Error in sitewide redirect code?

canonicalization issue

         

rns04

4:48 am on Jan 31, 2012 (gmt 0)

10+ Year Member



Hi all,

I think this is a pretty simple issue, I just don't have a lot of experience doing a sitewide redirect from www.example.com to example.com. Based on the nonfunctionality of my redirect, I'm assuming there are some problems with this:

RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]

Could someone point me in the right direction? Thank you!

rns04/newbie.

wilderness

5:00 am on Jan 31, 2012 (gmt 0)

lucy24

5:32 am on Jan 31, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



After you finish reading a few hundred of those 36,800 posts, come back and tell us what happens when you use your existing rule. (Not "It doesn't work." You know what that means, but we don't.) The wording you've got isn't perfect, but it isn't flat-out wrong. It just doesn't cover all possibilities.

g1smd

8:38 am on Jan 31, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



For better coverage of non-canonical URLs to redirect

^www\.example\.com$ [NC]


should be

!^(example\.com)?$


Did you add
RewriteEngine On
before the redirect code?

rns04

3:34 pm on Jan 31, 2012 (gmt 0)

10+ Year Member



Thanks everyone for their replies. By not working, I mean that www.example.com is not redirecting to example.com and none of the subpages are either, so www.example.com/page1.html does not redirect to example.com/page1.html. I'll double check with the webmaster about the RewriteEngine On line, that should be there, though.

lucy24

9:34 pm on Jan 31, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The line

RewriteEngine On

needs to be in each individual .htaccess file that uses mod_rewrite. Unlike some directives, you can't just turn it on "at the top" and let it trickle down to the bottom.

rns04

5:03 pm on Feb 6, 2012 (gmt 0)

10+ Year Member



Ok, thanks again to everyone for their replies.

The issue I am having at present is that the code is working fine otherwise but not working properly on the secure version of example.com. It causes the secure site to prompt that some items on the page may not be secure, etc.

When the rewrite script is removed the error goes away. Is the issue now with the security certificate (which was issued to example.com and not www.example.com)? Do I need to get a certificate for the subject of the rewrite, www.example.com as well, or is there a coding solution to this?

Thanks again for your help and your patience.

g1smd

12:40 am on Feb 7, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You're redirecting some requests that should remain as HTTPS to HTTP. This is what triggers the "mixed security" warnings in your browser.

Jim wrote several very long posts on this topic a while ago. Those posts contain lots of example code and were repeated on a regular basis.

rns04

10:02 pm on Feb 7, 2012 (gmt 0)

10+ Year Member



Thanks g1smd. I'll go look for those posts.

rns04

11:57 pm on Feb 7, 2012 (gmt 0)

10+ Year Member



Actually, I think I can solve this problem if I make sure no secure pages are being indexed. If I take all the secure pages out of the index, will that solve the problem? Any thoughts? Thanks.

lucy24

1:33 am on Feb 8, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You can add something in your RewriteConds to exclude anything using https. Not totally clear on whether you want SERVER_PROTOCOL or HTTPS, but a Forums search should set you straight.

%{HTTPS} sounds as if it's missing a piece, doesn't it? Everything else is two or three words.
Will contain the text "on" if the connection is using SSL/TLS, or "off" otherwise. (This variable can be safely used regardless of whether or not mod_ssl is loaded).

g1smd

1:46 am on Feb 8, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Try %{SERVER_PORT} for wider compatibility. Test for ^443$ and !^443$.

rns04

7:19 pm on Feb 8, 2012 (gmt 0)

10+ Year Member



Perhaps this code will work?

RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]

What are your thoughts? I still have the issue of there being both [example.com...] and [example.com...] pages but that shouldn't be an issue really if robots.txt excludes secure pages from being indexed, correct?

Thanks for all your help.

rns04

12:52 am on Feb 17, 2012 (gmt 0)

10+ Year Member



Hi everyone,

My code above is still creating problems for the secure pages on the site. When the code is in place, Internet Explorer displays the message, "some items may not be secure." Do you have any thoughts on what could be causing this issue?

Thanks again.

lucy24

1:57 am on Feb 17, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Seems far-fetched, but any chance that some of your https: pages are coming in through a different port? What happens if you add the condition

RewriteCond %{SERVER_PROTOCOL} !HTTPS

to cover all bases?

There's also this [httpd.apache.org], cross-referenced from SERVER_PORT under RewriteCond:

With UseCanonicalPhysicalPort On Apache will, when constructing the canonical port for the server to honor the UseCanonicalName directive, provide the actual physical port number being used by this request as a potential port. With UseCanonicalPhysicalPort Off Apache will not ever use the actual physical port number, instead relying on all configured information to construct a valid port number.

Weird. Sounds as if you'd want it to be on, but it's off by default. Am I reading it backward?

g1smd

2:19 am on Feb 17, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Do any of your links on the page hard code the protocol and hostname?

rns04

3:17 pm on Feb 17, 2012 (gmt 0)

10+ Year Member



Hi g1smd -

Yes, the code for the security seal is coded to include "hostname=example.com." It's a GoDaddy security seal and also includes code lines such as

var sealServer=document.location.protocol+"//seals.websiteprotection.com/sealws/127474571171717171.gif";

Not sure what to do, maybe this is specific to GoDaddy. That's my next area of research I suppose.

Thanks for your help.

g1smd

3:28 pm on Feb 17, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



That code ensures a http link appears on a HTTP page and a https link appears on a HTTPS page. That code avoids the error you are reporting.

rns04

3:53 pm on Feb 17, 2012 (gmt 0)

10+ Year Member



Ok. Maybe it's as simple as checking and seeing that all the images presented on the secure site are in a secure folder. Although there aren't any security issues at present when the canonicalization code is not in place - no issues on the www or non-www version of the site. Hmm. Does that sound like a plausible fix? I mean, if there are no security issues the way it is now I would think the issue had to do with the canonicalization code itself...

rns04

11:20 pm on Feb 21, 2012 (gmt 0)

10+ Year Member



So this code is still causing a security error, even though the images are all located in a secure folder. There's only a security issue when this code is implemented.

RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{SERVER_PROTOCOL} !HTTPS
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]

Otherwise the site is fine.

Should I approach this differently? Maybe set up two different robots.txt files, one for the secure and one for the non-secure version of the site? Basically following the instructions laid out in this article? [agilejam.wordpress.com...]

Thanks...

[edited by: engine at 3:26 pm (utc) on Feb 22, 2012]

lucy24

1:16 am on Feb 22, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Oh, wait. Are you redirecting images? You shouldn't need to. Human visitors-- via their browsers-- only ask for images (also css, javascript etc) after arriving on the page that uses them. And by that time you've already got the correct protocol and hostname, so it will automatically be attached to any request.

The vast majority of redirects can be expressed as

RewriteRule ({blahblah}\.html) http://www.example.com/$1 [R=301,L]

--substituting php or whatever your filenames really use, and adding any appropriate conditions.

Matter of fact, you would only ever need to redirect images if it went in the other direction: if a secure page is calling on non-secure images. If you can keep the whole package together-- https on one side, http on the other, with no shared directories-- it should all run more smoothly.

rns04

3:22 am on Feb 22, 2012 (gmt 0)

10+ Year Member



lucy24 - that's interesting. Maybe that's what is causing the issues...if I exclude Google from redirecting that folder, maybe that will fix it. So perhaps something like this


RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{REQUEST_URI} !^/(store/images/.*)$
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ (example.com...) [L,R=301]

I'll try that out tomorrow.

rns04

3:30 am on Feb 22, 2012 (gmt 0)

10+ Year Member



Or rather,

RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{REQUEST_URI} !^/(store/images/.*)$
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]

rns04

3:57 am on Feb 22, 2012 (gmt 0)

10+ Year Member



Or rather, I have to go to the exact subfolder the images are located in, correct? So something like

RewriteEngine On
RewriteCond %{REQUEST_URI} ^(imagefolder).*
RewriteRule .* – [L]
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]

lucy24

6:00 am on Feb 22, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



RewriteCond %{REQUEST_URI} ^(imagefolder).*
RewriteRule .* - [L]

Uh-oh, that hyphen - in your post came through as something odd. An en-dash, maybe. Don't know if Apache would approve.

Try to put as much information as possible into the Rule itself, so Apache doesn't have to go back and check the Condition every single time. In that first rule you don't even need a condition:

RewriteRule ^imagefolder - [L]

Don't need the parentheses since you're not capturing; don't need the trailing .* for the same reason. As written, the rule means "If anyone asks for anything inside /imagefolder/ then don't bother looking for any more Rewrites. Collect $200 and proceed directly to the next module."
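
Added example, not code posted by anyone in this thread: a host canonicalization that keeps every request on the scheme it arrived on, combining g1smd's host pattern with the %{HTTPS} variable lucy24 quotes from the Apache documentation. It assumes Apache itself terminates TLS (no proxy or load balancer in front) and that example.com is the canonical host, as in the thread.

```apache
# Added illustration for a per-directory .htaccess file; example.com is the
# thread's placeholder host, and the TLS-terminated-by-Apache setup is an
# assumption.
RewriteEngine On

# Case 1: the request arrived over TLS with a non-canonical Host header.
# Redirect to the canonical host but stay on https://, so a secure page is
# never bounced to plain HTTP (the downgrade g1smd describes above).
RewriteCond %{HTTPS} =on
RewriteCond %{HTTP_HOST} !^(example\.com)?$ [NC]
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

# Case 2: the request arrived over plain HTTP with a non-canonical Host
# header. Redirect to the canonical host and stay on http://.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} !^(example\.com)?$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

# Notes:
# - The empty alternative in (example\.com)? lets requests without a Host
#   header through unredirected, as in g1smd's pattern.
# - A rule that tests the scheme only to skip HTTPS requests leaves
#   https://www.example.com/ uncanonicalized; Case 1 covers it instead.
# - The redirect is sent only after the TLS handshake completes. With a
#   certificate issued to example.com alone, a browser asking for
#   https://www.example.com/ reports a name mismatch before it ever sees
#   the 301, so the certificate must also cover www.example.com for
#   Case 1 to be reached cleanly.
# - The substitution "-" in a pass-through rule must be an ASCII hyphen.
```

To confirm the behaviour, request a page on each scheme with the www host and check that the Location header of the 301 response keeps the scheme of the request.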