It sounds like all your cases can be summed up as: redirect if the protocol is _not_ HTTPS, *or* if the domain is _not_ example.com.

RewriteCond %{SERVER_PROTOCOL} !=HTTPS [OR]
RewriteCond %{HTTP_HOST} !=example.com
RewriteRule (.*) https://example.com/$1 [R=301,L]

> and for the trailing slash being absent in Firefox 20.0.1
> and Chrome 26 (it shows in Explorer 9).

Do you mean the slash after the domain name? Whether the browser's address bar shows this or not is purely a cosmetic decision by the browser, and there isn't any way for us to control that.

What is this line intended to do?

RewriteCond %{HTTP_HOST} .

On the face of it, it means "If the http_host exists" --but there's always a host. The only question is who/what the host is.

The protocol ("http" or "https") is not part of the hostname. But it's the most obvious omission in your existing conditions. There are a couple different ways to extract the protocol; the simplest is the single word HTTPS as in

RewriteCond %{HTTPS} on

(note that it's "off: on", not "true: false")
... or in your case "off", since you want to redirect requests that are already asking for the correct hostname, but need the other protocol. This rule comes after the rule covering requests for other hostnames.

You can collapse them into a single rule, with [OR] in the conditions, if-and-only-if the condition looking at hostname is positive (HTTP_HOST is...) rather than negative (HTTP_HOST is not...). Technically you can combine them anyway, since the conditions are looking at different values. But the combination of [OR] and a negative is just asking for trouble :)

welcome to WebmasterWorld, Chris!


the reason the second attempt didn't work is that HTTP_HOST will not include the protocol.
you might try adding another RewriteCond using %{SERVER_PROTOCOL} as the TestString.

Thanks for your help guys.

Dideved, I tried your solution but I get an internal server error. I'll check it again tomorrow. Yes, I did mean the slash after the domain name.

Lucy 24, I got the first rewrite condition in a post from jdMorgan:

The first RewriteCond is only needed if your server is accessible via HTTP/1.0. True HTTP/1.0 requests do not include the hostname header, so this RewriteCond prevents (big) problems if the request is HTTP/1.0 and the hostname is blank. You can remove this line if you are on a shared name-based server, since such servers cannot be reached with a blank hostname.

I thought I'd leave that condition in the code since I don't see it causing any problems.

I will try to come up with a rule based on your advise and I will get back to you. it's already late here in Australia so I will do that tomorrow.

I got the first rewrite condition in a post from jdMorgan:

D'oh! As soon as I saw the name I remembered that there is one situation where the host is empty-- and I should know this perfectly well because it's part of the usual domain-name-canonicalization redirect. "Exactly such-and-such or exactly nothing."

using %{SERVER_PROTOCOL}

Bingo. That's one of the six alternatives I'd gone blank on :)

Sooner or later you'll have to figure out what to do with people who are using 1.0, though. Some proxies, possibly some satellite connections. I looked it up recently; humans with 1.0 do still exist, though they're not common.

> Dideved, I tried your solution but I get an internal server
> error. I'll check it again tomorrow. Yes, I did mean the
> slash after the domain name.

That's interesting... I tested it on my local server before I posted. Can you let me know what version of Apache you're on? And can you let me know what your error log said after trying this solution?

Didevid,

My Apache version is 2.2.21. As for what the error log said, I was not able to find out. When I check the error log in my cPanel, it does not show any entries! (I will lodge a support ticket with my web host to find out why)

I installed Apache 2.2.21. All default config except that I enabled mod_rewrite and created virtual hosts for the various domains... but the rewrite rules from my first post still worked. :/

So at this point, I can only figure that there's something else in the htaccess or in the main config that's causing a conflict. If you want, you can try to post your whole htaccess and main config, and one of us might be able to spot the issue. Or you can get your host to start logging errors (which is probably a good thing to do anyway).

I have used the following code and it redirects all http domains properly to [example.com:...]

RewriteEngine On
RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} !^example\.com\.au [OR]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://example.com.au/$1 [R=301,L]

If you have any comments about the syntax in the above code, please let me know.

Whilst I was checking if the redirects were working, I found another problem. If the address I enter is [example2.com...] then I get an SSL certificate error message (the SSL certificate is for example.com). If I click on "continue to this website", I am then correctly redirected to [example.com....] Is there a way to avoid the SSL certificate error?

Didevid, there was nothing else in my htaccess so there must be something in the main config that prevents your code to work (I do not have access to that config file).

[edited by: engine at 9:46 am (utc) on May 10, 2013]
[edit reason] examplified [/edit]

RewriteCond %{HTTP_HOST} !^example\.com\.au

Did you intentionally leave off the closing anchor? If a specific port number is required, include it before the closing anchor. If it's optional, the form would be

!^example\.com\.au(:1234)?$

Whenever a rule has more than one condition, list them in order of "most likely to fail". For testing it may be convenient to put them in some other order so it makes intuitive sense-- easier for you to read and debug. But once it's working, go for efficiency. For example, if most of your visitors are already https, put that condition first.

Is there a way to avoid the SSL certificate error?

the secure handshake must occur before the web connection is made, so there's no way to redirect first to avoid that message.

if you are accepting secure connections for example2.com you should have a secure certificate for that hostname.

lucy24,

No, I did not leave off the closing anchor intentionally. My knowledge of htaccess is quite limited. I wrote the code based on code snippets I found on the net and they did not have closing anchors. What is the significance of the closing anchor?

As for the order of my conditions, they were already in the right order (again, not intentionally! :-)) but thanks for the tip. It will certainly be useful in the future.

phranque,

example2.com, example3.com, etc are all domains I bought to prevent competitors from buying them. They do not have a secure certificate. I will ask my web host if there is any way to refuse secure connections for these domains.

Opening and closing anchors are basically what the name says.

foobar = text contains "foobar"
^foobar = text begins "foobar"
foobar$ = text ends "foobar"
^foobar$ = text begins and ends (i.e. is exactly) "foobar"

In the particular case of testing for hosts, leaving off the closing anchor means "there may or may not be a port number here". It's generally only for insurance, since the chances are very small that someone will come in asking for any specific port number, let alone the wrong one. Opening anchors on the other hand are essential because that's where you determine whether the host does or does not include "www." or perhaps a subdomain name.

Anchors aren't specific to htaccess. It's how Regular Expressions work everywhere. The most important .htaccess-specific feature of Regular Expressions is that you have to escape literal spaces, even inside grouping brackets, because a space has syntactic meaning almost everywhere in Apache. Sometimes you also have to escape / slashes, but luckily not in mod_rewrite or mod_alias.

lucy24,

Thank you for the explanation. I will leave the closing anchor off. Nothing wrong with insurance!

Thank you to everyone for the advice. I would not have been able to get my domain redirects working without your help.