Add SSL *only* to specific folder


Problem description


I want to redirect users to the SSL secure server when they are accessing the 'Account' section of the site which will contain the forms for user profiles, settings, etc. However, I don't want users being able to access the rest of the site on the SSL server. Because of how I coded my templates, I have my paths set as <a href="/about"> as an example. If they are in the Account section and click a link to the About section, they would still be on the secure https: connection. Obviously, I can just hard code the links to link to the http:// server, but I'm looking for alternatives.

So far I have the following in my .htaccess and it is working, but I'm wondering if this is more resource intensive than it needs to be? Is it better to hardcode links to any of the other 'non-account' sections, or is doing this via .htaccess a good way to go about it?

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond $1 ^(account) [NC]
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTPS} on
RewriteCond $1 ^(about|terms|products) [NC]
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


Also, if I wanted to prevent the homepage from being accessed via https:// how would I go about adding that to my .htaccess file?

Recommended answer

I would actually suggest avoiding rewrite rules for this.

The problem with rewrite rules that turn http requests into https requests is that they're in fact redirections. This means that for every http request that is to be turned into an https request, the browser is first going to make the full http request (including content and cookies, except secure ones), get the redirection code from the server and then make the request again to the https re-written URL.

Although this is convenient, if you rely on this instead of making sure the links on your site that are intended to be to https sections are indeed using https, it will make it hard to detect when those links are incorrectly redirecting to the http variant.

Typical consequences are:

  • mixed content warnings if you embed something using an http link later turned automatically and transparently into https, which is a bad thing; and
  • possible leakage of data.

Instead, I would suggest that you don't use automatic rewrite/redirects and make sure the sections that are meant to be available via HTTPS only are not available at all on the plain HTTP variant (i.e. http://yourhost/account should return 404s): this will at least force you to notice when you've incorrectly linked and help you spot where you could have a security issue. Ultimately, although they share the same host name, an http site and an https site can have two distinct URL spaces: it's not a bad thing in this context.

The only case I see where rewrites from http to https are really useful is when you want to make sure the user's entry point to your site is redirected.

Rewrites from https to http don't present this problem of course.
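Putting the answer's recommendation into .htaccess form (an added example, not code from the original question or answer): the account section returns 404 over plain HTTP instead of being redirected, the public sections and the homepage are pushed back to plain HTTP, and only a single entry point (the /login path is assumed here) redirects to HTTPS.

```apache
# Added example, not from the original post. Assumes the same layout as the
# question: /account is HTTPS-only; /about, /terms, /products and the
# homepage are plain HTTP; /login is an assumed entry point.
RewriteEngine On

# 1. HTTPS-only section: over plain HTTP, do NOT redirect, answer 404.
#    A stray http:// link to /account now fails visibly instead of being
#    silently "fixed" after the browser has already sent cookies in clear.
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^/account(/|$) [NC]
RewriteRule .* - [R=404,L]

# 2. Public sections and the homepage stay on plain HTTP. As the answer
#    notes, an https -> http redirect does not carry the same risk, since
#    the first request was already made over the encrypted connection.
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} ^/(about|terms|products)(/|$) [NC,OR]
RewriteCond %{REQUEST_URI} ^/$
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 3. The one http -> https redirect the answer considers useful: a single,
#    known entry point into the secure area. (/login is an assumed path.)
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^/login$ [NC]
RewriteRule .* https://%{HTTP_HOST}/account/ [R=301,L]
```

Because rule 1 answers with a status code outside 300-399, Apache drops the substitution and stops processing, so no further rules apply to that request.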
