I have the following in a .htaccess file:
Options +FollowSymLinks
RewriteEngine on
RewriteRule ^(.*)$ http://example.com/$1 [R=302,L]
Yet when I go to https://example.com I get an invalid certificate screen in the browser. How can I force the visitor to http:// temporarily until the SSL Cert gets purchased and installed?
Redirects happen on the HTTP layer with an HTTP response header. HTTPS encapsulates HTTP into a TLS connection; the TLS connection has to be negotiated first before interaction at the HTTP layer can happen. If your server fails to negotiate a valid TLS connection, e.g. because it cannot present a certificate the client will accept, then it also cannot redirect the client at the HTTP layer.
You could use the following code in the .htaccess file:
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.*)$ http://%{SERVER_NAME}%{REQUEST_URI} [L,R]
This will redirect the port request 443 (SSL) to 80 (HTTP).
I tried it out, it works fine for me.
My site has a certificate but it's not a wildcard certificate. So it's for example.com, not for *.example.com.
Not a problem I thought, I'll just redirect any visitor to the proper URL through mod_rewrite:
RewriteEngine On
RewriteBase /
# Following two lines to strip machine name
RewriteCond %{HTTP_HOST} !^example.com [NC]
RewriteRule ^(.*)$ https://example.com%{REQUEST_URI} [L,R=301]
# Following two lines make sure the https version is always served
RewriteCond %{HTTPS} off
RewriteRule (.*) https://example.com%{REQUEST_URI} [L,R=301]
Now, the redirect actually works. When someone types in https://www.example.com/page, he will eventually be redirected to https://example.com/page.
But...
The browser first displays a warning that https://www.example.com is insecure. Only when I add an exception, will it be redirected to https://example.com/page which does not give a certificate error...
What am I doing wrong here?
Nothing. SSL negotiation occurs at the transport (TCP) level, not HTTP (even when using SNI), but the point is that the certificate is not valid for the requested domain. When the connection is initiated to www. the browser will request the certificate and compare the URL with the CN in the cert, and since it isn't there, it'll raise the alert.
To resolve this issue you will need a certificate that includes both ServerName and ServerAlias names. You could maybe try some DNS provider that offers DNS HTTP redirection, but getting a certificate is quite easy these days.
I am using an Apache web server in front of a Squid proxy server on the same machine. I got an SSL certificate from Let's Encrypt, and the Apache server is now a trusted green site.
I changed the htaccess file to suit my needs, to reach the Squid server behind Apache in two cases, with https or without it. So my htaccess file is as follows:
RewriteEngine On
# if not https Redirect all requests to Squid except for Let's Encrypt's ACME Challenge verification
RewriteCond %{HTTPS} off [NC]
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/ [NC]
RewriteRule ^(.*) http://backend.squid.server:3128/$1 [R=301,L]
# if https on Redirect all requests to Squid except for Let's Encrypt's ACME Challenge verification
RewriteCond %{HTTPS} on [NC]
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/ [NC]
RewriteRule ^(.*) https://backend.squid.server:3128/$1 [R=301,L]
The first part is redirecting well with no problems and I got the response from the Squid server.
But when we send the same request with https, I get the following error:
An error occurred during a connection to backend.squid.server:3128.
SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG .
What I have in Squid.conf, if that may help:
https_port 3128 cert=/etc/letsencrypt/live/mysite.tld/fullchain.pem key=/etc/letsencrypt/live/mysite.tld/privkey.pem
http_port 3128 act-as-origin name=server accel vhost
I think the problem is in redirecting from https 443 to https with a custom port.
If anyone has dealt with such an issue, please tell me where the problem is. What is the right syntax for this in the htaccess file?
I've placed the following lines in my apache config and in the .htaccess, but neither approach redirects to the non-www url. I need the www url to go to the non-www url based on how the SSL cert is registered.
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^www\.mydomain\.com$ [NC]
RewriteRule ^(.*)$ https://mydomain/$1 [L,R=301]
This is not fixable, other than making sure that all links to your site use mydomain.com instead of the www-variant. With https, during the handshake, the browser will verify the certificate that is being used. When it detects that the certificate is invalid, it won't continue with the request, because from that point on, the certificate can be of anyone, and thus the connection is not secure.
Long story short: Because the browser will not go through with the request, the server will never have the chance to issue a redirect. Only if the user clicks through, the request will be finished and the browser will continue with the redirect.
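The answers above all turn on one check: the browser matches the requested hostname against the certificate's names before it reads any HTTP response, so a redirect rule only helps for hostnames the certificate already covers. The following is an added example, not code from any of the posts; the SAN lists are constructed, `redirect_outcome` is a hypothetical helper, and the matching rules follow RFC 6125 for dNSName entries.

```python
"""Added example: which hostnames a certificate covers, and therefore
whether a redirect issued for that hostname is ever seen by the browser."""


def _normalize(name):
    # DNS names are case-insensitive; a trailing dot marks an absolute name.
    return name.strip().rstrip(".").lower()


def san_matches(pattern, hostname):
    """RFC 6125-style match of one dNSName entry against a hostname."""
    p_labels = _normalize(pattern).split(".")
    h_labels = _normalize(hostname).split(".")
    if len(p_labels) != len(h_labels):
        # A wildcard stands for exactly one label, so *.example.com covers
        # neither example.com nor a.b.example.com.
        return False
    if p_labels[0] == "*":
        # Wildcard only as the complete left-most label. This example also
        # refuses a wildcard directly above a bare TLD (e.g. "*.com").
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    # Partial wildcards such as "w*.example.com" are treated as literals.
    return p_labels == h_labels


def cert_covers(sans, hostname):
    return any(san_matches(s, hostname) for s in sans)


def redirect_outcome(sans, requested_host, target_url):
    """What the visitor sees when requesting https://requested_host/."""
    if not cert_covers(sans, requested_host):
        # Handshake verification fails first; no HTTP response is read.
        return "certificate warning for " + requested_host
    return "redirected to " + target_url


# Constructed SAN lists for the certificate choices discussed above.
APEX_ONLY = ["example.com"]
WILDCARD_ONLY = ["*.example.com"]
BOTH_NAMES = ["example.com", "www.example.com"]

if __name__ == "__main__":
    for label, sans in (("apex only", APEX_ONLY),
                        ("wildcard only", WILDCARD_ONLY),
                        ("both names", BOTH_NAMES)):
        for host in ("example.com", "www.example.com"):
            print(f"{label:14} {host:16} ->",
                  redirect_outcome(sans, host, "https://example.com/page"))
```

Only the certificate listing both names lets the www request reach the rewrite rule; a wildcard-only certificate moves the warning to the bare domain instead.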
In a Google search, I found my domain URL with https and not http.
For example: https://xxxx.com/yyyy/zzzz and not http://xxxx.com/yyyy/zzzz
Is it possible to redirect from https to http for the domain xxxx.com?
I use CentOS and the Apache web server.
On the same server, I have an HTTPS certificate that responds to https://zzzz.com
Thanks
Carlo
This will work with mod_rewrite on. Put this code in .htaccess file at root of the site.
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
I need to automatically redirect any https:// to http:// on my localhost environment.
I tried to use a .htaccess file which I placed on my htdocs/ with the following code:
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
For some reason this is not working. Any advice?
The problem with the rewrite rule is that it will never be reached if Apache is not configured properly for SSL. The browser is trying to connect to http://localhost:443 and unless Apache or some other service is configured on that port you'll get a timeout.
The best solution would be to create a self-signed certificate for Apache running on localhost and create a rule in your web browser to trust the certificate:
Create a self-signed certificate for Apache:
http://www.perturb.org/display/entry/754/