I've searched quite thoroughly and can't find an answer to this...
So basically I have a website set up, www.supersaturated.co.uk all working great with https and the relevant htaccess redirects.
The client has an old website which was secure, www.supersaturated.net. This is now a parked domain on a new hosting account.
The problem I'm having is that the SSL certificate on the new site is only for that .co.uk domain. If someone goes to http://www.supersaturated.net it redirects to the secure .co.uk as it should. But if someone goes to https://www.supersaturated.net it gives the browser warning for an untrusted connection. Is there a way to redirect this or is the browser just seeing the lack of SSL for the .net before even attempting a redirect?
Here is the relevant part of my htaccess file:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.supersaturated\.co\.uk$
RewriteRule (.*) https://www.supersaturated.co.uk/$1 [L,R=301]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Any help is much appreciated.
Yes, it is true that the browser is seeing the lack of SSL for the .net before even attempting a redirect rule. This is due to the fact that cert negotiation between the web server and the browser happens before mod_rewrite is invoked (for security reasons).
I have a client who just installed an SSL certificate. I added this to the .htaccess file to force users to redirect to https and force them to www:
# Redirect bare domain to www and HTTPS
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule (.*) https://www.twentyteninc.com/$1 [R=301,L]
# Redirect HTTP to HTTPS
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]
I also addressed all the mixed content warnings. Now, everything redirects to https and I get the beautiful lock symbol in all browsers I test with.
Unfortunately, though, some users are still seeing the "Not Secure" messages:
If I run a Qualys SSL Test, it comes back with an A score:
What could be causing this? Why does everything look secure for me but not for some?
My problem was that the WordPress theme the client is using was pulling the favicon over HTTP instead of HTTPS and for whatever reason, my browser (and all the other browsers I tested with) was simply choosing not to load it at all.
This caused me never to get a mixed content warning.
After staring at the screenshot above for long enough, I noticed that the favicon was loading and that it wasn't for me which tipped me off to go digging through the theme for it.
I have searched the site and thought I may have found code I could use for my issue, but it did not work.
I want to redirect my primary domain http to https (also including any form of url typed www. without www., http://www, http://, and even just the domain name without www or http before it), while also not affecting my other domain that is sharing the same hosting within my primary directory (as the SSL I have only used for primary domain, but not used on other domains).
At current, I had code to make the redirect for my primary to https, but it would then make my other domain on same hosting account, also redirect to https.
Then I found code to not affect the other domain and not to redirect to https, but then it affected my primary domain to NOT redirect to https either, it would only redirect to https if with www. or http but would not redirect without the www.
This has been very frustrating because I am VERY new to attempting this type of code, so I don't have a clue what I am doing and could surely use the help. My Godaddy hosting would not help but give link to basic redirect code which does not help for other domains sharing hosting, nor did it work for typing domain without www etc. I hope this made sense.
Thank you in advance.
EDITED possible FIX:
Ok, my code might look a bit wonky and I'm sure it may need cleaning up and possible repetitive stuff removed, but this is what I just patched together from other code offerings I've found on this site, along with others I've found elsewhere and I think it might be working. I'm sure there is a cleaner way to format this, but at current it seems to be working.
# redirect http to https Domain
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} www.yoursite.com [OR,NC]
RewriteCond %{HTTP_HOST} yoursite.com
RewriteRule (.*) https://yoursite.com/$1 [R=301,L]
RewriteCond %{HTTP_HOST} ^www.yoursite.com [NC]
RewriteRule ^(.*)$ http://yoursite.com/$1 [L,R=301]
# redirect to http subdomain
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} ^((?!www).+\.yoursite\.com)$ [NC]
RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
A client of mine wants to change their domain name, but wants to keep their Google ranking. To do this, they've pointed two domain names to the same IP, but we're having an issue where if you visit the site via the old domain, you get a security certificate warning and the page just loads with the old domain name.
What I'd like to do is detect when someone's coming to the site via the old domain and rewrite it to the new domain. For example, if they were to visit example.com/some-page.htm, it would rewrite to https://www.dummy.com/some-page.htm.
I found this code snippet somewhere that purports to do this, but it just brings the site down:
RewriteCond %{HTTP_HOST} !^example.com$ [NC]
RewriteRule ^(.*)$ https://www.dummy.com/$1 [R=301,L]
This is a WordPress site, so I'm using the normal WordPress rewrite rules, and I'm using the HTML5 Boilerplate .htaccess to enable http > https redirects, non-www > www redirects, and force HTTP Strict Transport Security, if any of that makes a difference.
You need to change the condition to:
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$ [NC]
RewriteRule ^ https://www.dummy.com%{REQUEST_URI} [NE,R=301,L]
However, keep in mind that if you visit https://example.com and the certificate is for dummy.com, then the SSL cert warning will still be there, because the SSL handshake happens before mod_rewrite is invoked for redirecting to the new site.
First I bought a multi-domains SSL certificate that doesn't allow wildcards (ex. *.mydomain.com).
When I want to connect to my website and if I go through https://mydomain.com it works fine. Now, if I go through https://www.mydomain.com I have a nice alert page from my browser saying I've got to add an exception, blahblahbla... So I understand I've got this alert because the SSL certificate doesn't manage www wildcard.
I decided to create a rule in htaccess in order to redirect user from https://www.mydomain.com to https://mydomain.com. But my browser seems not to understand this rule, and each time I go through https://www.mydomain.com I stay on https://www.mydomain.com.
Here is my rule:
RewriteCond %{HTTP_HOST} ^www\.mydomain\.com$ [NC]
RewriteRule ^(.*)$ https://mydomain.com/$1 [L,R=301]
For information, I use Virtualmin to manage my domains.
Thanks!
Unfortunately, .htaccess or mod_rewrite won't be of any help here in eliminating the browser security warning.
The reason is that the SSL certificate negotiation happens well before mod_rewrite gets a chance to kick in.
When you buy an SSL cert, I believe you get an option for the cert being applicable for both www and non-www domains.
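An added example, not part of the original answer: a small model of the order of events these answers describe, in which the certificate name check runs first and the redirect rule is only reached if it passes. The function names are hypothetical, the matching is a simplified form of RFC 6125 wildcard rules, and the certificate name lists are constructed around the `mydomain.com` names from the question.

```python
from urllib.parse import urlsplit


def name_matches(pattern, host):
    """Simplified RFC 6125 match: '*' may only be the whole leftmost
    label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(sans, host):
    """True if any subjectAltName entry in `sans` is valid for `host`."""
    return any(name_matches(s, host) for s in sans)


def visit(url, sans, canonical):
    """What a client sees from a server that presents a certificate with
    names `sans` and redirects every request to https://<canonical>."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme == "https" and not cert_covers(sans, host):
        # Validation fails during the TLS handshake. No HTTP request is
        # sent, so the RewriteRule never gets to run.
        return "certificate warning"
    if (parts.scheme, host) == ("https", canonical):
        return "200 OK"
    return f"301 -> https://{canonical}{parts.path or '/'}"


if __name__ == "__main__":
    # Constructed certificate name lists for the scenario in the question.
    for sans in (["mydomain.com"], ["mydomain.com", "www.mydomain.com"],
                 ["*.mydomain.com"]):
        for url in ("http://www.mydomain.com/page", "https://www.mydomain.com/page",
                    "https://mydomain.com/page"):
            print(sans, url, "=>", visit(url, sans, "mydomain.com"))
```

The wildcard-only case shows the reverse gap: `*.mydomain.com` covers `www.mydomain.com` but not the bare `mydomain.com`, so both names need to be on the certificate for the redirect to be reachable over HTTPS.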
We have a site which was https enabled. After a site revamp we have removed the certificate and https://www.foo.com is now http://www.foo.com.
There are many links on other sites, which link to the old https site, over which we have no control. Is there something we can do on our side to redirect these links to the home page at least?
Will url rewriting work in this case?
There were some broken link which we fixed with a custom 404 page and tracking the links.
Does this belong to serverfault?
You're pretty much out of luck - you can do URL rewriting as #Josh says, but before the browser even gets that far, most of them will give the user a big warning message telling them the SSL certificate isn't valid, which will put off most of the visitors.
I'd recommend buying an SSL certificate - they're not so expensive - then doing the rewrite.
using mod_rewrite
# forces everything to non-secure if secure (http)
RewriteCond %{SERVER_PORT} =443
RewriteRule ^(.*)$ http://%{SERVER_NAME}/$1 [R,L]
Josh
The solution for IIS may be ISAPI_Rewrite 3. Here's the .htaccess:
RewriteBase /
RewriteCond %{HTTPS} on
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]