Q: How do I automatically redirect to HTTPS URLs?
Answer
One of the potential downsides to certificate-protecting pages on web.mit.edu is that visitors to the protected portion of your site must use URLs beginning with https://. Anyone who tries to access the protected portion of your site via http:// URLs will receive a "Forbidden" error message.
The simplest way to avoid this is to make the front page of your site a public page, with links to certificate-protected content denoted as such. However, if that is not possible, there is a way to automatically redirect users to the certificate-protected URLs.
Advanced Users: Before following these instructions, you or your webmaster should have an understanding of Server-Side Includes, typical Apache Server variables accessible via SSI, and the concept of relative versus absolute links.
The following example assumes that your website is active at web.mit.edu/joeuser and you want to certificate-protect web.mit.edu/joeuser/mitonly.
The first step is to create a sample 403 error page. Create a directory in your locker called "errors" (the name is not important, but the directory should be separate from the rest of your site). That directory must be readable by system:anyuser. A basic 403 error page might look like this:
<html>
<head>
<title>Certificates Required</title>
</head>
<body>
You must access this document via HTTPS. If you have MIT Certificates, click
<a href="https://<!--#echo var="HTTP_HOST"--><!--#echo var="REQUEST_URI"-->">here</a>
to continue to your document.
</body>
</html>
You can save that document in a file called "certificates.shtml" in the "errors" directory.
The next step is to tell the server to use this document. At the lowest level of your website, create (or edit, if you already have one) a .htaccess.mit file. Add the following line to your .htaccess.mit file:
ErrorDocument 403 /joeuser/errors/certificates.shtml
Now, if you attempt to access web.mit.edu/joeuser/mitonly without certificates, you should see your new page.
Denied Users Will Also See This Page: Remember, the "Forbidden" page will be displayed to visitors under two circumstances: a) if they are not using certificates; b) if they are using certificates, but do not have permission to access the document. Your Forbidden page should say something to that effect.
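The link in certificates.shtml is built from two request-supplied values, and it stays a single well-formed link because the SSI echo element entity-encodes its output by default. The Python model below is an added example, not part of the original article and not Apache's own code; the `render` and `link_target` helpers and the sample request values are constructed for illustration, and `html.escape` only approximates the server's entity encoding.

```python
import html
import re
from html.parser import HTMLParser

# The link line from certificates.shtml, as written on this page.
TEMPLATE = ('<a href="https://<!--#echo var="HTTP_HOST"-->'
            '<!--#echo var="REQUEST_URI"-->">here</a>')
# Same line with encoding switched off (the setting to avoid).
UNENCODED = TEMPLATE.replace('#echo var', '#echo encoding="none" var')

ECHO = re.compile(r'<!--#echo\s+(?:encoding="(\w+)"\s+)?var="(\w+)"\s*-->')
ENCODERS = {
    "entity": lambda v: html.escape(v, quote=True),  # echo's default
    "none": lambda v: v,
}

def render(template, env):
    """Expand echo directives the way this model assumes mod_include does."""
    def expand(match):
        encoding = match.group(1) or "entity"
        return ENCODERS[encoding](env.get(match.group(2), "(none)"))
    return ECHO.sub(expand, template)

class _StartTags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def link_target(rendered):
    """Return the href if the output is a single <a href=...> tag, else None."""
    parser = _StartTags()
    parser.feed(rendered)
    parser.close()
    if len(parser.tags) == 1 and parser.tags[0][0] == "a" \
            and list(parser.tags[0][1]) == ["href"]:
        return parser.tags[0][1]["href"]
    return None

# Constructed request values, not taken from a real server.
NORMAL = {"HTTP_HOST": "web.mit.edu", "REQUEST_URI": "/joeuser/mitonly/"}
QUOTED = {"HTTP_HOST": "web.mit.edu",
          "REQUEST_URI": '/joeuser/mitonly/?q="><b>x</b>'}

if __name__ == "__main__":
    for name, tpl in (("default", TEMPLATE), ('encoding="none"', UNENCODED)):
        for env in (NORMAL, QUOTED):
            print(name, "->", link_target(render(tpl, env)))
```

With the default encoding, both requests produce one link whose target is the original URL; with `encoding="none"`, the quoted request breaks out of the `href` attribute, so leave the echo elements as the article writes them.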