Because then the web server would try to send traffic to that fake IP address (the client), except the client would receive HTTP data instead of the HTTPS it was expecting (assuming the proxy also set the source port to the client's). Don't know what would happen but there would certainly be some problems somewhere.

Edited by requinix, 21 February 2013 - 04:44 PM.