Apache force SSL - apache

I am trying to redirect incoming requests to https://www.domain.com/ and all https://www.domain.com/{all pages} and am having a little trouble. Methods I tried:
Adding this line: Redirect permanent / https://www.domain.com/ to my httpd.conf is causing too many redirects
Using .htaccess to redirect with mod_rewrite is ending in 302 Moved page with a broken link.
What I want is:
Redirect all requests to https://www.domain.com/, including http://www.domain.com/signup and pages like that to https version
I've searched many threads on this but they don't seem to apply to my setup. How should I approach this?

There's a distinct problem with this approach - if you do an automatic non-SSL redirect to an SSL webpage, you lose the security that SSL should provide. i.e. If someone can MITM your non-SSL web server, they can redirect to their own valid SSL server (with a real certificate), and the browser won't know the difference.
i.e. http://www.example.com redirects to https://www.example.com, can be subverted by a man in the middle attack where fake http://www.example.com redirects to https://i-will-steal-your-credit-card.com, and as long as i-will-steal-your-credit-card.com has a valid certificate, the browser won't alert the user that anything is awry, the user will see the little lock icon and think everything's cool and start putting in credit card numbers.
It's a better practice to have a page that explains that what they really want is the SSL version of the URL and a clickable link. Of course, bad-guy could do the same exact thing, but paranoid people always verify the link they're clicking actually links to what it says.
Granted, most people aren't paranoid and will be grumpy about the extra step - so if you have any marketing people making decisions about this upstream from you - odds are you'll end up doing the http->https automatic redirect. This is because Marketing and customers usually don't understand SSL.

It goes like:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Source: http://systembash.com/content/force-https-ssl-access-url-apache/

RewriteEngine On
RewriteCond %{HTTPS} Off
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]
Notice the $1 which appends the path information

Related

Where to handle the redirection from HTTP to HTTPs?

I have a heroku application with a domain from godaddy.
My site is built with node and express.
My website is www.juanitacalendar.de and I want it to always redirect to HTTPS (no matter if the users types the www or not).
Should I handle this within Heroku? Within node/express? In my index.html?
I've read in another answer that I'm suppose to use this code that has to do with apache. I am clueless on where to put this piece of code though.
RewriteEngine On
RewriteCond %{HTTPS} !^on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
There are many ways you could achieve this.
In your situation, it looks like you can get Node/Express.js to redirect for you. See this answer for more information: Heroku NodeJS http to https ssl forced redirect.

Remove https:// from URL while still serving SSL

I am attempting to rewrite the URL displayed in a browser to eliminate the https:// portion. Not being familiar with Apache coding, I have tried many different ways of tweaking other code to achieve the result, but without success.
My .htaccess file includes 310 redirect rules, as well as some rewrite conditions, all of which are presently working:
# Force browser to use SSL, even when referring URL is non-secure
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Catch-all for any potential 404 error (file not found) will
# redirect to the index (/) page
Options +SymLinksIfOwnerMatch
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . / [L,R=301]
Any help on this front is greatly appreciated!
I am attempting to rewrite the URL displayed in a browser to eliminate the https:// portion.
I would be curious to see your "attempts". And why are you wanting to do this?
Basically, you can't.
You have no control over how the browser displays the protocol (ie. https, or http), or any part of the URL for that matter, in the browser's address bar. And any attempt to "rewrite" the URL to remove https:// is only likely to stop your site serving content over SSL - which is not your intention. The only way to change the physical appearance of the URL in the browser's address bar is by changing the physical URL. This is basic browser security - the website should not be able to control this behaviour. You don't want the website to be able to pretend to be something it is not (ie. phishing).
However, some browsers do allow the user to control this behaviour to some extent. For example, Opera will show a more friendly URL by default, omitting the HTTP protocol and even the query string. However, this "friendly" display format can be disabled in settings to instead show the complete "real" URL.
Generally, by default, browsers tend to hide the protocol when serving over plain HTTP and show it only when serving over HTTPS - an additional indication to the user that the site is secure. Any attempt to remove the protocol is only going to disturb user trust.

301 Redirect from http to https same page name

Checked the forum but could not find an ideal answer. I have recently installed an SSL certificate on my site and am in the process of creating 301 redirects via the .htaccess file for nearly 400 page URLs (to keep Google happy). I thought of using;
redirect 301 /contact.php https://www.mydomainname.co.uk/contact.php
but it breaks the site. The only solution I have seen is;
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^contact\.php$ https://www.mydomainname.co.uk/contact.php [L,R=301]
The above seems a lot of code to use for each of the 400 pages! Is there a quicker way with less code I can use in the .htaccess file?
Many thanks. Hope someone can advise.
There are two basic ways of redirecting pages with Apache: Redirect (of mod_alias) and RewriteRule etc. (of mod_rewrite).
Redirect is very simple: it will just redirect a single URL to another. It can be useful sometimes, but its usefulness is limited to its simplicity: in the case of HTTP-to-HTTPS redirection, it can't differentiate between HTTP and HTTPS connections, so it will just try to redirect to HTTPS even if you're already on HTTPS (and thus you end up in an infinite redirect loop).
RewriteRule, on the other hand, is more advanced and flexible. You can use RewriteCond to conditionally redirect requests; in your case, you'd want to redirect requests only if they're on an HTTP connection.
As you mentioned, you want to redirect to HTTPS for many (I presume all) requests; you can easily do this with only a single rule:
# Enable rewrites
RewriteEngine on
# Only run next RewriteRule on HTTP connections (not HTTPS)
RewriteCond %{HTTPS} off
# Redirect any page to the same URL with https:// scheme
RewriteRule (.*) https://%{SERVER_NAME}/$1 [L,R=301]
(The %{SERVER_NAME} variable will automatically be equal to your domain name, so you can even use this on web servers with multiple domain names.)
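As an added example (not part of the original answers): the redirect loop described above, and the "too many redirects" from the first question, go away when the Redirect is placed only in the port-80 virtual host. The host name, document root and certificate paths are placeholders, and the Strict-Transport-Security header is an addition that assumes mod_headers is loaded.

```apache
# Constructed example: www.domain.com, /var/www/html and the
# certificate paths are placeholders.

# Loops: a server-wide Redirect also matches requests that already
# arrived over HTTPS, so the browser is sent to the same URL again.
# Redirect permanent / https://www.domain.com/

# Plain-HTTP virtual host: its only job is to redirect.
# Redirect appends the rest of the path, so /signup becomes
# https://www.domain.com/signup.
<VirtualHost *:80>
    ServerName www.domain.com
    ServerAlias domain.com
    Redirect permanent / https://www.domain.com/
</VirtualHost>

# HTTPS virtual host: serves the site and carries no redirect,
# so there is nothing left to loop.
<VirtualHost *:443>
    ServerName www.domain.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem

    # Requires mod_headers. Browsers that have seen this header once
    # go straight to HTTPS for max-age seconds, which removes the
    # plain-HTTP hop that an on-path attacker could tamper with.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```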

301 redirect from another domain

We have a whole bunch of subdomains from another domain that are pointing to our server. So I am trying to do a 301 redirect from any subdomain at that domain to point to ours
eg.
sub1.domain.com 301 redirect to ourdomain.com
sub2.domain.com 301 redirect to ourdomain.com
There could be any number of subdomains pointing to it.
What should the 301 redirect look like for this?
I have this:
RewriteCond %{HTTP_HOST} *\.domain\.net\.au$ [NC]
RewriteRule ^ https://ourdomain.com%{REQUEST_URI} [R=301,L,NE]
but this returns an internal error, if I replace the * with an actual domain it sort of works.
Part two of this question is about https, our site is always https, when you click on a link in google that goes to one of these domains, it tries to take them to https://sub1.domain.com
Even when I put in the redirect, it still tries to go to https://sub1.domain.com, which causes the browser to give a "this is not safe" error, is there any way via the 301, to make it so it goes directly to our domain without it giving the https error on the other domain first?
Here is part one:
RewriteCond %{HTTP_HOST} [^.]+\.domain\.net\.au$
RewriteRule ^ https://ourdomain.com%{REQUEST_URI} [R=301,L]
As for part two, no, that can't be done. HTTPS certificate negotiation has to happen before the connection is established to issue the redirect. All you can do is get a wildcard SSL certificate or provide a valid certificate for the subdomains in some other way. It can't be done without a valid certificate unless you accept the "not safe" errors, which most visitors won't. But once the redirects are in place for a while, the listings will be dropped by Google anyway.

Redirecting HTTP to HTTPS without Redirect 301

I need to have https by default on my site, so I used this .htaccess code to redirect all http traffic to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Everything works great, except that website receives many POST requests coming to old http:// address, and POST data is lost when 301 is used. I can NOT stop POST requests from coming to old http:// address because they come from PHP-based scripts (installed on clients' servers), so my only possible options seem to be 307 or 308 redirects (because they keep POST data).
However, redirect 307 is considered as temporary, while I plan to use https permanently, so it doesn't seem to be the best choice? Of course, I can use 308, but this one seems to be "new" and isn't properly supported by all browsers (according to many comments I found on stackoverflow). Maybe someone knows a better rewrite rule to be used in .htaccess?
P.S. I know the best idea is to use 301 redirect and modify scripts to post data to https by default (and I did so already), but it may take a very long time while all clients will update scripts on their servers, that's why another workaround is needed too.
Keep the 301, change your conditions to these:
RewriteCond %{HTTPS} =off
RewriteCond %{REQUEST_METHOD} !=POST
If your clients' legacy scripts use any other method, you will have to change the second condition to include it, e.g.:
RewriteCond %{REQUEST_METHOD} !^(?:POST|PUT)$
Normal requests/crawling will always start with GET or HEAD thus be forced to use https, so subsequent requests will also use it. Make sure all the URLs in your site's content are relative or root-relative.
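An added example, not from the original answer: the same POST exemption written for the port-80 virtual host, with the exempted requests tagged and logged so the remaining legacy clients can be identified and the exemption retired. The host name, log path and the LEGACY_HTTP_POST variable name are assumptions.

```apache
# Constructed example: www.example.com, the log path and the
# LEGACY_HTTP_POST variable name are placeholders.
<VirtualHost *:80>
    ServerName www.example.com

    RewriteEngine On

    # Everything except POST is sent to HTTPS with a permanent redirect.
    # (%{HTTPS} is always "off" in this virtual host; the condition is
    # kept so the rules read the same as the .htaccess version.)
    RewriteCond %{HTTPS} =off
    RewriteCond %{REQUEST_METHOD} !=POST
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # What is left is a POST over plain HTTP. Leave the URL untouched
    # ("-") and set an environment variable to mark the request.
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteRule ^ - [E=LEGACY_HTTP_POST:1]

    # Log only the marked requests: client address, time, request
    # line, status and User-Agent.
    CustomLog logs/legacy_http_post.log "%h %t \"%r\" %>s \"%{User-Agent}i\"" env=LEGACY_HTTP_POST
</VirtualHost>
```

The bodies of the exempted POSTs still cross the network unencrypted, so this log is also the list of clients to move to https before the exemption is removed.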