Home / server / Questions / 357206
Accepted
Urda
Asked: 2012-02-07 05:47:27 +0800 CST

How do I avoid URL redirect when using SSLRequireSSL + ErrorDocument

  • 772

Ok, so I have an Apache host I'm working on (shared host) who has this in their root .htaccess file.:

Options -Indexes

SSLOptions +StrictRequire

ErrorDocument 401 "<!DOCTYPE html><html lang='en'> ... "
ErrorDocument 403 "<!DOCTYPE html><html lang='en'> ... "

SSLRequireSSL

So when a user tries to connect without SSL, they are prompted with the custom 403 html listed in the file. This occurs while keeping their old URL in the address bar so they can just add the https quickly.

However, for error page improvements, it is desired to load a php file from ./error and use that file in the definition for ErrorDocument. Now this is the kicker, if one just specifies the document directly...

ErrorDocument 403 /error/script.php

They will get another 403 or Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request. since the connection to the file is not under SSL. In an attempt to fix that, one may try this...

ErrorDocument 403 https://site.tld/error/script.php

But that redirects the client to https://site.tld/error/script.php which is UNDESIRED because they have to retype the url, and thus unable to just change the http to https.

So, I imagine I must do one of the following:

  • EXCLUDE ./error from the SSL requirement with some .htaccess handling OR
  • Build a REWRITE rule that detects the use of an error page, and doesn't rewrite the URL

I was unable to do either of this things yesterday. Perhaps neither of those options are viable, but I'm stuck at what to do.

How can I instruct .htaccess to allow http connections in ./error, or some other fix, so I still get my error pages, but the client still keeps their original URL?

apache-2.2 ssl .htaccess

1 Answers

  1. Best Answer

    Ok, here is my fix for now.

    I have a folder structure as follows:

    / (web root)
|
|- .htaccess
|- index.php
|
|- error
|- dir1
|- dir2
~
|- dir(n - 1)
`- dir(n)

    In (web root).htaccess I have the following:

    Options -Indexes

ErrorDocument 403 /error/script.php

    And within ANY subdir's folder (EXCEPT FOR /error/):

    SSLOptions +StrictRequire
SSLRequireSSL

    This allows me to load error pages without SSL, but still enforce it for every other folder. Is it pretty? No, I'd like to be able to control this from the root's .htaccess. But this is the only thing I have gotten to work so far.

    If you can find a better solution, please post your work here.

    • 0