Redirect https not working as expected - .htaccess

I have a site which is configured to run on https:
https://www.domain.com.au/
I added the following to htaccess right at the top to redirect all non-https queries:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
But, when I access http://www.domain.com.au/ it doesn't redirect as expected and instead I get a 302 redirect to a page that says:
Found
The document has moved here.
Additionally, a 302 Found error was encountered while trying to use an
ErrorDocument to handle the request.
"here" is just a link to the same http URL in the address bar
I was using Cloudflare so I have grey clouded the domain to remove additional confusion and it's been switched off for a day now.
It's a WordPress site and I have W3TC installed which I have also deactivated to remove confusion.
I don't know where to look or how to debug? Any advice on where to start looking would be appreciated.

I think you might need to add the [L,R=301] flags to your rule?
Also - you can achieve this within CloudFlare automatically by enabling "Always use HTTPS" (if you have an active CloudFlare SSL certificate) and the 'orange cloud' enabled.
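Added example, not part of the original posts: a Python check for the "where do I start debugging" question. It walks a recorded redirect chain and flags the symptom described above, a 302 whose Location is the same http URL. The response tables are constructed sample data and audit_redirects is a hypothetical helper name.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

# Constructed sample data: {requested URL: (status, Location header)}.
# BROKEN mirrors the symptom in the question; FIXED is the intended result.
BROKEN = {"http://www.domain.com.au/": (302, "http://www.domain.com.au/")}
FIXED = {
    "http://www.domain.com.au/": (301, "https://www.domain.com.au/"),
    "https://www.domain.com.au/": (200, None),
}

def audit_redirects(start, responses, max_hops=10):
    """Follow recorded redirects from `start`; return a list of findings."""
    findings, seen, url = [], set(), start
    for _ in range(max_hops):
        if url in seen:
            findings.append(f"loop: {url} was already visited")
            return findings
        seen.add(url)
        if url not in responses:
            findings.append(f"no recorded response for {url}")
            return findings
        status, location = responses[url]
        if status not in REDIRECTS:
            # End of the chain: the page itself must be served over HTTPS.
            if urlsplit(url).scheme != "https":
                findings.append(f"final URL is plain HTTP: {url}")
            return findings
        if not location:
            findings.append(f"{status} without a Location header at {url}")
            return findings
        target = urljoin(url, location)  # Location may be relative
        if status in (302, 303, 307):
            findings.append(f"temporary redirect ({status}) at {url}")
        if urlsplit(target).scheme != "https":
            findings.append(f"redirect target is not HTTPS: {target}")
        url = target
    findings.append(f"gave up after {max_hops} hops")
    return findings

if __name__ == "__main__":
    for name, table in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, audit_redirects("http://www.domain.com.au/", table))
```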

Related

Trying to redirect all traffic on site to HTTP (non secure) via .HTACCESS but my rule always causes "The page can't be displayed"

I need to redirect all traffic for my domain to HTTP (non-SSL) and I've found various samples of how to do this, like this:
RewriteEngine On
RewriteCond %{HTTPS} on
#RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
But no matter what I try the page will not load with using the Rewrite rule, getting "The page cannot be displayed".
The HTTP URL that it redirected to in the address bar is correct.
This is a Drupal 7 website.
I've tried placing the rewrite code in the top, bottom and middle of the .HTACCESS file with the same results every time.
I'm out of ideas as to why it won't work. Any ideas?

Some users reporting site not secure

I have a client who just installed an SSL certificate. I added this to the .htaccess file to force users to redirect to https and force them to www:
# Redirect bare domain to www and HTTPS
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule (.*) https://www.twentyteninc.com/$1 [R=301,L]
# Redirect HTTP to HTTPS
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]
I also addressed all the mixed content warnings. Now, everything redirects to https and I get the beautiful lock symbol in all browsers I test with.
Unfortunately, though, some users are still seeing the "Not Secure" messages:
If I run a Qualys SSL Test, it comes back with an A score:
What could be causing this? Why does everything look secure for me but not for some?
My problem was that the WordPress theme the client is using was pulling the favicon over HTTP instead of HTTPS and for whatever reason, my browser (and all the other browsers I tested with) was simply choosing not to load it at all.
This caused me never to get a mixed content warning.
After staring at the screenshot above for long enough, I noticed that the favicon was loading and that it wasn't for me which tipped me off to go digging through the theme for it.
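Added example, not part of the original post: a Python scan for subresources requested over plain HTTP, including the favicon case described above, which a browser may skip silently instead of reporting as mixed content. The sample page and the example.com URLs are constructed, and the class and function names are hypothetical.

```python
from html.parser import HTMLParser

# Elements whose src is fetched as part of rendering the page.
SRC_TAGS = {"img", "script", "iframe", "audio", "video", "source", "embed"}
# <link> is only a subresource for these rel values (canonical, for one, is not).
FETCHED_RELS = {"icon", "apple-touch-icon", "stylesheet", "preload", "manifest"}

class InsecureSubresourceScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, rel, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        rel = a.get("rel", "").lower()
        if tag in SRC_TAGS:
            url = a.get("src", "")
        elif tag == "link" and FETCHED_RELS & set(rel.split()):
            url = a.get("href", "")
        else:
            return  # plain links such as <a href> are navigation, not subresources
        if url.strip().lower().startswith("http://"):
            self.hits.append((tag, rel, url.strip()))

def find_insecure_subresources(html):
    scanner = InsecureSubresourceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits

# Constructed sample page: only the favicon is requested over plain HTTP.
SAMPLE = """<html><head>
<link rel="canonical" href="http://www.example.com/">
<link rel="shortcut icon" href="http://www.example.com/wp-content/themes/demo/favicon.ico">
<link rel="stylesheet" href="https://www.example.com/style.css">
</head><body>
<a href="http://www.example.com/about">About</a>
<img src="//cdn.example.com/logo.png" alt="">
</body></html>"""

if __name__ == "__main__":
    for hit in find_insecure_subresources(SAMPLE):
        print(hit)
```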

Website self-referral

Google Analytics is showing my own root domain is the referral for a large portion of my website's traffic.
So, mywebsite.com is showing as the referrer for www.mywebsite.com.
I have tried adding a referral exclusion within Analytics with no success. I have cleaned my .htaccess which also hasn't been successful.
.htaccess code
RewriteEngine On
Options +FollowSymLinks
# Redirects mywebsite/uk/anypage to mywebsite.eu/anypage
RewriteRule ^uk/(.*)$ /$1 [NC,R=302,NE,L]
# Redirect 404 to index
ErrorDocument 404 /
# Use www version
RewriteCond %{HTTP_HOST} ^mywebsite.eu [NC]
RewriteRule ^(.*)$ http://www.mywebsite.eu/$1 [L,R=301,NC]
This is what it looks like in Analytics:
I've put a lot of time into trying to find the cause so any suggestions, .htaccess related or otherwise, are very welcome
Did you migrate recently to Universal Analytics? It migrates the previous utmz cookie values that stored traffic source, so if your users had self-referrals prior to upgrading to UA, this will persist in your data. Could you check if there are new sessions in this traffic?
Make sure to add to the referral exclusion list your domain with and without the www.
For some reason, on certain sites it likes to have it while on others it does not. I would definitely try this and then see if the future sessions are any more clean before changing too much with the .htaccess.

Redirecting old HTTPS site with htaccess

I've searched quite thoroughly and can't find an answer to this...
So basically I have a website set up, www.supersaturated.co.uk all working great with https and the relevant htaccess redirects.
The client has an old website which was secure, www.supersaturated.net. This is now a parked domain on a new hosting account.
The problem I'm having is that the SSL certificate on the new site is only for that .co.uk domain. If someone goes to http://www.supersaturated.net it redirects to the secure .co.uk as it should. But if someone goes to https://www.supersaturated.net it gives the browser warning for an untrusted connection. Is there a way to redirect this or is the browser just seeing the lack of SSL for the .net before even attempting a redirect?
Here is the relevant part of my htaccess file:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.supersaturated\.co\.uk$
RewriteRule (.*) https://www.supersaturated.co.uk/$1 [L,R=301]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Any help is much appreciated.
Yes, it is true that the browser is seeing the lack of SSL for the .net before even attempting a redirect rule. This is due to the fact that cert negotiation between the web server and browser happens before mod_rewrite is invoked (due to security reasons).

Removing www when using https protocol in htaccess

First I bought a multi-domains SSL certificate that doesn't allow wildcards (ex. *.mydomain.com).
When I want to connect to my website and if I go through https://mydomain.com it works fine. Now, if I go through https://www.mydomain.com I have a nice alert page from my browser saying I've got to add an exception, blahblahbla... So I understand I've got this alert because the SSL certificate doesn't manage www wildcard.
I decided to create a rule in htaccess in order to redirect user from https://www.mydomain.com to https://mydomain.com. But my browser seems not to understand this rule, and each time I go through https://www.mydomain.com I stay on https://www.mydomain.com.
Here is my rule:
RewriteCond %{HTTP_HOST} ^www\.mydomain\.com$ [NC]
RewriteRule ^(.*)$ https://mydomain.com/$1 [L,R=301]
For information, I use Virtualmin to manage my domains.
Thanks!
Unfortunately, .htaccess or mod_rewrite won't be of any help here in eliminating the browser security warning.
The reason is that the SSL certificate negotiation happens well before mod_rewrite gets a chance to kick in.
When you buy an SSL cert, I believe you get an option for the cert being applicable for both www and non-www domains.
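Added example, not from the answers in this thread or the previous one: since the certificate is checked before mod_rewrite runs, every hostname that should redirect over https:// must itself be covered by the certificate. This Python check applies simplified RFC 6125 name matching to the hostnames from both questions; the SAN lists are constructed and the function names are hypothetical.

```python
def san_matches(pattern, hostname):
    """Match one dNSName SAN entry against a hostname (simplified RFC 6125).

    Only a whole left-most "*" label is treated as a wildcard, and it stands
    for exactly one label. Public-suffix rules are not modelled.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "*.mydomain.com" never covers the bare "mydomain.com"
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered_hosts(hosts, san_list):
    """Hosts that fail certificate validation before any redirect can be sent."""
    return [h for h in hosts if not any(san_matches(s, h) for s in san_list)]

# Constructed SAN lists for the hostnames used in the two questions.
HOSTS = ["mydomain.com", "www.mydomain.com"]
CERT_BARE_ONLY = ["mydomain.com"]
CERT_WILDCARD_ONLY = ["*.mydomain.com"]
CERT_BOTH = ["mydomain.com", "www.mydomain.com"]

OLD_AND_NEW = ["www.supersaturated.co.uk", "www.supersaturated.net"]
CERT_CO_UK = ["supersaturated.co.uk", "www.supersaturated.co.uk"]

if __name__ == "__main__":
    print("bare only:    ", uncovered_hosts(HOSTS, CERT_BARE_ONLY))
    print("wildcard only:", uncovered_hosts(HOSTS, CERT_WILDCARD_ONLY))
    print("both names:   ", uncovered_hosts(HOSTS, CERT_BOTH))
    print(".co.uk cert:  ", uncovered_hosts(OLD_AND_NEW, CERT_CO_UK))
```

Any host the function returns will show the browser warning on https:// no matter what the rewrite rules say; the remedy is a certificate that lists that name, not another RewriteRule.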
