Trying to do https and www redirects together

     
2:16 pm on Aug 12, 2019 (gmt 0)

Preferred Member from GB 

10+ Year Member Top Contributors Of The Month

joined:Sept 29, 2009
posts:511
votes: 46


I went over to https today and it's not gone that badly, just a few niggly htaccess issues. I got some code off here but it wasn't working. My host tried to help and said the code I was using was Apache 2 code whereas I'm hosted on Apache 1.3.

I'm trying to get both non-www to www AND http-to-https done at the same time and this is what my host sent me:


RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule (.*) https://www.example.com%{HTTP_HOST}%{REQUEST_URI} [R=301,L]


I ended up in a white screen of death and deleted immediately.

I currently have this, which does the https change but not www:


RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
2:54 pm on Aug 12, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:July 3, 2006
posts: 3153
votes: 7


....whereas I'm hosted on Apache 1.3


Noooo! Really?! Is this a commercial shared server?

I would be interested to see the code that wasn't working and your host said was "Apache 2 code"?

RewriteRule (.*) https://www.example.com%{HTTP_HOST}%{REQUEST_URI} [R=301,L]


Yes, this is wrong (regardless of Apache version). The HTTP_HOST server variable contains the requested hostname, so you are effectively doubling up the hostname in the substitution. eg. https://www.example.comwww.example.com/path/to/foo

To redirect from non-www to www you can add another redirect, following the HTTP to HTTPS redirect. For example:


RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]


NB: There is no need to capture the URL-path (ie. "(.*)") since you are not using this in the substitution.
4:00 pm on Aug 12, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15936
votes: 889


Apache 1.3?! Seriously? What vast benefit--other than incorrect code suggestions--are you getting from a host who is THAT out of date?

I looked it up. Apache 2.0 was released in 2002, with tweaks as recently as 2013. 2.2 was released in 2005, with the last tweaks in 2017. And 2.4 was released in 2012, meaning that it only took my host seven years to catch up. (But they are using this year’s version.) So anyone still using 1.3 is now seventeen years out of date.
The good news is that most aspects of mod_rewrite haven't changed significantly since 1.3. The most common canonicalization redirect for HTTPS and without-www looks something like

RewriteCond %{HTTPS} !on [OR]
RewriteCond %{HTTP_HOST} !^(example\.com)?$
RewriteRule (.*) https://example.com/$1 [R=301,L]

The second condition can perfectly well be expressed as

!^example\.com$

at a savings of three bytes and a few picoseconds of processing time, because if you’re on shared hosting there has to be a VirtualHost envelope, meaning that a hostname has to be specified. It’s just customary to cover all bases by making it optional. And sure, you can use the {REQUEST_URI} option instead of a capture. But the capture version seems cleaner to me.
4:26 pm on Aug 12, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 15, 2003
posts:2645
votes: 7


Apache version aside (and yes you want to be on 2.2!)

There is really only 1 way to redirect HTTPS traffic properly without throwing security warnings, and that is to load the cert, then do the redirect.

The reason is that when a user clicks an HTTPS link the browser wants to verify the server even if the server responds with a redirect. The reason is security, browsers doing it this way makes spoofing and man in the middle attacks harder.


I like doing it right in the virtualhost config.

<VirtualHost *:443>
ServerName www.example.com

# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/apache2/ssl-certs/example.com.cert
SSLCertificateKeyFile /etc/apache2/ssl-certs/example.com.key
SSLCertificateChainFile /etc/apache2/ssl-certs/example.com.chain.crt

RedirectPermanent / https://example.com/
</VirtualHost>
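
The rule sets posted above, modelled in Python to compare the redirect chain each one produces. This is an added example, not code from any poster. It reduces mod_rewrite to a function of scheme, host and path (port 80 is treated as "scheme is http"), and `single_rule` is the one-rule form retargeted at `www.example.com`, which is an assumption about what the OP wants.

```python
from urllib.parse import urlsplit

CANONICAL_HOST = "www.example.com"  # assumption: www is the canonical host

def host_rule(scheme, host, path):
    # Host's suggestion: a fixed hostname AND %{HTTP_HOST} in the substitution.
    if scheme == "http":
        return f"https://www.example.com{host}{path}"
    return None

def current_rule(scheme, host, path):
    # OP's working rule: upgrades to HTTPS but keeps the requested host.
    if scheme == "http":
        return f"https://{host}{path}"
    return None

def two_rules(scheme, host, path):
    # OP's rule, then the non-www -> www rule; [L] stops at the first match.
    first = current_rule(scheme, host, path)
    if first:
        return first
    if host.lower().startswith("example.com"):  # ^example\.com [NC]
        return f"https://{CANONICAL_HOST}{path}"
    return None

def single_rule(scheme, host, path):
    # One rule, two OR'ed conditions: not HTTPS, or not the canonical host.
    if scheme != "https" or host.lower() != CANONICAL_HOST:
        return f"https://{CANONICAL_HOST}{path}"
    return None

def chain(rules, url, max_hops=5):
    """Follow the redirects `rules` would issue; return every URL visited."""
    visited = [url]
    for _ in range(max_hops):
        parts = urlsplit(visited[-1])
        target = rules(parts.scheme, parts.netloc, parts.path or "/")
        if target is None:
            break
        visited.append(target)
    return visited

if __name__ == "__main__":
    start = "http://example.com/page"  # constructed sample request
    for rules in (host_rule, current_rule, two_rules, single_rule):
        # two_rules passes through https://example.com/page, so the bare
        # hostname must answer over HTTPS with a certificate that covers it.
        print(f"{rules.__name__:13s}", " -> ".join(chain(rules, start)))
```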
9:30 pm on Aug 12, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15936
votes: 889


I like doing it right in the virtualhost config.
I’m sure we all do--or would if we could--but OP did explicitly say “htaccess”.
9:40 pm on Aug 12, 2019 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11873
votes: 245


RedirectPermanent / https://example.com/

if you are using mod_rewrite directives anywhere in your .htaccess or server configuration files, you should use mod_rewrite everywhere, avoiding any mod_alias directives for redirect purposes.
this will help avoid chained redirects or exposing internal urls.

The use of RewriteRule to perform this task may be appropriate if there are other RewriteRule directives in the same scope. This is because, when there are Redirect and RewriteRule directives in the same scope, the RewriteRule directives will run first, regardless of the order of appearance in the configuration file.

source: [httpd.apache.org...]
9:46 pm on Aug 12, 2019 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11873
votes: 245


So anyone still using 1.3 is now seventeen years out of date.

specifically, the last security update for apache 1.3 was almost 10 years ago.

source: Apache HTTP Server 1.3 vulnerabilities [httpd.apache.org]
10:56 pm on Aug 12, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15936
votes: 889


almost 10 years ago
Yes, I saw that one too, but figured the key point is that there are three newer whole-number* versions, starting with the one released 17 years ago. Do there exist servers so (physically) ancient, they would melt if you tried to install anything newer than Apache 1.3 on them?

:: vague mental association with Mac System 6.0.8, released purely for those elderly machines that couldn’t handle the move to System 7 ::


* Er, yes, OK, one-decimal-point versions.