I’m sure this has been covered before, but as I’ve just had to do it, here’s how you force all requests to /symphony to run via https.

In your .htaccess file in the /symphony folder, add the following lines:

### Force HTTPS
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://your-domain/symphony/$1 [R,L]


RewriteEngine on
RewriteBase /symphony/


Nice tip, Joe, thanks.

Would also be nice to see it in the documentation for later reference.

Hi guys I’ve tried to restrict access to /symphony on a default installation on webfaction but with no luck. They have asked me to use the following in the /symphony .htaccess file:

RewriteCond %{HTTP:X-Forwarded-SSL} !on

RewriteRule ^(.*)$ https://domain/symphony/$1 [R,L]

but I get the old 403 forbidden. Without the https rewrite and without the following:

RewriteEngine on

Options +FollowSymlinks -Indexes

RewriteBase /symphony

I can get access to /symphony but obviously over http.

Do I have to make any changes to the .htaccess in the root folder? thanks

I am using a symlink app - it links to /symphony with https enabled. So as I understand the web server will look for index.html/.htm/.py/.php within /symphony.

If it finds the file, it will serve it as the directory index. If it doesn’t find it, it will serve a directory listing or will rewrite the request as directed by your .htaccess.

I only get a directory listing if I don’t include ‘-Indexes’ so I guess the .htaccess files are at fault..


All rewrite rules are now in the root folder.

Have you made the htaccess file in the symphony dir yourself?

If you have, try to include those rules to the htaccess file in your root directory. You will have to change ^(.)$ to symphony/(.)?$

EDIT: oh, and you should delete the htaccess file from the symphony directory.

Good luck!

Thanks that makes a bit more sense, I will give it a shot, much appreciated! Yes I did create a .htaccess in the /symphony folder.

If anyone can forward a working version of this I would appreciate it. I can’t get this to work at the moment. For security, it would be good to see a working version as an optional part of the default symphony package.

I have included

RewriteCond %{HTTP:X-Forwarded-SSL}!on RewriteRule ^symphony/ https://%{HTTPHOST}%{REQUESTURI} [R=301,L]

but get a directory listing…

You will need to tell your httpd server to be setup to route https requests to the same location on disk as http requests.

If you mail your httpd.conf file to me (me AT josephdenne DOT com) I can take a look for you.

@jospeh thanks man though I am on shared hosting with webfaction so I will put in a request for their support team to look into this. Much appreciated!

Ive got a site where I want all of the https pages to forward to http but one. Ive found a bunch of htaccess examples but they seem to not work with symphony.

RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !^/quotes
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

The 2nd line is suppose to stop the /quotes/ page from being redirected to the http page however it doesnt work and a lot of times (ive tried many variations on that line) I get the whole symphony page string after it forwards to http


another thing is that sometimes the page will have form variables passed to it so whatever that line is it needs to be ok with that as well

You will need to tell your httpd server to be setup to route https requests to the same location on disk as http requests.

Setup Host: Webfaction, Symphony: 2.06, Webfaction's SSL. (Shared hosting, I haven't installed my own Apache so didn't have access to the httpd.conf)

Thanks guys, I added the, app1 and website1 record as usual. I also added a website2 record that has https enabled and points to the app1.

So at this point I had the site and admin working on http and https.

.htaccess Then...this is where it got interesting.. I played about with the .htaccess (well it's not the weekend yet so wasn't in the mood to edit my fantasy football team)

Eventually I came up with this contraption:

#RewriteRule ^symphony/?$ ./index.php?mode=administration&%{QUERY_STRING} [NC,L]

RewriteCond %{HTTP:X-Forwarded-SSL} !on
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f 
    RewriteRule ^symphony(/(.*/?))?$ ./error  [NC,L]

RewriteCond %{HTTP:X-Forwarded-SSL} on
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f 
    RewriteRule ^symphony(/(.*/?))?$ ./index.php?symphony-page=$1&mode=administration&%{QUERY_STRING} [NC,L]

What the hell's that? I hear you all cry....yes I was forced to comment out a default line.

The result Er...this is where the redirects go from interesting to embarrassing...

http or https / --> --> --> https:// login screen

Now if you're not splitting at the edges with laughter by now please can you at least snigger a little. I know it's not ideal but for my own site it provides a little security.

Jeff I think you yours working didn't you as I saw another one of your posts?

I ended up using robot no index on all ssl pages by checking the current url for https (other then quotes page) and used the following to force ssl on the quote page

RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^quotes/?$ [R=301,L]

I think it's a good idea to include the following if on 2.06 - I saw it in the 2.2 .htaccess file:

SECURITY - Protect crucial files

RewriteRule ^manifest/(.*)$ - [F]
RewriteRule ^workspace/utilities/(.*).xsl$ - [F]
RewriteRule ^workspace/pages/(.*).xsl$ - [F]
RewriteRule ^(.*).sql$ - [F]

As mentioned here:

Create an account or sign in to comment.

Symphony • Open Source XSLT CMS

Server Requirements

  • PHP 5.3-5.6 or 7.0-7.3
  • PHP's LibXML module, with the XSLT extension enabled (--with-xsl)
  • MySQL 5.5 or above
  • An Apache or Litespeed webserver
  • Apache's mod_rewrite module or equivalent

Compatible Hosts

Sign in

Login details