Apologies for the twiki cruft, we still haven't switched to Foswiki yet...
Edit: After doing all this, I found a different solution over at http://twiki.org/cgi-bin/view/TWiki/UsingSslForAuthenticationOnly
HttpsRedirectPlugin is a great plugin, but it kills caching for authenticated users, making the wiki unbearably slow (in our case).
Below is a set of rewrite rules that forces the view script to be redirected to HTTP and all other scripts to SSL.
Of course, we still want some topics hit via the view script to be SSL'd; a few (not all) of those are shown below.
<Location "/twiki/bin">
RewriteEngine on
#####################################################################
# Redirect hits to password sensitive topics via view script to https
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^\/twiki\/bin\/view\/(TWiki\/ResetPassword|TWiki\/ChangePassword|TWiki\/TWikiRegistration|TWiki\/BulkResetPassword).*
RewriteRule .* https://wiki.server.org%{REQUEST_URI} [L,NE]
# Redirect non-view scripts where the HTTP_REFERER was from a view script
# topic, unless this is a POST, to https
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !.*\/twiki\/bin\/view.*
RewriteCond %{HTTP_REFERER} .*\/twiki\/bin\/view.*
RewriteCond %{REQUEST_METHOD} !^POST$
RewriteRule .* https://wiki.server.org%{REQUEST_URI} [L,NE]
# Redirect non-view scripts to https
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^\/twiki\/bin\/view.*
RewriteCond %{HTTP_REFERER} !.*\/twiki\/bin\/view.*
RewriteRule .* https://wiki.server.org%{REQUEST_URI} [L,NE]
# Redirect https view scripts that aren't password sensitive to http,
# unless this is a form POST from some other script to a view page
# (unlikely?)
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^\/twiki\/bin\/view\/(TWiki\/ResetPassword|TWiki\/ChangePassword|TWiki\/TWikiRegistration|TWiki\/BulkResetPassword).*
RewriteCond %{REQUEST_URI} ^\/twiki\/bin\/view\/.*
RewriteCond %{REQUEST_METHOD} !^POST$
RewriteCond %{HTTP_USER_AGENT} !^.*MSIE\ 6.0
RewriteRule .* http://wiki.server.org%{REQUEST_URI} [L,NE]
# As above, IE6 compatibility hack:
# "You are about to be redirected to a connection that is not secure"
# Use a specially crafted 400 Error Document whose content (via JS or meta refresh)
# will force IE6 to redirect quietly away from https://.
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^\/twiki\/bin\/view\/(TWiki\/ResetPassword|TWiki\/ChangePassword|TWiki\/TWikiRegistration|TWiki\/BulkResetPassword).*
RewriteCond %{REQUEST_URI} ^\/twiki\/bin\/view\/.*
RewriteCond %{REQUEST_METHOD} !^POST$
RewriteCond %{HTTP_USER_AGENT} ^.*MSIE\ 6.0
RewriteRule .* https://wiki.server.org/cgi-bin/redirect.php?to=http://wiki.server.org%{REQUEST_URI} [L,NE,R=303]
</Location>
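
The TWiki rule set above, modelled as a decision function and run over constructed requests (an added example, not part of the original topic; `decide`, `SAMPLES`, the sample URIs and the user agent string are assumptions made for illustration). It shows which requests the rules redirect and which are served as they arrive.

```python
import re

# Added model of the TWiki rule set above; patterns are copied from the rules.
HOST = "wiki.server.org"
SENSITIVE = re.compile(r"^/twiki/bin/view/(TWiki/ResetPassword|TWiki/ChangePassword"
                       r"|TWiki/TWikiRegistration|TWiki/BulkResetPassword).*")
VIEW_ANY = re.compile(r".*/twiki/bin/view.*")    # unanchored, as in rule 2
VIEW_PREFIX = re.compile(r"^/twiki/bin/view.*")  # as in rule 3
VIEW_TOPIC = re.compile(r"^/twiki/bin/view/.*")  # as in rules 4 and 5
IE6 = re.compile(r"^.*MSIE 6.0")

def decide(https, uri, method="GET", referer="", agent=""):
    """Return the redirect target the rules produce, or None if served as-is."""
    post = method == "POST"
    from_view = bool(VIEW_ANY.search(referer))
    if not https:
        if SENSITIVE.search(uri):                                # rule 1
            return f"https://{HOST}{uri}"
        if not VIEW_ANY.search(uri) and from_view and not post:  # rule 2
            return f"https://{HOST}{uri}"
        if not VIEW_PREFIX.search(uri) and not from_view:        # rule 3
            return f"https://{HOST}{uri}"
        return None
    if SENSITIVE.search(uri) or not VIEW_TOPIC.search(uri) or post:
        return None
    if IE6.search(agent):                                        # rule 5
        return f"https://{HOST}/cgi-bin/redirect.php?to=http://{HOST}{uri}"
    return f"http://{HOST}{uri}"                                 # rule 4

# Constructed sample requests: (https, uri, method, referer, agent).
VIEW_REF = f"http://{HOST}/twiki/bin/view/Main/WebHome"
SAMPLES = [
    (False, "/twiki/bin/view/Main/WebHome", "GET", "", ""),
    (False, "/twiki/bin/view/TWiki/ChangePassword", "GET", "", ""),
    (False, "/twiki/bin/edit/Main/WebHome", "GET", VIEW_REF, ""),
    (False, "/twiki/bin/save/Main/WebHome", "POST", VIEW_REF, ""),
    (True, "/twiki/bin/view/Main/WebHome", "GET", "", ""),
    (True, "/twiki/bin/view/Main/WebHome", "GET", "", "Mozilla/4.0 (compatible; MSIE 6.0)"),
]

def plaintext_posts():
    """Samples that stay on HTTP although they POST to a non-view script."""
    return [s for s in SAMPLES
            if not s[0] and s[2] == "POST" and decide(*s) is None]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:3], "->", decide(*s))
```

The POST sample returns `None`: a form submitted from an HTTP view page to a non-view script is excluded from rule 2 and missed by rule 3, so it is only encrypted if the form's action is already an https:// URL.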
An (untested) Foswiki-fied version, assuming base URL is http[s]://wiki.server.org.au/foswiki:
<Location "/foswiki/bin">
RewriteEngine on
#####################################################################
# Redirect hits to password sensitive topics via view script to https
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^\/foswiki\/bin\/view\/(System\/ResetPassword|System\/ChangePassword|System\/SystemRegistration|System\/BulkResetPassword).*
RewriteRule .* https://wiki.server.org%{REQUEST_URI} [L,NE]
# Redirect non-view scripts where the HTTP_REFERER was from a view script
# topic, unless this is a POST, to https
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !.*\/foswiki\/bin\/view.*
RewriteCond %{HTTP_REFERER} .*\/foswiki\/bin\/view.*
RewriteCond %{REQUEST_METHOD} !^POST$
RewriteRule .* https://wiki.server.org%{REQUEST_URI} [L,NE]
# Redirect non-view scripts to https
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^\/foswiki\/bin\/view.*
RewriteCond %{HTTP_REFERER} !.*\/foswiki\/bin\/view.*
RewriteRule .* https://wiki.server.org%{REQUEST_URI} [L,NE]
# Redirect https view scripts that aren't password sensitive to http,
# unless this is a form POST from some other script to a view page
# (unlikely?)
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^\/foswiki\/bin\/view\/(System\/ResetPassword|System\/ChangePassword|System\/SystemRegistration|System\/BulkResetPassword).*
RewriteCond %{REQUEST_URI} ^\/foswiki\/bin\/view\/.*
RewriteCond %{REQUEST_METHOD} !^POST$
RewriteCond %{HTTP_USER_AGENT} !^.*MSIE\ 6.0
RewriteRule .* http://wiki.server.org%{REQUEST_URI} [L,NE]
# As above, IE6 compatibility hack:
# "You are about to be redirected to a connection that is not secure"
# Use a specially crafted 400 Error Document whose content (via JS or meta refresh)
# will force IE6 to redirect quietly away from https://.
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^\/foswiki\/bin\/view\/(System\/ResetPassword|System\/ChangePassword|System\/SystemRegistration|System\/BulkResetPassword).*
RewriteCond %{REQUEST_URI} ^\/foswiki\/bin\/view\/.*
RewriteCond %{REQUEST_METHOD} !^POST$
RewriteCond %{HTTP_USER_AGENT} ^.*MSIE\ 6.0
RewriteRule .* https://wiki.server.org/cgi-bin/redirect.php?to=http://wiki.server.org%{REQUEST_URI} [L,NE,R=303]
</Location>
redirect.php, inspired by http://jehiah.cz/archive/redirect-to-a-connection-that-is-not-secure. The Apache config fragments above assume this script is to be found at https://wiki.server.org/cgi-bin/redirect.php
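<?php
// Send a 400 so IE6 renders this body instead of showing its
// "redirected to a connection that is not secure" warning.
header("HTTP/1.0 400 Bad Request", true, 400);
header('Content-Type: text/html; charset=utf-8');
// Only redirect back to the wiki itself; accepting any URL would make this
// script an open redirector and a script-injection point.
$allowed_prefix = 'http://wiki.server.org/';
$to = isset($_GET['to']) ? $_GET['to'] : '';
echo '<html><head>';
if (strpos($to, $allowed_prefix) === 0) {
    redirect($to);
}
echo '</head><body>Please upgrade your web browser...</body></html>';
function redirect($url) {
    // json_encode() yields a safely quoted JavaScript string literal;
    // htmlspecialchars() escapes the URL for the HTML attribute.
    $js_flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    echo '<script type="text/javascript">';
    echo 'window.location.href=' . json_encode($url, $js_flags) . ';';
    echo '</script>';
    echo '<noscript>';
    echo '<meta http-equiv="refresh" content="0;url=' . htmlspecialchars($url, ENT_QUOTES) . '" />';
    echo '</noscript>';
}
?>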
This topic: Sandbox > SSLForNonViewScriptsOnly
Topic revision: 31 Jul 2009, PaulHarvey
