Some versions of Chrome automatically add https to my site address. So I need to redirect https to http, because I don't have an SSL certificate. I'm trying this, with no result:
<IfModule mod_rewrite.c>
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =https
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
Possible repeat of this question: Nginx redirect to non-https address failes in Firefox. Though they never got round to finding out exactly why this was happening with that person, so hopefully I'll have more luck with you.
So first of all you cannot redirect https to http until after the https connection succeeds - which requires a certificate. To allow this would be a huge security risk and is not the way https works. It's: make the https connection first, then deliver content over https. And a redirect counts as content.
Secondly you need to find out why Chrome redirects to https. Because, depending on why that happens, even if you could redirect back to http if you had a cert, then you might enter a recursive loop. I'd suggest opening Chrome, pressing F12 to open developer tools, going to the Network tab, clicking on "Preserve log", clearing the network tab and then loading the page over http and observing the redirect. If it's a 301 or 302 redirect then it's your server doing it. If it's a 307 redirect then it's due to HSTS. And if it's anything else then it's a front end app issue (i.e. Javascript on the page).
I have a client who just installed an SSL certificate. I added this to the .htaccess file to force users to redirect to https and force them to www:
# Redirect bare domain to www and HTTPS
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule (.*) https://www.twentyteninc.com/$1 [R=301,L]
# Redirect HTTP to HTTPS
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]
I also addressed all the mixed content warnings. Now, everything redirects to https and I get the beautiful lock symbol in all browsers I test with.
Unfortunately, though, some users are still seeing the "Not Secure" messages:
If I run a Qualys SSL Test, it comes back with an A score:
What could be causing this? Why does everything look secure for me but not for some?
My problem was that the WordPress theme the client is using was pulling the favicon over HTTP instead of HTTPS and for whatever reason, my browser (and all the other browsers I tested with) was simply choosing not to load it at all.
This caused me never to get a mixed content warning.
After staring at the screenshot above for long enough, I noticed that the favicon was loading and that it wasn't for me which tipped me off to go digging through the theme for it.
I have a site which is configured to run on https:
https://www.domain.com.au/
I added the following to htaccess right at the top to redirect all non-https queries:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
But, when I access http://www.domain.com.au/ it doesn't redirect as expected and instead I get a 302 redirect to a page that says:
Found
The document has moved here.
Additionally, a 302 Found error was encountered while trying to use an
ErrorDocument to handle the request.
"here" is just a link to the same http URL in the address bar
I was using cloudflare so I have grey clouded the domain to remove
additional confusion and it's been switched off for a day now.
It's a WordPress site and I have W3TC installed which I have also deactivated to remove confusion
I don't know where to look or how to debug? Any advice on where to start looking would be appreciated.
I think you might need to add the [L,R=301] flags to your rule?
Also - you can achieve this within CloudFlare automatically by enabling "Always use HTTPS" (if you have an active CloudFlare SSL certificate) and the 'orange cloud' enabled.
I've searched quite thoroughly and can't find an answer to this...
So basically I have a website set up, www.supersaturated.co.uk all working great with https and the relevant htaccess redirects.
The client has an old website which was secure, www.supersaturated.net. This is now a parked domain on a new hosting account.
The problem I'm having is that the SSL certificate on the new site is only for that .co.uk domain. If someone goes to http://www.supersaturated.net it redirects to the secure .co.uk as it should. But if someone goes to https://www.supersaturated.net it gives the browser warning for an untrusted connection. Is there a way to redirect this or is the browser just seeing the lack of SSL for the .net before even attempting a redirect?
Here is the relevant part of my htaccess file:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.supersaturated\.co\.uk$
RewriteRule (.*) https://www.supersaturated.co.uk/$1 [L,R=301]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Any help is much appreciated.
Yes it is true that browser is seeing the lack of SSL for the .net before even attempting a redirect rule. This is due to the fact that cert negotiation between web server and browser happens before mod_rewrite is invoked (due to security reasons).
First I bought a multi-domains SSL certificate that doesn't allow wildcards (ex. *.mydomain.com).
When I want to connect to my website and if I go through https://mydomain.com it works fine. Now, if I go through https://www.mydomain.com I have a nice alert page from my browser saying I've got to add an exception, blahblahbla... So I understand I've got this alert because the SSL certificate doesn't manage www wildcard.
I decided to create a rule in htaccess in order to redirect user from https://www.mydomain.com to https://mydomain.com. But my browser seems not to understand this rule, and each time I go through https://www.mydomain.com I stay on https://www.mydomain.com.
Here is my rule :
RewriteCond %{HTTP_HOST} ^www\.mydomain\.com$ [NC]
RewriteRule ^(.*)$ https://mydomain.com/$1 [L,R=301]
For information, I use Virtualmin to manage my domains.
Thanks!
Unfortunately .htaccess or mod_rewrite won't be of any help here in eliminating browser security warning.
Reason is that the SSL certificate negotiation happens well before mod_rewrite gets a chance to kick in.
When you buy an SSL cert I believe you get an option for the cert being applicable for both www and non-www domains.
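Both this answer and the earlier one about the parked .net domain rest on the same ordering: the browser validates the certificate against the requested hostname before any HTTP request, so a redirect rule is only reached for hosts the certificate covers. The sketch below is an added example, not code from either post; it applies left-most-label wildcard matching to a constructed SAN list (the `shop.` name is an assumption) to show which redirect sources end in a warning instead of a 301.

```python
def san_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    A wildcard is honoured only as the entire left-most label, so
    "*.mydomain.com" covers "www.mydomain.com" but neither "mydomain.com"
    nor "a.b.mydomain.com".
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse over-broad patterns such as "*.com".
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def uncovered_hosts(cert_sans, served_hosts):
    """Hostnames the site answers on that no certificate name covers."""
    return [h for h in served_hosts
            if not any(san_matches(s, h) for s in cert_sans)]

def redirect_outcome(cert_sans, host, scheme):
    """What a visitor gets for a host that .htaccess redirects elsewhere."""
    if scheme == "http":
        return "redirect"             # no TLS handshake; mod_rewrite answers
    if uncovered_hosts(cert_sans, [host]):
        return "certificate warning"  # validation fails before the 301 is read
    return "redirect"

# Constructed certificate: a multi-domain cert without the www name.
CERT_SANS = ["mydomain.com", "shop.mydomain.com"]
SERVED = ["mydomain.com", "www.mydomain.com"]

if __name__ == "__main__":
    print("not covered:", uncovered_hosts(CERT_SANS, SERVED))
    for scheme in ("http", "https"):
        print(scheme, "www.mydomain.com ->",
              redirect_outcome(CERT_SANS, "www.mydomain.com", scheme))
```

Every hostname that should redirect cleanly over HTTPS has to appear in the certificate served for it, which is why the fix in both threads is a certificate change rather than a rewrite rule.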
I have made 301 redirect to redirect http://domain.com to http://www.domain.com with .htaccess,
I have done it this way.
Options +FollowSymlinks
RewriteEngine on
<IfModule mod_rewrite.c>
Rewritecond %{http_host} ^domain.com [nc]
Rewriterule ^(.*)$ http://www.domain.com/$1 [r=301,nc]
</IfModule>
I wrote this code months ago and it was working fine till now, but now all of a sudden it is showing two URLs in browser history while redirecting properly,
1st url is http://domain.com
2nd url is http://www.domain.com
I removed the line Options +FollowSymlinks, but it still shows two URLs.
Please suggest why I am getting two URLs in browser history when I should be getting just the redirected URL.
Thanks
You are getting 2 URLs in your browser history now probably because you've upgraded your browser, changed browser settings, or are using a different browser. The FollowSymlinks option doesn't have anything to do with the browser's history. It's to tell the webserver that it is ok to follow symlinks in the directory that the option is turned on in.
The reason why you see both URLs in your browser history is because you are going to both URLs.
When you go to http://domain.com, your browser resolves the domain.com host, then sends a request to that host. The response it gets back is essentially "what you are looking for is not here, go to http://www.domain.com instead, and continue to go there the next time you are looking for http://domain.com". The browser then processes the request for http://www.domain.com, by resolving the www.domain.com host, then sending a request to that host.
Thus, you've got a browsing history for http://domain.com, then http://www.domain.com.