
Q: How do I automatically redirect to HTTPS URLs?

Answer

One of the potential downsides to certificate-protecting pages on web.mit.edu is that visitors to the protected portion of your site must use URLs beginning with https://. Anyone who tries to access the protected portion of your site via http:// URLs will receive a "Forbidden" error message.

The simplest way to avoid this is to make the front page of your site a public page, with links to certificate-protected content denoted as such. However, if that is not possible, there is a way to automatically redirect users to the certificate-protected URLs.

Advanced Users
Before following these instructions, you or your webmaster should have an understanding of Server-Side Includes, typical Apache Server variables accessible via SSI, and the concept of relative versus absolute links.

The following example assumes that your website is active at web.mit.edu/joeuser and you want to certificate-protect web.mit.edu/joeuser/mitonly.

The first step is to create a sample 403 error page. Create a directory in your locker called "errors" (the name is not important, but the directory should be separate from the rest of your site). That directory must be readable by system:anyuser. A basic 403 error page might look like this:

<html>
<head>
<title>Certificates Required</title>
</head>
<body>
You must access this document via HTTPS.  
If you have MIT Certificates, click 
<a href="https://<!--#echo var="HTTP_HOST"--><!--#echo var="REQUEST_URI"-->">here</a> to continue to your document.
</body>
</html>

You can save that document in a file called "certificates.shtml" in the "errors" directory.

The next step is to tell the server to use this document. At the lowest level of your website, create (or edit, if you already have one) a .htaccess.mit file. Add the following line to your .htaccess.mit file:

ErrorDocument 403 /joeuser/errors/certificates.shtml

Now, if you attempt to access web.mit.edu/joeuser/mitonly without certificates, you should see your new page.
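To preview the link this error page will produce before deploying it, the sketch below expands the two echo directives the way mod_include does by default ("entity" encoding) and then parses the result. It is an added example, not IS&T's code; the request values, the helper names and the simplified directive parser are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Link line from certificates.shtml in this article.
TEMPLATE = ('<a href="https://<!--#echo var="HTTP_HOST"-->'
            '<!--#echo var="REQUEST_URI"-->">here</a>')
ECHO = re.compile(r'<!--#echo\s+var="(\w+)"\s*-->')

def entity_encode(value):
    """Approximate the "entity" encoding mod_include applies to echo by default."""
    for char, entity in (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;")):
        value = value.replace(char, entity)
    return value

def render(template, env):
    """Expand each echo directive from env; unset variables print "(none)"."""
    return ECHO.sub(lambda m: entity_encode(env.get(m.group(1), "(none)")), template)

class _Anchor(HTMLParser):
    """Records the attributes of the first <a> tag it sees."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = attrs

def link_attributes(rendered):
    """Parse rendered HTML as a browser would and return the <a> attributes."""
    parser = _Anchor()
    parser.feed(rendered)
    parser.close()
    return parser.attrs

# Constructed request values (not from the article): a plain request, and one
# whose query string contains characters that are special inside an attribute.
PLAIN = {"HTTP_HOST": "web.mit.edu", "REQUEST_URI": "/joeuser/mitonly/"}
ODD = {"HTTP_HOST": "web.mit.edu", "REQUEST_URI": '/joeuser/mitonly/?q="a"&b=<1>'}

if __name__ == "__main__":
    for env in (PLAIN, ODD):
        page = render(TEMPLATE, env)
        print(page)
        print(link_attributes(page))
```

With the default encoding, the second request still yields a single href attribute whose decoded value is the original URL under https://.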

Denied Users Will Also See This Page
Remember, the "Forbidden" page will be displayed under two circumstances: a) if the visitor is not using certificates; b) if the visitor is using certificates, but does not have permission to access the document. Your Forbidden page should say something to that effect.

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified: October 01, 2013
