HSTS setup in .htaccess - .htaccess

I am trying to pass the test on https://hstspreload.org/ - However I am getting the following error below:
Error: Subdomain `www.test.com` is a subdomain. Please preload `test.com` instead. (Due to the size of the preload list and the behaviour of cookies across subdomains, we only accept automated preload list submissions of whole registered domains.)
(test.com was added to hide the domain)
My .htaccess file looks as following for HTTPS and HSTS:
RewriteEngine On
RewriteCond %{REQUEST_URI} /(.+)/$
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ https://www.test.com/%1 [R=301,L]
RewriteCond %{REQUEST_URI} !(.+)/$
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+)$ https://www.test.com/$1/ [R=301,L]
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [OR,NC]
RewriteCond %{https} off
RewriteRule ^(.*)$ https://www.test.com/$1 [R=301,L]
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</IfModule>

Try to set the HTTPS rule before the www rule.
This worked for me :
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Related

Can't redirect http requests to https

Hello I want to redirect my http requests to https. I add some code to .htaccess but still I can access to my website with http. What's wrong and what should I do?
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.html$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule . /index.html [L]
</IfModule>
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteOptions inherit
Header set content-Security-Policy: upgrade-insecure-requests
With your shown attempts, could you please try following htaccess rues set. Since you are using inherit option for Rules, so in case you want to apply https in all URLs then better put your htpps rules in your BASE(very first level folder wise) htaccess file and we need not to put them here, if you want to only apply https to URLs which are covered here then use following style rules.
Please make sure to clear your browser cache before testing your URLs.
<IfModule mod_rewrite.c>
RewriteOptions inherit
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,L,R=301]
RewriteBase /
RewriteRule ^index\.html$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule . /index.html [L]
</IfModule>
Header set content-Security-Policy: upgrade-insecure-requests
The following code redirect any URL of your domain to HTTPS version and set HSTS:
#Redirect HTTP a HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#HSTS
<if "%{HTTPS} == 'on'">
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</if>

Rewritecond by `%{HTTP_HOST}` is ignored?

I have multiple domains that point to the same folder on my server. The code in index.php page recognizes which domain is accessing it and shows different content for each domain.
Now I want that www.domain-a.com\sitemap.xml opens /sitemap-a.xml so that each domain has its own sitemap.
I use the following rule in my .htaccess file:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^.*domain-a\.com$
RewriteRule ^sitemap.xml$ sitemap-a.xml [NC]
However, if I access www.domain-a.com\sitemap.xml then the content from the file /sitemap.xml is shown instead of the file sitemap-a.xml.
Is the redirecting rule wrong? If so, how can I fix it?
I am using Laravel. This is the full .htaccess file:
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews -Indexes
</IfModule>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^.*domain-a\.com$
RewriteRule ^sitemap.xml$ sitemap-a.xml [NC]
# browser request: .php to non-php
# https://stackoverflow.com/questions/13222850/redirect-php-urls-to-urls-without-extension
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^\ ]+)\.php
RewriteRule ^/?(.*)\.php$ /$1 [L,R=301]
# Now, rewrite any request to the wrong domain to use www.
# [NC] is a case-insensitive match
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTPS} off
# First rewrite to HTTPS:
# Don't put www. here. If it is already there it will be included, if not
# the subsequent rule will catch it.
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
Can you try this rule just above # Handle Authorization Header line:
RewriteCond %{HTTP_HOST} (?:^|\.)domain-a\.com$ [NC]
RewriteRule ^sitemap\.xml$ /sitemap-a.xml [L,NC]

htaccess: URL with any URI not redirecting to https://www

Currently, this is my .htaccess file:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Redirect to HTTPS
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule !/status https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
# Send would-be 404 requests to Craft
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/(favicon\.ico|apple-touch-icon.*\.png)$ [NC]
RewriteRule (.+) index.php?p=$1 [QSA,L]
# Custom Redirects
Redirect /investors/reporting/estma /investors/investor-reporting/financial-information#estma
RewriteCond %{HTTP_HOST} ^portal\.arcresources\.com [NC]
RewriteRule ^(.*) https://www\.arcresources\.com/portals [L,R=301]
</IfModule>
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
The redirect works fine if you just type the domain, so arcresources.com properly redirects to https://www.arcresources.com. It also works if you include www and any URI, so www.arcresources.com/investors redirects correctly as well.
The problem is typing just the domain + a URI, so arcresources.com/investors redirects to only https://arcresources.com/investors (no www.), resulting in a connection refusal.
I'm sure I'm missing something simple, but all my attempts so far have either added double "www"s or resulted in too many redirects.
Thanks in advance :)
Try it like this:
RewriteEngine On
RewriteBase /
# Redirect HTTP with www to HTTPS with www
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Redirect HTTP without www to HTTPS with www
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Redirect HTTPS without www to HTTPS with www
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Send would-be 404 requests to Craft
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/(favicon\.ico|apple-touch-icon.*\.png)$ [NC]
#RewriteCond %{REQUEST_URI} !index.php [NC]
RewriteRule (.+) index.php?p=$1 [QSA,L]

.htaccess redirect to HTTPS doesn't work correctly

Redirect works only on the first page, http://example.com to https://example.com.
But it doesn't work on subfolders: http://example.com/news or /news/category etc. redirects me to the https://example.com/index.php (My website is on Laravel 5.5).
Any suggestions pls?
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
# ensure https
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
# ensure !www.
RewriteCond %{HTTP_HOST} ^www\.(.*)$
RewriteRule ^(.*)$ https://%1/$1 [L,R=301]
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
Header add Access-Control-Allow-Origin "http://glyphicons.com/"
</IfModule>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
Remember to replace example.com and www.example.com with your actual domain name

RewriteRule one single node to another domain

I want to use one node in Drupal 7 as a landingpage with its own domain.
Both domains are linked to the same folder, showing the same content.
www.domainA.com/landingpage should be www.domainB.com - nothing else ...
RewriteCond %{HTTP_HOST} ^(www.)?domainA.com$
RewriteRule ^landingpage http://www.domainB.com [R=301,L]
And i want domainB.com to show the content of domainB.com/landingpage:
RewriteCond %{HTTP_HOST} ^(www.)?domainB.com$
RewriteRule ^$ /landingpage [P]
This works.
Now I need to redirect all other pages from domainB back to domainA to avoid Duplicate Content:
www.domainB.com/allotherpages should be www.domainA.com/allotherpages
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteCond %{REQUEST_URI} !^/landingpage$ [NC]
RewriteCond %{HTTP_HOST} ^(www\.)?domainB\.com$
RewriteRule ^ http://www.domainA.com [R=301,L]
Alltogether it is (part of htaccess-file of Drupal 7):
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^ - [E=protossl]
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=protossl:s]
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule "(^|/)\." - [F]
RewriteBase /
# HERE STARTS MY CUSTOM RULE-SET:
# Rewrite one node to new Domain:
RewriteCond %{HTTP_HOST} ^(www.)?domainA.com$
RewriteRule ^landingpage http://www.domainB.com [R=301,L]
# Front page of domainB shows content of one node:
RewriteCond %{HTTP_HOST} ^(www.)?domainB.com$
RewriteRule ^$ /landingpage [P]
# Rewrite all other pages from domainB.com to main domainA.com:
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteCond %{REQUEST_URI} !^/landingpage$ [NC]
RewriteCond %{HTTP_HOST} ^(www\.)?domainB\.com$
RewriteRule ^ http://www.domainA.com [R=301,L]
# HERE ENDS MY CUSTOM RULE-SET
<IfModule mod_headers.c>
# Serve gzip compressed CSS files if they exist and the client accepts gzip.
RewriteCond %{HTTP:Accept-encoding} gzip
RewriteCond %{REQUEST_FILENAME}\.gz -s
RewriteRule ^(.*)\.css $1\.css\.gz [QSA]
# Serve gzip compressed JS files if they exist and the client accepts gzip.
RewriteCond %{HTTP:Accept-encoding} gzip
RewriteCond %{REQUEST_FILENAME}\.gz -s
RewriteRule ^(.*)\.js $1\.js\.gz [QSA]
# Serve correct content types, and prevent mod_deflate double gzip.
RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1]
<FilesMatch "(\.js\.gz|\.css\.gz)$">
# Serve correct encoding type.
Header set Content-Encoding gzip
# Force proxies to cache gzipped & non-gzipped css/js files separately.
Header append Vary Accept-Encoding
</FilesMatch>
</IfModule>
</IfModule>
"Works a little bit" – but breaks the layout and everything – i think, because it rewrites everything else (CSS-files), too ...
Can't find a solution for this.
Edit:
This seems to work – thanks to Jon Lin!
RewriteCond %{HTTP_HOST} ^(www.)?domainA\.com$
RewriteRule ^landingpage http://www.domainB.com/ [R=301,L]
RewriteCond %{HTTP_HOST} ^(www.)?www.domainB\.de$
RewriteRule ^$ /landingpage [P]
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteCond %{REQUEST_URI} !\.(css|js|png|svg|ico|jpg)$ [NC]
RewriteCond %{REQUEST_URI} !^/$
RewriteCond %{REQUEST_URI} !^/landingpage$ [NC]
RewriteCond %{HTTP_HOST} ^(www\.)?www.domainB\.de$
RewriteRule ^(.*)$ http://www.domainA.com/$1 [R=301,L]
First, I don't think you need the P flag. Since both domains point to the same place, you don't need to proxy the request:
RewriteCond %{HTTP_HOST} ^(www.)?domainB.com$
RewriteRule ^$ /landingpage [L]
For everything else, you need to capture the request and include that as part of the redirect:
RewriteCond %{REQUEST_URI} !^/$
RewriteCond %{REQUEST_URI} !^/landingpage$ [NC]
RewriteCond %{HTTP_HOST} ^(www\.)?domainB\.com$
RewriteRule ^(.*)$ http://www.domainA.com/$1 [R=301,L]
Before, you were redirecting everything to the landing page of www.domainA.com
If you want to outright prevent css and scripts from being redirected, you can add additional conditions to exclude them:
RewriteCond %{REQUEST_URI} !\.(css|js)$ [NC]
RewriteCond %{REQUEST_URI} !^/$
RewriteCond %{REQUEST_URI} !^/landingpage$ [NC]
RewriteCond %{HTTP_HOST} ^(www\.)?domainB\.com$
RewriteRule ^(.*)$ http://www.domainA.com/$1 [R=301,L]

Resources