Add SSL *only* to specific folder
Problem description
I want to redirect users to the SSL secure server when they are accessing the 'Account' section of the site which will contain the forms for user profiles, settings, etc. However, I don't want users being able to access the rest of the site on the SSL server. Because of how I coded my templates, I have my paths set as <a href="/about"> as an example. If they are in the Account section and click a link to the About section, they would still be on the secure https: connection. Obviously, I can just hard code the links to link to the http:// server, but I'm looking for alternatives.
So far I have the following in my .htaccess and it is working, but I'm wondering if this is more resource intensive than it needs to be? Is it better to hardcode links to any of the other 'non-account' sections, or is doing this via .htaccess a good way to go about it?
RewriteEngine On
# Plain-HTTP requests for the account section are redirected to https
RewriteCond %{HTTPS} off
RewriteCond $1 ^(account) [NC]
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# HTTPS requests for the public sections are sent back to http
RewriteCond %{HTTPS} on
RewriteCond $1 ^(about|terms|products) [NC]
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Also, if I wanted to prevent the homepage from being accessed via https:// how would I go about adding that to my .htaccess file?
I would actually suggest avoiding rewrite rules for this.
The problem with rewrite rules that turn http requests into https requests is that they're in fact redirections. This means that for every http request that is to be turned into an https request, the browser is first going to make the full http request (including content, cookies, except secure ones), get the redirection code from the server and then make the request again to the https re-written URL.
Although this is convenient, if you rely on this instead of making sure the links on your site that are intended to be to https sections are indeed using https, it will make it hard to detect when those links are incorrectly redirecting to the http variant.
The typical consequences are:
- mixed content warnings if you embed something using an http link later turned automatically and transparently into https, which is a bad thing; and
- possible leakage of data.
Instead, I would suggest that you don't use automatic rewrite/redirects and make sure the sections that are meant to be available via HTTPS only are not available at all on the plain HTTP variant (i.e. http://yourhost/account should return 404s): this will at least force you to notice when you've incorrectly linked and help you spot where you could have a security issue. Ultimately, although they share the same host name, an http site and an https site can have two distinct URL spaces: it's not a bad thing in this context.
The only case I see where rewrites from http to https are really useful is when you want to make sure the user's entry point to your site is redirected.
Rewrites from https to http don't present this problem of course.
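An .htaccess laid out the way the answer recommends, added here as an example rather than taken from the poster's configuration; it assumes Apache 2.4 with mod_rewrite and that "account" is the only HTTPS-only section:

```apache
# Added example, not the poster's .htaccess: the layout the answer argues for.
# Assumes Apache 2.4 with mod_rewrite enabled, .htaccess at the DocumentRoot,
# and "account" as the only section that must be served over HTTPS.
RewriteEngine On

# 1. The HTTPS-only section does not exist over plain HTTP at all.
#    No redirect: a link that wrongly points at http://host/account/... fails
#    visibly with a 404 instead of being silently "repaired" after the browser
#    has already sent the request (and its non-Secure cookies) in the clear.
#    With a non-3xx status the "-" substitution is dropped and the status is
#    returned directly, so no target URL is needed.
RewriteCond %{HTTPS} off
RewriteRule ^account(/|$) - [R=404,NC,L]

# 2. The one http -> https redirect the answer considers worthwhile: the
#    site's entry point, so a user typing the bare host name lands on HTTPS.
RewriteCond %{HTTPS} off
RewriteRule ^$ https://%{HTTP_HOST}/ [R=301,L]

# 3. Sending the public sections back to plain HTTP does not have the
#    redirect-after-the-fact problem described above, so this rule can stay.
RewriteCond %{HTTPS} on
RewriteRule ^(about|terms|products)(/|$) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,NC,L]

# Caveat: behind a TLS-terminating proxy or load balancer %{HTTPS} is "off"
# for every request; test the X-Forwarded-Proto header there instead.
```

After deploying, `curl -sI http://yourhost/account` should return a 404 while `curl -sI https://yourhost/account` returns the page as before; any other result means a rule is not matching as intended.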