Welcome to WebmasterWorld Guest from 54.158.248.167

Forum Moderators: Ocean10000 & incrediBILL & phranque

Quick and easy HTTPS htaccess?

     
3:34 pm on Aug 26, 2017 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:Aug 16, 2004
posts: 370
votes: 3


After months of changes to my site structurally, I'm finally ready to move to HTTPS.

My entire site is basic HTML with no CMS etc so I'm "hoping" should be fairly simple.

I currently have rules in my htaccess for non-www so would I keep this in and then add the following to the top of my access file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


After this, I'm guessing I just update Webmastertools, Bing, etc and then hope I've not messed something up?

Am I missing something here?
4:50 pm on Aug 26, 2017 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:3451
votes: 181


There are better methods for this task. The "%{HTTP_HOST}%" does not mean "your domain" it means whatever domain was requested. You can combine a few extra lines to handle incoming and www/non-https requests:

#Redirect invalid and www requests
RewriteCond %{HTTP_HOST} !^(example\.com)?$
RewriteRule (.*) https://example.com/$1 [R=301,L]

RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

You can read more about some "why not" for using the {HTTP_HOST} regex here: [webmasterworld.com...]
5:24 pm on Aug 26, 2017 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:Aug 16, 2004
posts: 370
votes: 3


Thanks. If I wanted to redirect to keep the www. how would your code above be different? Just to clarify, I currently have this in my htaccess for the www part:

RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule (.*) http://www.example.com/$1 [R=301,L]


Also...one other thing, throughout my htaccess file, I have multiple other rules, such as removing .php extensions within a specific folder (that Lucy24 kindly helped me with a while ago. Would I also need to change every rule to include the https? For example:

RewriteCond %{THE_REQUEST} \.php
RewriteRule ^folder/([^.]+)\.php$ http://www.example.com/folder/$1/ [R=301,L]
RewriteRule ^folder/([^.]+[^./])$ http://www.example.com/folder/$1/ [R=301,L]


So would the above, and all other rules within my htacccess need to be slightly amended to show "https"?

Thanks in advance for any help.
5:57 pm on Aug 26, 2017 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:3451
votes: 181


Yes, if the domain is now using SSL and you want to only use https: you should edit those rules. Because there are other rules, be sure that this one for the http requests comes at the end, after those other rewrite rules. To keep www use:
#Redirect invalid and non www requests
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteRule (.*) https://www.example.com/$1 [R=301,L]

RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]


6:18 pm on Aug 26, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14028
votes: 521


add the following to the top of my access file

No. Add it to the bottom of the Rewrite section of your htaccess, after all other redirects (but before internal rewrites, if you've got any). Like the domain-name-canonicalization redirect--which I hope you've already got--this is a catch-all, to be applied only to requests that have not already been redirected for other reasons. In fact, it should be combined with the canonicalization redirect: two different RewriteCond, separated by [OR].

In your htaccess, make sure all existing redirect targets change from http://example.com to https://example.com. If you have an anti-hotlink rule that spells out "^http://example.com", also change that to https.

If you want to be super efficient, put the RewriteCond involving HTTPS first, before the with/without www, because it is more likely to be matched.

There are a few different ways of expressing the RewriteCond--using port#, https, and one or two more that I've just gone blank on. Mine currently looks like this (for a with-www site):
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteRule (.*) https://www.example.com/$1 [R=301,L]

Again, this goes after all other external redirects, but before the ones in [L] alone.
7:12 pm on Aug 26, 2017 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:3451
votes: 181


I just noticed the mention of 'a specific folder' - if, by any chance you have any .htaccess files in folders other than the root, you should test URLs in that folder to be sure they are not accessible via http: because mod_rewrite is not inherited when another .htaccess file is present. If you have htaccess files in folders other than the root directory, you may need to add a rewrite there as well.
7:14 pm on Aug 26, 2017 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:Aug 16, 2004
posts: 370
votes: 3


Nope - just the one htaccess file in the website's root.

Maybe I'm over complicating things here. However, seeing as all my current rules are working, could I not just add the "s" to http on all the rules and then add

RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]

? Again - I'm useless when it comes to this sort of thing so I could be completely wrong here?
7:53 pm on Aug 26, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14028
votes: 521


RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]

#1 You do not need to make a whole new rule. You just need to edit your existing "with/without www" rule to add the new RewriteCond, with [OR] flag between the two Conditions.
#2 Change the R to R=301. Otherwise it defaults to 302, although this is clearly a permanent redirect.

afaik, you're fine saying
%{SERVER_PORT} 80
as an alternative to
%{HTTPS} off
or
%{HTTPS} !on
or
(Dang! what is the third variation? I know there's at least one more...)
if that makes you happy. On shared hosting, it is generally safe to assume that nobody is getting in via some obscure alternative port number; the server won't even be listening on other ports.
12:15 am on Aug 27, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9641
votes: 482


@lee_sufc - I noticed in your first post you have: RewriteCond %{HTTPS} off

You want this set to "on" see steps below...

- Generic Steps to Switch from HTTP to HTTPS

Read all info at your host concerning certificates & switching to HTTPS and when applicable, follow those instructions.

Install security certificate.

Have your host enable HTTPS (if needed.) This will enable access from both HTTP & HTTPS allowing normal access while you test.

Go through site, page by page & make sure all file paths are relative (no protocol.) Test by accessing site using HTTPS and look for any browser alerts.

Install 301 code in .htaccess file
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Note: your server may require a different code

Go through site again, page by page, and test. Any remote absolute links will need to be HTTPS including those found in scripts & pluggins. If you publish Adsence or other advertising, links in these scripts need to be HTTPS also (or just remove the protocol altogether.)

Update sitemap.xml (if applicable) and submit to appropriate agencies (Google, Bing, Yandex, etc)

In Google Search Council create a new site using HTTPS (do not use the Change of Address form.) It will take a few days to start populating information. This is normal & traffic to old site (HTTP) will drop off accordingly.

Bing Webmaster Tools, Yandex & others should update automatically once they crawl your new pages. Updating/re-submitting sitemap.xml should speed up this process.
1:20 am on Aug 27, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts: 10980
votes: 84


@lee_sufc - I noticed in your first post you have: RewriteCond %{HTTPS} off

You want this set to "on" see steps below...

this isn't a https "setting", it's a conditional test for which web protocol was requested before firing the following RewriteRule.

RewriteCond %{HTTPS} !=on

this is equivalent.
see lucy24's post above...
1:26 am on Aug 27, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts: 10980
votes: 84


Maybe I'm over complicating things here. However, seeing as all my current rules are working, could I not just add the "s" to http on all the rules and then add...

that's essentially what you want to do but i would combine the conditional as suggested above.
either:
RewriteCond %{HTTPS} =off [OR]
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteRule (.*) https://www.example.com/$1 [R=301,L]

or:
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteRule (.*) https://www.example.com/$1 [R=301,L]

or:
RewriteCond %{SERVER_PORT} =80 [OR]
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteRule (.*) https://www.example.com/$1 [R=301,L]
1:31 am on Aug 27, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts: 10980
votes: 84


RewriteCond %{SERVER_PORT} 80

afaik, you're fine saying
%{SERVER_PORT} 80
as an alternative to
%{HTTPS} off
or
%{HTTPS} !on


http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#RewriteCond
Remember: CondPattern is a perl compatible regular expression with some additions:

1. You can prefix the pattern string with a '!' character (exclamation mark) to specify a non-matching pattern.
2. There are some special variants of CondPatterns. Instead of real regular expression strings you can also use one of the following:
...
'=CondPattern' (lexicographically equal) Treats the CondPattern as a plain string and compares it lexicographically to TestString. True if TestString is lexicographically equal to CondPattern (the two strings are exactly equal, character for character). If CondPattern is "" (two quotation marks) this compares TestString to the empty string.