I'm working on a website locally that contains https links, so when I click on one of these links it takes me to https://localhost/... which doesn't exist as there is no SSL certificate installed.
Is there anything I can add to .htaccess that checks if I'm on localhost and if so redirects https to http? The .htaccess file is used in both local development and production on our server so anything I add mustn't affect the live website.
Nope.
Reason is any rules you put in your htaccess file will only get applied once the request has been made, which means it'll only get applied once the https://localhost/ request is made. If there's nothing listening to the HTTPS port (443) on localhost, then the rules will never get applied.
If port 443 is listening for requests on localhost, but it's just a matter of lacking an SSL certificate, the rules still won't get applied until after the SSL handshake is performed, which means, you're still going to get the security warning about your certificate.
That being said, the rules you'd want if you had apache listening to port 443 and have a certificate installed is this:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^localhost$ [NC]
RewriteCond %{HTTPS} on
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [L,R]
Related
I am using AWS Elastic Beanstalk to host my website with Load Balancer over some EC2 instances.
I am using OctoberCMS (a flavour of laravel as a framework)
I have setup SSL Certificate over my ELB via AWS Certificate Manager and all is working fine.
But there is a problem.
I want to redirect HTTP to HTTPS.
According to AWS, I got a small .htaccess snippet to do the job:
Redirect to HTTPS
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule . https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]
However, when a user gets to http://mywebsitesite.com it takes them to https://mywebsitesite.com/index.php hence they start browsing in the manner of https://mywebsitesite.com/index.php/someresource.
Also if you go to http://mywebsitesite.com/someresource, you are redirected back to https://mywebsitesite.com/index.php.
This is not a good experience and I know someone must have encountered this before and is able to redirect to resource properly and remove the index.php
My ELB listener is configured by default to 80 --> 80 and 443 --> 80
Note: I am not encountering a redirect loop.
I'll preface this answer with saying that this is code from the Tomcat Elastic Beanstalk but I believe that it should still work.
I had in my configuration code file:
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]
This was part of a .ebextensions file that configured the Apache proxy which, in my case, was in front of Tomcat.
You can add the following line in .htaccess to hide the index.php from the url after the redirect configuration.
RewriteRule ^(.*)$ /index.php?/$1 [L]
Got a vServer and plesk installed on it (Apache backend, Nginx reverse proxy), plesk is listening on port 8443.
I use the hostname as a domain for easier accesss and SSL certificate domain. So I would like to redirect ALL traffic to specific one:
What I got so far is this rule
return 301 https://www.DOMAIN.com:8443/;
which leads everything to the Plesk Panel URL but if someone is using this
https://DOMAIN.com:8443
he won't be redirected to
https://www.DOMAIN.com:8443
and the SSL certificate won't work (domain based). How can I force every traffic (http and https with the ports 80 and 8443) to
https://www.DOMAIN.com:8443
Thanks in advance
You could HTACCESS to do it:
The Code
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI}:8443 [R=301,L]
What this does is check if the user is trying to access the site without using www and if so redirect to www on the specific port that you wanted.
If you already have your port 80 traffic redirecting to port 8443 and you just want to redirect the rule for www, what I have listed above will work. You can also have mod rewrite redirect based on the port used.
It would look like this:
The Code
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.
RewriteCond %{SERVER_PORT} ^80$
RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI}:8443 [R=301,L]
You would just need to make sure that each virtual host you are using has the mod rewrite rule in place. You might have to create a virtual host for the extra ports you want to use. The only thing these virtual hosts would have is the redirect rule. Otherwise you might get 404 errors.
First I bought a multi-domains SSL certificate that doesn't allow wildcards (ex. *.mydomain.com).
When I want to connect to my website and if I go through https://mydomain.com it works fine. Now, if I go through https://www.mydomain.com I have a nice alert page from my browser saying I've got to add an exception, blahblahbla... So I understand I've got this alert because the SSL certificate doesn't manage www wildcard.
I decided to create a rule in htaccess in order to redirect user from https://www.mydomain.com to https://mydomain.com. But my browser seems not to understand this rule, and each time I go through https://www.mydomain.com I stay on https://www.mydomain.com.
Here is my rule :
RewriteCond %{HTTP_HOST} ^www\.mydomain\.com$ [NC]
RewriteRule ^(.*)$ https://mydomain.com/$1 [L,R=301]
For information, I use Virtualmin to manage my domains.
Thanks!
Unfortunately .htaccess or mod_rewrite won't be of any help here in eliminating browser security warning.
Reason is that the SSL certificate negotiation happens well before mod_rewrite get a chance to kick in.
When you buy SSL cert I believe you get an option for cert being applicable for both www and non-www domains.
I have a few servers behind a Load Balancer running Apache with PHP we're finding that people can't hold an SSL session. You can access any page on the site using https by adding https:// to the URL but when you click a link even though that link will show https you get redirected back to a standard http page.
On the Load Balancer listener page I have it set up as:
HTTP 80 to HTTP 80
TCP (SSL) 443 to TCP 80
I've tried non-TCP and using https and I've tried 443 to 443 but that throws a Server 503 error (server overload). I've added a *:443 VirtualHost on the servers but that didn't work.
I also even tried a:
RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} ^mydomain\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule (.*) https://www.mydomain.com/$1 [R=301,L]
as an .htaccess rule. But users are still being redirected back to HTTP when navigating.
Any ideas?
I would guess the right track is having HTTPS 443 to HTTP 80, not TCP. Can you provide more details about what happens when you configure it this way?
I need a combination of redirects to achieve the following:
To redirect http://example.com to http://www.example.com, while redirecting https://www.example.com to https://example.com.
I would like to force the www prefix do the domain name when the site is accessed over http.
However the SSL certificate only works without the www.
When accessed over https, I don't want the domain name to have the www prefix.
The redirection from https://www.mysite.com to https://mysite.com can only happen after the client has made an initial request to https://www.mysite.com.
For this initial connection to work, the server at https://www.mysite.com must have a certificate valid for www.mysite.com, otherwise, this connection won't even happen (and the server won't send a redirection response).
If you still want a redirection, on the same server, your server must present a certificate that is valid for the host names you want to serve. You should get a certificate with two Subject Alternative Name DNS entries: mysite.com and www.mysite.com; this will allow you to serve both hosts with the same certificate (and then use the rewrite rules if needed).
(You could also use Server Name Indication with two distinct certificates, if you expect the clients to support it, but that's usually for completely different host names.)
It's quite common for CAs to issue certificates that are valid for both mysite.com and www.mysite.com when you apply for one of the other, sometimes without an extra fee.
Put this in your .htaccess file in your non-HTTPS document root:
RewriteCond %{HTTP_HOST} ^mysite.com$
RewriteRule ^(.*)$ http://www.mysite.com/$1 [R]
And this in your HTTPS document root:
RewriteCond %{HTTPS} =on
RewriteCond %{HTTP_HOST} ^www.mysite.com$
RewriteRule ^(.*)$ https://mysite.com/$1 [R]