I have this .htaccess file to redirect http:// to https://
I also did www. to root domain redirection!
www. to root domain works! however https:// redirection doesn't!
If I set RewriteCond %{HTTPS} on to RewriteCond %{HTTPS} off or RewriteCond %{HTTPS} =!on I get a browser error:
The example.com page isn’t working
mysite.com redirected you too many times.
Try clearing your cookies.
ERR_TOO_MANY_REDIRECTS
One edit I did gave me a 500 error but I reverted that back to how it was before! all I did was change: RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} to RewriteRule(.*) https://%{HTTP_HOST}%{REQUEST_URI} or RewriteRule (.*)https://%{HTTP_HOST}%{REQUEST_URI}
Anyone have any Ideas on how to fix this issue?
This is my entire .htaccess file!
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
RewriteCond %{HTTPS} on [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^ https://antimalwareprogram.co%{REQUEST_URI} [R=301,L,NE]
</IfModule>
RewriteCond %{HTTPS} on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Yes, this will create a redirect loop. The logic is wrong. What this says is... if HTTPS is "on" then redirect to HTTPS. You should be checking if HTTPS is "off" (or "not on", ie. !on).
(By removing the spaces between the arguments you likely created a rewrite loop, hence the 500 error. Spaces are delimiters in Apache config files.)
Try something like the following instead:
RewriteEngine On
RewriteCond %{HTTPS} !on [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [R=302,L,NE]
This handles both the HTTPS and www canonical redirects. You don't need the first rule. You don't need the <IfModule> container either.
Change the 302 to 301 only when you are sure it's working OK.
Make sure you've cleared your browser cache before testing. 301s get cached hard by the browser.
UPDATE: If this still gives you the same error (a redirect loop) then it's possible that your SSL is managed by a front-end proxy, not your application server. If this is the case then you won't be able to use the HTTPS server variable. See these related questions:
http to https redirection through htaccess: incorrect redirection error
htaccess rewrite - too many redirects
It seems that in this case, ENV:HTTPS (an environment variable) needed to be used in place of HTTPS (Apache server variable). Note, however, that this is non-standard / server specific, as it implies a front-end proxy is being used to manage the SSL.
Related
I need to convert all http access to a domain including its potential pages under the main page, to its https equivalent. What I have now just directs all Domain and www.Domain access to https://Domain but not pages that are off the main page. How can I modify the htaccess commands so in addition I can get http://Domain/other-web-pages to go to https://Domain/other-web-pages
RewriteEngine On
RewriteCond %{HTTPS} !on [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule (.*) https://example.com [L,R=301]
You are close. The redirection works, but you need to actually hand over the requested path too:
RewriteEngine On
RewriteCond %{HTTPS} !on [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule ^ https://example.com%{REQUEST_URI} [QSA,L,R=301]
Such general should get implemented in the actual http server's central host configuration. If you have no access to that you can use a distributed configuration file instaed. Such file has to be placed inside the http server's DOCUMENT_ROOT folder.
(An alternative to #arkascha's answer, that builds on your existing code.)
:
RewriteRule (.*) https://example.com [L,R=301]
You are already capturing the requested URL-path (ie. (.*)) but not passing this through to the substitution string. So, all you need is the corresponding backreference ($1) that contains the URL-path. For example:
:
RewriteRule (.*) https://example.com/$1 [L,R=301]
And, if you have other directives, this needs to go near the top of the .htaccess file before any existing rewrites.
You will need to clear your browser cache before testing, since any erroneous 301 (permanent) redirects to the homepage will have been cached by the browser. Test with 302 (temporary) redirects to avoid such caching issues.
I have a .htaccess file with a few rules that have served well so far. Now I implemented SSL in the website and I need to add a rule to redirect just a single webpage to HTTPS, leaving the rest as it was. Unfortunately but I'm not being able to do so.
Pre SSL code
RewriteEngine On
RewriteBase /
#Redirect http://example.com to http://www.example.com
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301]
#Rewrite http://www.example.com/123 to http://www.example.com/data.php?id=123
RewriteRule ^([0-9]+)$ data.php?id=$1 [L,NC]
#Rewrite http://www.example.com/about to http://www.example.com/about.php
RewriteRule ^about$ about.php [L,NC]
#Rewrite http://www.example.com/ab123 to http://www.example.com/abdisp.php?id=123
RewriteRule ^ab([0-9]+)$ abdisp.php?id=$1 [L,NC]
Now I need to redirect to HTTPS only the requests for a single specific script. The pre SSL rules need to keep working as they did so far, so all I do is add the following code:
New HTTP to HTTPS
#If HTTPS is not set and the script being requested is rvservice.php, redirect to HTTPS
RewriteCond %{HTTPS} != on
RewriteCond %{REQUEST_URI} rvservice\.php
RewriteRule ^/rvservice\.php(.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This is not working. When I upload this addition to the original code into the server, I get internal server error. I've tried putting this new code at the beginning of the original .htaccess file, but the result is the same. I re-wrote it as a single rewrite rule (no conditions) but I get a redirect loop error. I've been reading posts on SO about HTTP to HTTPS and applied their solutions, but it seems there is something in my old code that does not get along with the new lines. I feel I'm close to the solution, but for the time being it looks I'm closer to clueless. I'll appreciate any pointers in the right direction. Thanks!
In .htaccess, no / at the beginning in test RewriteRule parameter :
RewriteCond %{HTTPS} off
RewriteRule ^rvservice\.php(.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
But if you use %{REQUEST_URI} they always start with a /
So my SSL certificate only applies to https://example.com - not https://www.example.com (can't complain, it was free).
After venturing into mod_rewrite and a lot of reading (mostly from stackoverflow) I have an .htaccess file that does most of what I need, here is that file (with domain redacted of course).
<IfModule mod_rewrite.c>
RewriteEngine On
#First rewrite any request to the wrong domain to use the correct one
RewriteCond %{HTTP_HOST} !^subdomain\.
RewriteCond %{HTTP_HOST} ^(www|ftp|mail)\.example\.com [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]
#Redirect these subdomains to a subfolder
RewriteCond %{HTTP_HOST} ^([^/.]+)\.example\.com$
RewriteCond %1 !^(www|ftp|mail)$ [NC]
RewriteRule (.+)$ "http://example.com/%1" [L,P]
#Now, rewrite to HTTPS:
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
The script contains comments as to what it does (I need them more than you think).
And there is an additional .htaccess file on the folder for the subdomain that is being redirected (a subfolder in the root web folder, with matching subdomain name) and the accompanying dns entry on my dns server. The .htaccess on that folder simply redirects http (port 80) to https.
At the moment, it does what I need but I'm looking for simpler ways to write this. And by simpler it could also mean more global (if it makes it faster than hardcoding domains) and if there are any speed improvements to gain from said rewrite.
As previously mentioned, my certificate is only for a non-www example.com domain so this brings me to the second (but my main) question.
Traffic that is routed like so: https://www.example.com will see the error before any routing, rewrite, etc is ever done. This is because a connection to the web server has not even happened at this point, correct? This is essentially your server handing your certificate over and the browser saying:
wait a minute!
Is there a way to prevent traffic to hit your server the improper way (https://www) before the browser gives out a certificate error?
This does not have to be restricted to just the .htaccess method.
Is there a way to do this - at all? And what is that way?
Edit:
I was having a few issues with my conditions and rewrites hitting queries it should not. I was also having a few redirect loops so headed over to apache.org to research that; so just as a way to keep track of said changes here is the .htaccess file now:
<IfModule mod_rewrite.c>
RewriteEngine On
# First rewrite any request to the wrong domain to use the correct one
RewriteCond %{HTTP_HOST} ^(www|ftp|mail)\.example\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1
# Redirect these subdomains to a subfolder
RewriteCond %{HTTP_HOST} ^([^/.]+)\.example\.com$
RewriteCond %{REQUEST_URI} !^([^/.]+)/([^/.]+)
RewriteCond %1 !^(www|ftp|mail)$ [NC]
RewriteRule ^(.*)$ http://example.com/%1$1 [L,NC,QSA]
#Now, rewrite to HTTPS:
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} ^http://example\.com/$ [NC]
RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [L,R,NE]
</IfModule>
Is there a way to prevent traffic to hit your server the improper way (https:// www) before the browser gives out a certificate error?
No, there's nothing you can do, your assessment is correct that the browser looks at the server certificate and sees that the host doesn't match and displays the error. The error isn't generated by the server, and this happens before a request is even sent to the server. This happens during the SSL handshake. The only things you can do are prevent any http://www links from existing, or buy a new certificate that includes "www".
As for your rules, there's really no way to simplify it since you have multiple conditions for each rule.
We have domain.com and domain.com.au pointing to the same website and currently have the following in our .htaccess
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.domain.com.au/$1 [R=301,L]
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.domain\.com\.au$ [NC]
RewriteRule ^(.*)$ https://www.domain.com.au/$1 [R=301,L]
This is semi working to redirect all requests for the site to the correct secured url.
The only issue is when we go to https://domain.com we are always warned by the browser first that the page may be insecure - if we accept the warning then the page correctly redirects to https://www.domain.com.au.
Is there some way to prevent this warning prior to the redirection of the correct secured domain or should we have the .htaccess redirection written differently?
I want to one of my site's page will use only HTTPS.
I have given manually link to all sites to https.
But I want that if user manually types that page URL with http then it should be redirected to https page.
So if user types:
http://example.com/application.php
then it should be redirected to
https://example.com/application.php
Thanks
Avinash
Here's a couple of lines I used in an .htaccess file for my blog, some time ago :
RewriteCond %{HTTP_HOST} =www.example.com
RewriteCond %{REQUEST_URI} ^/admin*
RewriteCond %{HTTPS} !=on
RewriteRule ^admin/(.*)$ https://www.example.com/admin/$1 [QSA,R=301,L]
Basically, the idea here is to :
determine whether the host is www.example.com
and the URL is /admin/*
Because I only wanted the admin interface to be in https
which means this second condition should not be useful, in your case
and https is off (i.e. the request was made as http)
And, if so, redirect to the requested page, using https instead of http.
I suppose you could use this as a starting point, for your specific case :-)
You'll probably just have to :
change the first and last line
remove the second one
Edit after the comment : well, what about something like this :
RewriteCond %{HTTP_HOST} =mydomain.com
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://mydomain.com/$1 [QSA,R=301,L]
Basically :
using your own domain name
removing the parts about admin
Try this rule:
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^application\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This rule is intended to be used in the .htaccess file in the document root of your server. If you want to use it in the server configuration file, add a leading slash to the pattern of RewriteRule.
use this:
RewriteEngine On
# Turn SSL on for /user/login
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^/user/login
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
# Turn SSL off everything but /user/login
RewriteBase /
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/user/login
RewriteRule ^(.*)$ http://%{HTTP_HOST}$1 [R=301,L]
website
open httpd.conf or .htaccess file (mod_rewrite not required):
# vim httpd.conf
Append following line :
Redirect permanent / https://example.com/