Trying to do https and www redirects together

Forum Moderators: phranque

Message Too Old, No Replies

Trying to do https and www redirects together

ChanandlerBong

2:16 pm on Aug 12, 2019 (gmt 0)

I went over to https today and it's not gone that badly, just a few niggly htaccess issues. I got some code off here but it wasn't working. My host tried to help and said the code I was using was Apache 2 code whereas I'm hosted on Apache 1.3

I'm trying to get both non-www to www AND http-to-https done at the same time and this is what my host sent me:


RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule (.*) https://www.example.com%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

I ended up in a white screen of death and deleted immediately.

I current have this, which does the https change but not www:


RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

penders

2:54 pm on Aug 12, 2019 (gmt 0)

....whereas I'm hosted on Apache 1.3

Noooo! Really?! Is this a commercial shared server?

I would be interested to see the code that wasn't working and your host said was "Apache 2 code"?

RewriteRule (.*) https://www.example.com%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Yes, this is wrong (regardless of Apache version). The HTTP_HOST server variable contains the requested hostname, so you are effectively doubling up the hostname in the substitution. eg. https://www.example.comwww.example.com/path/to/foo

To redirect from non-www to www you can add another redirect, following the HTTP to HTTPS redirect. For example:


RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]

NB: There is no need to capture the URL-path (ie. "(.*)") since you are not using this in the substitution.

lucy24

4:00 pm on Aug 12, 2019 (gmt 0)

Apache 1.3?! Seriously? What vast benefit--other than incorrect code suggestions--are you getting from a host who is THAT out of date?

I looked it up. Apache 2.0 was released in 2002, with tweaks as recently as 2013. 2.2 was released in 2005, with the last tweaks in 2017. And 2.4 was released in 2012, meaning that it only took my host seven years to catch up. (But they are using this year�s version.) So anyone still using 1.3 is now seventeen years out of date.
The good news is that most aspects of mod_rewrite haven't changed significantly since 1.3. The most common canonicalization redirect for HTTPS and without-www looks something like

RewriteCond %{HTTPS} !on [OR]
RewriteCond %{HTTP_HOST} !^(example\.com)?$
RewriteRule (.*) https://example.com/$1 [R=301,L]

The second condition can perfectly well be expressed as
!^example\.com$
at a savings of three bytes and a few picoseconds of processing time, because if you�re on shared hosting there has to be a VirtualHost envelope, meaning that a hostname has to be specified. It�s just customary to cover all bases by making it optional. And sure, you can use the {REQUEST_URI} option instead of a capture. But the capture version seems cleaner to me.

Demaestro

4:26 pm on Aug 12, 2019 (gmt 0)

Apache version aside (and yes you want to be on 2.2!)

There is really only 1 way to redirect HTTPS traffic properly without throwing security warnings, and that is to load the cert, then do the redirect.

The reason is that when a user clicks an HTTPS link the browser wants to verify the server even if the server responds with a redirect. The reason is security, browsers doing it this way makes spoofing and man in the middle attacks harder.

I like doing it right in the virtualhost config.

<VirtualHost *:443>
ServerName www.example.com

# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/apache2/ssl-certs/example.com.cert
SSLCertificateKeyFile /etc/apache2/ssl-certs/example.com.key
SSLCertificateChainFile /etc/apache2/ssl-certs/example.com.chain.crt

RedirectPermanent / https://example.com/
</VirtualHost>

lucy24

9:30 pm on Aug 12, 2019 (gmt 0)

I like doing it right in the virtualhost config.

I�m sure we all do--or would if we could--but OP did explicitly say �htaccess�.

phranque

9:40 pm on Aug 12, 2019 (gmt 0)

RedirectPermanent / https://example.com/

if you are using mod_rewrite directives anywhere in your .htaccess or server configuration files, you should use mod_rewrite everywhere, avoiding any mod_alias directives for redirect purposes.
this will help avoid chained redirects or exposing internal urls.

The use of RewriteRule to perform this task may be appropriate if there are other RewriteRule directives in the same scope. This is because, when there are Redirect and RewriteRule directives in the same scope, the RewriteRule directives will run first, regardless of the order of appearance in the configuration file.

source: [httpd.apache.org...]

phranque

9:46 pm on Aug 12, 2019 (gmt 0)

So anyone still using 1.3 is now seventeen years out of date.

specifically, the last security update for apache 1.3 was almost 10 years ago.

source: Apache HTTP Server 1.3 vulnerabilities [httpd.apache.org]

lucy24

10:56 pm on Aug 12, 2019 (gmt 0)

almost 10 years ago

Yes, I saw that one too, but figured the key point is that there are three newer whole-number* versions, starting with the one released 17 years ago. Do there exist servers so (physically) ancient, they would melt if you tried to install anything newer than Apache 1.3 on them?

:: vague mental association with Mac System 6.0.8, released purely for those elderly machines that couldn�t handle the move to System 7 ::

* Er, yes, OK, one-decimal-point versions.