Removing www when using https protocol in htaccess - .htaccess

First I bought a multi-domains SSL certificate that doesn't allow wildcards (ex. *.mydomain.com).
When I want to connect to my website and if I go through https://mydomain.com it works fine. Now, if I go through https://www.mydomain.com I have a nice alert page from my browser saying I've got to add an exception, blahblahbla... So I understand I've got this alert because the SSL certificate doesn't manage www wildcard.
I decided to create a rule in htaccess in order to redirect user from https://www.mydomain.com to https://mydomain.com. But my browser seems not to understand this rule, and each time I go through https://www.mydomain.com I stay on https://www.mydomain.com.
Here is my rule :
RewriteCond %{HTTP_HOST} ^www\.mydomain\.com$ [NC]
RewriteRule ^(.*)$ https://mydomain.com/$1 [L,R=301]
For information, I use Virtualmin to manage my domains.
Thanks!

Unfortunately .htaccess or mod_rewrite won't be of any help here in eliminating browser security warning.
Reason is that the SSL certificate negotiation happens well before mod_rewrite get a chance to kick in.
When you buy SSL cert I believe you get an option for cert being applicable for both www and non-www domains.

Related

Redirecting http://example.com to https://www.dummy.com/ via .htaceess

A client of mine wants to change their domain name, but wants to keep their Google ranking. To do this, they've pointed two domain names to the same IP, but we're having an issue where if you visit the site via the old domain, you get a security certificate warning and the page just loads with the old domain name.
What I'd like to do is detect when someone's coming to the site via the old domain and rewrite it to the new domain. For example, if they where to visit example.com/some-page.htm, it would rewrite to https://www.dummy.com/some-page.htm.
I found this code snippet somewhere that purports to do this, but it just brings the site down:
RewriteCond %{HTTP_HOST} !^example.com$ [NC]
RewriteRule ^(.*)$ https://www.dummy.com/$1 [R=301,L]
This is a WordPress site, so I'm using the normal WordPress rewrite rules, and I'm using the HTML5 Boiler Plate .htacess to enable http > https redriects, non-www > www redirects, and force HTTP Strict Transport Security, if any of that makes a difference.
You need to change condition to:
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$ [NC]
RewriteRule ^ https://www.dummy.com%{REQUEST_URI} [NE,R=301,L]
However keep in mind if you visit https://exampl.com and certificate is for dummy.com then SSL cert warning will still be there because SSL handshakes before mod_rewrite is invoked for redirecting to new site.

htaccess redirect from non-www with https to www with https

I hope this is not a duplicated question, but i can't find the answer to my question. I'm already using an http to https htaccess redirect, which is as follows:
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
This resolves almost any case, except this one: if i call this URL:
https://domain.com
The result is a page with an invalid certificate issue, which is correct because i only have bought certificates for domains with the "www".
My question is: is there a way to create an htaccess redirect from https://domain.com to https with "www"? Or the only solution is buying certificates also for non-www domains?
As an additional note, i specify that we are running a multi-domain website.
Thank you!
Changing your configuration to add the redirect https://example.com => https://www.example.com will not fully solve your problem :
The browser will connect to https://example.com and show the certificate error before getting the redirect information.
You must create a certificate (buy or use let's encrypt for example) for the non-www domain.

Redirecting old HTTPS site with htaccess

I've searched quite thoroughly and can't find an answer to this...
So basically I have a website set up, www.supersaturated.co.uk all working great with https and the relevant htaccess redirects.
The client has an old website which was secure, www.supersaturated.net. This is now a parked domain on a new hosting account.
The problem I'm having is that the SSL certificate on the new site is only for that .co.uk domain. If someone goes to http://www.supersaturated.net it redirects to the secure .co.uk as it should. But if someone goes to https://www.supersaturated.net it gives the browser warning for an untrusted connection. Is there a way to redirect this or is the browser just seeing the lack of SSL for the .net before even attempting a redirect?
Here is the relevant part of my htaccess file:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.supersaturated\.co\.uk$
RewriteRule (.*) https://www.supersaturated.co.uk/$1 [L,R=301]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Any help is much appreciated.
Yes it is true that browser is seeing the lack of SSL for the .net before even attempting a redirect rule. This is due to the fact that cert negotiation between web server and browser happens before mod_rewrite is invoked (due to security reasons).

Redirect https to non-www and http to www

I need a combination of redirects to achieve the following:
To redirect http://example.com to http://www.example.com, while redirecting https://www.example.com to https://example.com.
I would like to force the www prefix do the domain name when the site is accessed over http.
However the SSL certificate only works without the www.
When accessed over https, I don't want the domain name to have the www prefix.
The redirection from https://www.mysite.com to https://mysite.com can only happen after the client has made an initial request to https://www.mysite.com.
For this initial connection to work, the server at https://www.mysite.com must have a certificate valid for www.mysite.com, otherwise, this connection won't even happen (and the server won't send a redirection response).
If you still want a redirection, on the same server, your server must present a certificate that is valid for the host names you want to serve. You should get a certificate with two Subject Alternative Name DNS entries: mysite.com and www.mysite.com; this will allow you to serve both hosts with the same certificate (and then use the rewrite rules if needed).
(You could also use Server Name Indication with two distinct certificates, if you expect the clients to support it, but that's usually for completely different host names.)
It's quite common for CAs to issue certificates that are valid for both mysite.com and www.mysite.com when you apply for one of the other, sometimes without an extra fee.
Put this in your .htaccess file in your non-HTTPS document root:
RewriteCond %{HTTP_HOST} ^mysite.com$
RewriteRule ^(.*)$ http://www.mysite.com/$1 [R]
And this in your HTTPS document root:
RewriteCond %{HTTPS} =on
RewriteCond %{HTTP_HOST} ^www.mysite.com$
RewriteRule ^(.*)$ https://mysite.com/$1 [R]

Force Subdomain to secure.domain.com rather than domain.com/secure

I have an SSL cert on a subdomain we have (secure), however if someone attempts to access the folder using this method:
http://www.domain.com/secure
or https://www.domain.com/secure
It shows the SSL error "ssl_error_bad_cert_domain" which is correct, so what I wanted to do was prevent anyone accessing the secure folder directly, instead forcing them to:
https://secure.domain.com
Which then ensures the SSL cert works correctly.
I am assuming this can be done using the .htaccess file in the subdomain folder (which already forces it to use https), but I'm just not sure how to accomplish it.
Many thanks.
Update 1
Including current subdomains .htaccess
RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
You won't be able to redirect from https://www.domain.com/secure/, because it will attempt to validate the certificate before it attempts any redirect. You'd need a valid certificate covering "www.domain.com" for that to work.
To cover http://www.domain.com/secure, you can use the following.
Redirect 301 /secure/ https://secure.domain.com/

Resources