Issue:
Some Web Applications provide feature to force direct to https from http links either at installation stage or configured later by application administrators, but some web applications do not provide such security feature.
Solution:
a general workaround is to create a .htaccess file in the root directory of the web application. .htaccess should including the following lines:
- RewriteEngine On
- RewriteCond %{HTTPS} off
- RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
- Only set up the above usually doesn’t work because there is restriction in the config. file of Apache for such change in the web application access.
The following error message will appear in error_log of httpd:
RewriteEngine not allowed here
Tricks:
Directive such as follows should be added to httpd.conf:
- AllowOverride AuthConfig Limit FileInfo Options
- Order allow,deny
- Allow from all
Configuration:
- Apache/2.2.2 (Fedora 5)
- mod_ssl/2.2.2
- OpenSSL/0.9.8a
- TLSv1