httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "R. Diez" <>
Subject [users@httpd] Redirection to https only for the top-level page
Date Fri, 01 Feb 2019 16:09:37 GMT
Hi all:

I have very little Apache experience. I just occasionally help with a couple of websites on
2 different hosting companies of the 
"inexpensive" variety. I want to automatically redirect from to,
and from http to https.

With difficulty, I have managed to put together (by the copy and paste method) the following
.htaccess file, which seems to be working fine:

RewriteEngine On

# Redirect from non-www to www, and at the same time to https .
RewriteCond %{HTTP_HOST}  !^www\.  [nocase]
RewriteRule ^  https://www.%{HTTP_HOST}%{REQUEST_URI}  [last,redirect=301,noescape]

# Redirect from all other "http://www.blahblah" auf https .
RewriteCond %{HTTP:X-Forwarded-Proto} =http [ornext]
RewriteCond %{HTTP:X-Forwarded-Proto} =""
RewriteCond %{HTTPS} !=on
RewriteRule ^  https://%{HTTP_HOST}%{REQUEST_URI}  [last,redirect=301,noescape]

It is even generic enough to be used unchanged in both websites.

However, I have heard that it is a bad idea to redirect all http requests to https like that,
because you are actually bypasssing 
encryption. After all, the first http request gets sent unencrypted, and the client will never
notice. It is best to let all "deep" http 
links fail, so that the developers notice that they are not sending the users to encrypted
pages. Only a few, selected http pages should 
still automatically redirect to https.

In my case, that would be just these 2: ->     ->

All other http addresses should fail with 404. -> 404 error     -> 404 error

All https requests without www should still be automatically redirected:     -> ->

I have searched around but found no concrete example for this particular scenario, which I
find surprising, for I thought that this would be 
the normal case for most simple websites.

I have no practice dealing with these rules. I fear that any little mistake can have dire
consequences to the website. Or severely impact 

Could someone with more experience tell me how to write such redirection rules? This is something
that will probably benefit many other 
users too.

Many thanks in advance,

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message