Well, it should actually require two htaccess files. One is placed in the DocumentRoot that turns SSL off. The second is placed in the directories that require SSL.
This would go in the DocumentRoot:
Code:
RewriteEngine on
RewriteBase /
RewriteCond %{HTTPS} ^on$
RewriteRule ^(.*) [URL unfurl="true"]http://mywebsite.com%{REQUEST_URI}[/URL] [R]
(This forces normal access to requests.)
And this one should go in the directories that need SSL:
Code:
RewriteEngine on
RewriteBase /
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*) [URL unfurl="true"]https://mywebsite.com%{REQUEST_URI}[/URL] [R]
(This will force SSL in the directories it is placed in.)
You need to change mywebsite.com to your domain.
Note: This is a really simple way of doing it; it doesn't not force strong encryption. If you run a commerce site you really should force strong encryption.
Note 2: Be cautious about referencing URLs outside of the secured directories. This will cause browsers to display a warning to the user indicating so. An example of this is a image repository.
e.g.
DocRoot: mywebsite.com/
Image Repository: mywebsite.com/images/
Secured folder (htaccess): mywebsite.com/secure
If you have html/scripts in your secure directory that load images from your /images/ directory, they will not be served in SSL (the htaccess in the DocumentRoot changes it to non-SSL), causing the warning to appear in browsers.