我开发了一些只应通过HTTPS访问形式。我有一个专门的服务器拥有自己的证书和所有的好东西。

I am developing a number of forms which should only be accessed via https. I have a dedicated server with its own cert and all the good stuff.

所以我的问题是双重的真正：

So my question is two-fold really:

1）。什么是强迫每一个请求是HTTPS的最佳方式？难道还有比这.htacess / mod_rewrite的规则更好的方式：

1). What's the best way to force every request to be https? Is there a better way than this .htacess/mod_rewrite rule:

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

2）。是否有任何潜在的缺陷或缺点迫使一切是HTTPS，我应该考虑的问题（除开销，这似乎不是一个问题呢）？

2). Are there any potential pitfalls or downside to forcing everything to be https that I should be thinking about (other than overhead, which wouldn't seem to be an issue anyway)?

推荐答案

你有什么要细，这是我使用的：

What you have should be fine, this is what I use:

RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

在研究表示这是一个重定向，而不​​是重写，而→表示重写引擎不应该执行任何更多的重写。

The R signifies it's a redirect instead of a rewrite, and the L indicates that the rewrite engine should not perform any more rewrites.

我最初发现这个在这里：的httpd维基

I originally found this here: Httpd Wiki

编辑：

我忘了提 SSLRequireSSL 指令，迫使所有的请求是通过HTTPS。详细信息可以在 Apache文档被发现。

I forgot to mention the SSLRequireSSL directive that forces all requests to be over HTTPS. Details can be found in the Apache Documentation.