the first ruleset does not specify the canonical hostname in the substitution string.
the second ruleset will never fire due to the default/implied [AND].

you should essentially combine those rulesets into one:

RewriteEngine On

RewriteCond %{HTTPS} =off [OR]
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ [NC]
RewriteRule (.*) https://www.example.com/$1 [R=301,L]

I fixed that linking problem you had, using (quote) instead of (code) was one cause, not using example.com contributed to it.

This line:

RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301]

is leaving off the www. part - if that code was added by the host, maybe they did not understand what you wanted it to do. Changing it to:

RewriteRule (.*) https://www.example.com/$1 [R=301,L]

should add it.

The next 3 lines sort of repeat and repair the first lines.

The part about "RewriteEngine on" only needs to be there once - if at all.

These lines should come after the index\.(html|php) rewrite and after other rules you may have in your htaccess file.

A domain-name-canonicalization redirect is the last place you want to use %{HTTP_HOST}, since the whole point is to get everyone to the same host, no matter what bizarre version of the name (possibly even including port number) was requested.

Although HTTPS is supposed an absolute toggle--it's either on or off, with no ifs, ands, buts or maybes--it doesn't hurt to express the condition as !on to cover all possibilities.

The domain-name condition is expressed as a negative so it is interpreted as “absolutely anything other than this one and only exact name which is the only name I will accept”.

Although it’s customary to make the hostname optional (“either exactly this or exactly nothing”) it isn’t strictly necessary, since a request with no hostname will never get past the VirtualHost envelope. Which I have to assume you’ve got, unless your site dates back to 1993* and you’re still getting visitors using your numerical IP address.


* My fingers attempted to type 1883.

A domain-name-canonicalization redirect is the last place you want to use %{HTTP_HOST}

That depends if you have any plans to implement HSTS [en.wikipedia.org] and submit to the HSTS preload list [hstspreload.org] - in which case it becomes a requirement to first redirect from HTTP to HTTPS on the same host before canonicalising the domain name (with a possible second redirect).

(Although I'd argue that if you are using .htaccess for this redirect then HSTS may not be the way to go.)

RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301]

Bit of an aside, but you should (always) use the "L" flag with external redirects. Without the L flag, processing continues... if it was caught by the second redirect (although with the original code that wouldn't have happened, because of the conflicting conditions as phranque pointed out) then you'd get a malformed redirect for the form:

https://www.example.com/https://example.com/foo

Thanks for the help everyone!
A special thanks to phranque for the code snippet! (you totally nailed it)

I can't follow everything, nor get my head completely around this aspect of rewrites, but I keep reading and perhaps it will click eventually..

Thanks for everyone's time!
Tera

A special thanks to phranque for the code snippet! (you totally nailed it)

I can't follow everything, nor get my head completely around this aspect of rewrites, but I keep reading and perhaps it will click eventually..

the code snippet i provided does the following:
- if the requested protocol is a non-secure protocol
- or if the requested hostname is not exactly the canonical hostname (or nothing)*
- redirect the requested path to the canonical protocol and hostname with a 301 status code

* the "or nothing" covers the rare case of certain HTTP 1.0 requests when you're not on shared hosting