I have an SSL cert on a subdomain we have (secure), however if someone attempts to access the folder using this method:
http://www.domain.com/secure
or https://www.domain.com/secure
It shows the SSL error "ssl_error_bad_cert_domain" which is correct, so what I wanted to do was prevent anyone accessing the secure folder directly, instead forcing them to:
https://secure.domain.com
Which then ensures the SSL cert works correctly.
I am assuming this can be done using the .htaccess file in the subdomain folder (which already forces it to use https), but I'm just not sure how to accomplish it.
Many thanks.
Update 1
Including current subdomains .htaccess
RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
You won't be able to redirect from https://www.domain.com/secure/, because it will attempt to validate the certificate before it attempts any redirect. You'd need a valid certificate covering "www.domain.com" for that to work.
To cover http://www.domain.com/secure, you can use the following.
Redirect 301 /secure/ https://secure.domain.com/
Related
I have a domain that needs to be redirected in order to use a shared SSL certificate. I can redirect the domain no problem, the issue I have is the way this leaves the URL formatting i.e.:
http://www.example.com is redirecting to https://myhost.secure.com/www.example.com
I'm looking to hide the "myhost.secure.com/" part using htaccess but can't find a valid way to do it (I'm a complete novice, sorry). Redirect is being done via htaccess using code below:
RewriteEngine on
RewriteBase /
RewriteCond %{ENV:https} !=on
RewriteRule ^(.*) https://myhost.secure.com/www.example.com/$1 [R,L]
How can I modify this to only display my domain and not the full redirected URL? The redirect works correctly, I see the site as it sits in the secure area of my FTP, but I don't want visitors to see the hosts redirect in the URL.
I have a whmcs installation in a /whmcs and wanted to force https to my entire website, so i added a .htacess with this code below in the root of my website :
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
The problem is that whmcs have some issues when modifying something, and also my customers could not attach files on their tickets.
Their support told me to add a .htaccess in /whmcs to override the directives in the root .htacess
I tried many times without success, that's why i am here asking for help.
I have two choices :
1- adding a .htaccess to /whmcs to ignore the redirection made in the root .htacess.
2- modify the root .htaccess to ignore the /whmcs subfolder
Any help is welcome.
You can exclude the /whmcs folder from your rule as
RewriteEngine On
RewriteCond %{HTTPS} =off
RewriteRule ^(?!whmcs/) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,NC,L]
As the other response mentioned, you can try to exclude the rewrite from your whmcs folder, and this seems like a plausible solution.
Something you may want to check is in the WHMCS configuration itself. If in WHMCS > Setup > General Settings you have a non-SSL URL for your System URL and an SSL URL for your System SSL URL, you can get looping. To avoid this, if you are wanting to force SSL across the board, change your System URL to be https://yourdomain and hit save. WHMCS should set only the System URL, and every call to WHMCS will be SSL, and if not, WHMCS will handle the redirection.
First I bought a multi-domains SSL certificate that doesn't allow wildcards (ex. *.mydomain.com).
When I want to connect to my website and if I go through https://mydomain.com it works fine. Now, if I go through https://www.mydomain.com I have a nice alert page from my browser saying I've got to add an exception, blahblahbla... So I understand I've got this alert because the SSL certificate doesn't manage www wildcard.
I decided to create a rule in htaccess in order to redirect user from https://www.mydomain.com to https://mydomain.com. But my browser seems not to understand this rule, and each time I go through https://www.mydomain.com I stay on https://www.mydomain.com.
Here is my rule :
RewriteCond %{HTTP_HOST} ^www\.mydomain\.com$ [NC]
RewriteRule ^(.*)$ https://mydomain.com/$1 [L,R=301]
For information, I use Virtualmin to manage my domains.
Thanks!
Unfortunately .htaccess or mod_rewrite won't be of any help here in eliminating browser security warning.
Reason is that the SSL certificate negotiation happens well before mod_rewrite get a chance to kick in.
When you buy SSL cert I believe you get an option for cert being applicable for both www and non-www domains.
I need a combination of redirects to achieve the following:
To redirect http://example.com to http://www.example.com, while redirecting https://www.example.com to https://example.com.
I would like to force the www prefix do the domain name when the site is accessed over http.
However the SSL certificate only works without the www.
When accessed over https, I don't want the domain name to have the www prefix.
The redirection from https://www.mysite.com to https://mysite.com can only happen after the client has made an initial request to https://www.mysite.com.
For this initial connection to work, the server at https://www.mysite.com must have a certificate valid for www.mysite.com, otherwise, this connection won't even happen (and the server won't send a redirection response).
If you still want a redirection, on the same server, your server must present a certificate that is valid for the host names you want to serve. You should get a certificate with two Subject Alternative Name DNS entries: mysite.com and www.mysite.com; this will allow you to serve both hosts with the same certificate (and then use the rewrite rules if needed).
(You could also use Server Name Indication with two distinct certificates, if you expect the clients to support it, but that's usually for completely different host names.)
It's quite common for CAs to issue certificates that are valid for both mysite.com and www.mysite.com when you apply for one of the other, sometimes without an extra fee.
Put this in your .htaccess file in your non-HTTPS document root:
RewriteCond %{HTTP_HOST} ^mysite.com$
RewriteRule ^(.*)$ http://www.mysite.com/$1 [R]
And this in your HTTPS document root:
RewriteCond %{HTTPS} =on
RewriteCond %{HTTP_HOST} ^www.mysite.com$
RewriteRule ^(.*)$ https://mysite.com/$1 [R]
We have a Wildcard SSL Certificate that is supposed to work on any subdomain of a given domain.
So in this server we have this file structure:
/home/DOMAIN/public_html/subdomainx
/home/DOMAIN/public_html/subdomainy
etc...
Now, the Certificate is installed, but when you visit any subdomain over https (example: hxxps://subdomainx.domain.com ) it points to
/home/DOMAIN/public_html/index.php
We need that when you visit a subdomain via https
hxxps://subdomainx.domain.com
That it points to the the same directory that it's http equivalent:
/home/DOMAIN/public_html/subdomainx
Our provider tells us that this is not possible, that the current behaviour is correct, and that we should do some htaccess to achieve this.
I've tried a few things, incluiding this solution, that seems to be what I need: Advice on Configuring .HTaccess file to Redirect HTTP Subdomain to HTTPS Equivalent
But can't get it to work.
Any tips?
Thanks.
You don't want the [R] flag in your rewrite rule, or the hostname in the target. You want to rewrite the URI so that a "subdomainx" is prepended to it. Something along the lines of:
RewriteEngine On
# We don't want the main domain or www
RewriteCond %{HTTP_HOST} ^((?!www).*)\.domain.com$ [NC]
# Make sure that if we rewrite, the destination actually exists (to prevent loops and properly return 404's)
RewriteCond %{DOCUMENT_ROOT}/%1%{REQUEST_URI} -f [OR]
RewriteCond %{DOCUMENT_ROOT}/%1%{REQUEST_URI} -d
# rewrite
RewriteRule ^(.*)$ /%1/$1 [L]
Note that the %{DOCUMENT_ROOT}/%1%{REQUEST_URI} checks have to be made so that proper 404's get returned without information disclosure. This makes it so when you request for http://test.domain.com/badfile.html, the 404 message says "/badfile.html" is not found, instead of "/test/badfile.html" is not found.