Apache RewriteRule - everything except localhost and loopback


I have a server that I want to enforce https communication to from the outside world, however, there are services on the server that need to be accessed over http by processes on the local server.

I've tried the following:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}

But of course, services running on the local server fail to be accessed over http. How do I enforce https for everything except localhost and 127.0.0.1? Or, if easier, I have 2 external domains for this server - how do I only force https for http://sub1.domain1.suffix1 and http://sub2.domain2.suffix2 and the server's external facing IP?

Try this, I'm not positive it will work, but it might, I've never dealt with the actual 'localhost' value.

RewriteEngine On
RewriteCond %{HTTP_HOST} !^localhost [NC]
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://mysub.mydomain.com/$1 [R=301,L]

UPDATE 2: I thought about this, and realized this fails to handle this case: https://mysub2.mydomain.com/ redirect to https://mysub.mydomain.com/ - before adding this, test that url and see if it redirects with the first rule or not, if it does not, test this second set of rules instead.

To correct this case, try:

RewriteEngine On
RewriteCond %{HTTP_HOST} !^localhost [NC]
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} mysub2.mydomain.com [NC]
RewriteRule ^/?(.*) https://mysub.mydomain.com/$1 [R=301,L]

UPDATE2 explanation, if it works:

Make the test more complicated, now the rewrite happens if not localhost/127.0.0.1 then test not https OR is mysub2.mydomain.com (or whatever other domains/sub domains are on the server that you want to redirect to: https://mysub.mydomain.com).

=UPDATE explanation:

This is a pretty simple set of rules. We create 3 conditions that must be met for the rewrite rules to apply. To be safe I use the ^ by habit, ie, that's what it starts with, so this says, host name/IP does not start with localhost/127.0.0.1. ! means not.

  1. The hostname is not localhost (hostname is what you would type in your browser to access the page, or the name you'd use to access it via your web service). Because domain names are not case sensitive, I added the [NC] flag, which means No Case, ie, case insensitive. This is the one I wasn't sure would work:

    RewriteCond %{HTTP_HOST} !^localhost [NC]

  2. The remote request IP is not 127.0.0.1

    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$

  3. https is not on already

    RewriteCond %{HTTPS} !=on

Then the actual rewrite rule, which triggers if these three conditions are met. Rewrite all urls not including the starting /, take everything in that url (.*) which does not include the domain name and add it after https://mysub.mydomain.com/, Then do a 301 permanent redirect to that resultant full url. ? means 0 or 1. (.*) means: put everything after starting / or no starting / into $1, each (...) in the rule is put into variables $1, $2, and so on.

RewriteRule ^/?(.*) https://mysub.mydomain.com/$1 [R=301,L]

=END update

Your setup is not fully intuitive to me, but assuming there is only one actual domain on the server that you want to be handling requests, then this I think would work, not positive, given there's some features I'm not familiar with.

To redirect to https, all three conditions must be true, that is, not local/127, and https not on.
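A variant of the rules above that decides "local" from the connection address only, added here as an example and not part of the original answer. HTTP_HOST is taken from the request's Host header, which the client chooses, so it is not evidence that a request is local; REMOTE_ADDR is the TCP peer address. The sketch assumes Apache sees local clients directly (no reverse proxy in front of it) and keeps the answer's `mysub.mydomain.com` as the canonical host.

```apache
RewriteEngine On

# Redirect only plain-HTTP requests.
RewriteCond %{HTTPS} !=on

# Exempt the whole IPv4 loopback block (127.0.0.0/8), not just 127.0.0.1.
# Local services that bind or connect via another 127.x address are covered.
RewriteCond %{REMOTE_ADDR} !^127\.

# Exempt IPv6 loopback. On dual-stack hosts "localhost" often resolves to ::1
# first, so a local client may never show up as 127.0.0.1.
RewriteCond %{REMOTE_ADDR} !=::1

# No HTTP_HOST condition: the exemption does not depend on a request header.
# The target host is hard-coded, so the Location header never echoes the
# Host header sent by the client.
RewriteRule ^/?(.*)$ https://mysub.mydomain.com/$1 [R=301,L]
```

With these conditions a request is left on HTTP only when the peer address is loopback; every other plain-HTTP request, whatever Host it names, is redirected to the canonical HTTPS host.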


Try this:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^localhost [NC]
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


This is a slightly different case, but if you have a proxy in front of your server like a load balancer, you can do this (which is what is proposed by AWS for redirecting to TLS while behind ELB), which I thought was kind of cool once I figured out that not doing this makes my config also redirect localhost:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]


Comments
  • please give an example of a service from 127.0.0.1, I do lots of server based requests on an https/ssl site, but they all just request via lynx to a page on the site. I'm unclear what case would involve what you are talking about. If the two domains are being run via apache virtualhosts, you'd be setting up https per domain in the normal case, not per server, unless you have a global certificate for all subdomains of domain1 or domain2.
  • I'm hosting on windows azure via a VM, so I've got 2 domains - the one provided by azure (thedomain.cloudapp.net) and the one that I have my SSL cert for (mysub.mydomain.com). Nobody should be using the cloudapp.net domain, but if they do, I want to ensure I redirect them to the real SSL domain properly. I'm running mediawiki with a parsoid server located on the box. Parsoid is only accessible via the local machine but is a web service, and mediawiki is configured to access it via localhost.
  • That did it! Thank you very much. If you have a few minutes, explaining why this works would be really helpful too.
  • Oh, it worked, that's good, I wasn't positive because of your setup. It's pretty simple, I'll update the answer to explain it.
  • Now that I think of it, you can probably remove the localhost condition, because the REMOTE_ADDR is going to be 127.0.0.1 for localhost, but I wanted to be sure since I've never dealt with that scenario. But it doesn't hurt to have it there, and on the weird off chance that localhost became not 127.0.0.1 you'd still be covered.