Posted to users@httpd.apache.org by "R. Diez" <rd...@yahoo.de.INVALID> on 2019/02/01 16:09:37 UTC

[users@httpd] Redirection to https only for the top-level page

Hi all:

I have very little Apache experience. I just occasionally help with a couple of websites on 2 different hosting companies of the 
"inexpensive" variety. I want to automatically redirect from somesite.com to www.somesite.com, and from http to https.

With difficulty, I have managed to put together (by the copy and paste method) the following .htaccess file, which seems to be working fine:

RewriteEngine On

# Redirect from non-www to www, and at the same time to https.
RewriteCond %{HTTP_HOST}  !^www\.  [nocase]
RewriteRule ^  https://www.%{HTTP_HOST}%{REQUEST_URI}  [last,redirect=301,noescape]

# Redirect from all other "http://www.blahblah" to https.
RewriteCond %{HTTP:X-Forwarded-Proto} =http [ornext]
RewriteCond %{HTTP:X-Forwarded-Proto} =""
RewriteCond %{HTTPS} !=on
RewriteRule ^  https://%{HTTP_HOST}%{REQUEST_URI}  [last,redirect=301,noescape]

It is even generic enough to be used unchanged in both websites.

However, I have heard that it is a bad idea to redirect all http requests to https like that, because you are actually bypassing 
encryption. After all, the first http request gets sent unencrypted, and the client will never notice. It is best to let all "deep" http 
links fail, so that the developers notice that they are not sending the users to encrypted pages. Only a few, selected http pages should 
still automatically redirect to https.

In my case, that would be just these 2:

http://www.somesite.com -> https://www.somesite.com
http://somesite.com     -> https://www.somesite.com

All other http addresses should fail with 404.

http://www.somesite.com/xxx -> 404 error
http://somesite.com/xxx     -> 404 error

All https requests without www should still be automatically redirected:

https://somesite.com     -> https://www.somesite.com
https://somesite.com/xxx -> https://www.somesite.com/xxx

I have searched around but found no concrete example for this particular scenario, which I find surprising, for I thought that this would be 
the normal case for most simple websites.

I have no practice dealing with these rules. I fear that any little mistake can have dire consequences to the website. Or severely impact 
performance.

Could someone with more experience tell me how to write such redirection rules? This is something that will probably benefit many other 
users too.

Many thanks in advance,
   rdiez

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Redirection to https only for the top-level page

Posted by Frank Gingras <th...@apache.org>.
If you're stuck with .htaccess, then mod_rewrite is likely your only
recourse.
I would recommend debugging mod_rewrite on your development / staging
server with the rewrite log, too.

Lastly, look up the "http2https" recipe on the httpd wiki.

On Sat, 2 Feb 2019 at 12:51, R. Diez <rd...@yahoo.de.invalid>
wrote:

> First of all, thanks for your answer.
>
> > [...]
> > Htaccess is only used for clients on a host server (such as a godaddy.com website)
> > where the client does NOT have access to configuration files of the server…
>
> That is exactly my case.
>
> HSTS does not seem suitable either.
>
> I hope someone can help me with that kind of .htaccess rules. Most people
> on that sort of cheap server tariff should be using the rules I am looking
> for, so it is not something that would help me alone.
>
> Best regards,
>    rdiez

Re: [users@httpd] Redirection to https only for the top-level page

Posted by "R. Diez" <rd...@yahoo.de.INVALID>.
First of all, thanks for your answer.

> [...]
> Htaccess is only used for clients on a host server (such as a godaddy.com website)
> where the client does NOT have access to configuration files of the server…

That is exactly my case.

HSTS does not seem suitable either.

I hope someone can help me with that kind of .htaccess rules. Most people on that sort of cheap server tariff should be using the rules I am looking 
for, so it is not something that would help me alone.

Best regards,
   rdiez



Re: [users@httpd] Redirection to https only for the top-level page

Posted by angel Hall-Coulston <ra...@me.com.INVALID>.
As a small side note, using an .htaccess file is NOT recommended when a sysadmin has access to the server. Htaccess is only used for clients on a host server (such as a godaddy.com website) where the client does NOT have access to configuration files of the server… Although it DOES work, Apache themselves do not recommend it in their online documentation.



Re: [users@httpd] Redirection to https only for the top-level page

Posted by Dan Ehrlich <da...@ehrlichserver.com.INVALID>.
You’ll want to look into HSTS

https://https.cio.gov/hsts/

Basically it will let the user’s browser know “in advance” to always connect via HTTPS, eliminating the vulnerability of first connecting to a site over HTTP before being redirected.


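The behaviour table from the original question, combined with the HSTS suggestion, written out as an added example (not posted by anyone in the thread). Assumptions: the file is the .htaccess in the document root, mod_rewrite and mod_headers are available, and the max-age value is illustrative. www.somesite.com is the thread's placeholder host, hard-coded here instead of %{HTTP_HOST} so that the Location header does not depend on the client-supplied Host header.

```apache
# Added example: .htaccess in the document root (assumed location).
# Needs mod_rewrite; the HSTS header additionally needs mod_headers.
RewriteEngine On

# A request counts as plaintext when neither this server (HTTPS) nor a
# TLS-terminating proxy in front of it (X-Forwarded-Proto) saw TLS.
# This is the same three-condition test as in the original rules; the
# header is only meaningful where the hoster's proxy sets it.

# 1. Plaintext request for anything below the top-level page: 404, no redirect.
#    In .htaccess the pattern sees the path without its leading slash,
#    so "." matches every path except the top-level page itself.
RewriteCond %{HTTP:X-Forwarded-Proto} =http [ornext]
RewriteCond %{HTTP:X-Forwarded-Proto} =""
RewriteCond %{HTTPS} !=on
RewriteRule .  -  [redirect=404,last]

# 2. Plaintext request for the top-level page: the one allowed http -> https hop.
RewriteCond %{HTTP:X-Forwarded-Proto} =http [ornext]
RewriteCond %{HTTP:X-Forwarded-Proto} =""
RewriteCond %{HTTPS} !=on
RewriteRule ^$  https://www.somesite.com/  [redirect=301,last]

# 3. Whatever reaches this point arrived over https: add "www.", keep the path.
#    The query string is carried over automatically.
RewriteCond %{HTTP_HOST}  !^www\.  [nocase]
RewriteRule ^  https://www.somesite.com%{REQUEST_URI}  [redirect=301,last]

# HSTS: after one https response the browser upgrades later http:// URLs for
# this host by itself. Browsers ignore the header on plaintext responses.
# "always" also attaches it to the 301 sent by rule 3.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>
```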