I'm trying to force all content to use HTTPS.

I added the following rule to my htaccess:

```
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

It works fine for web pages (WordPress). However, images don't get redirected to https. Is there something special about images or other static content? Or is the rule incomplete?

nute
  • To confirm... you are behind an SSL proxy? Where exactly are you putting these directives in relation to your existing rules? Please include the contents of your `.htaccess` file (with these directives in-place). – MrWhite Apr 17 '20 at 10:46
  • The website is behind CloudFlare, and indeed I checked they use the ssl proxy feature of CloudFlare – nute Apr 17 '20 at 11:12
  • Ok, so what about the location of these directives in your `.htaccess` file? Do you have any other `.htaccess` files in subdirectories? The directive you posted looks "OK" when used with an SSL proxy (CloudFlare). There is nothing "special about images or other static content" (providing these are located on your site!). Conflicts with existing directives would be the most probable cause. However, since you are using CloudFlare, you should be configuring a Page Rule to manage the redirect. – MrWhite Apr 17 '20 at 19:14
  • Even with this clean htaccess I had the same issue. But I found a workaround, I did 2 things: (1) enable force-ssl in cloudflare, and (2) `Header always set Content-Security-Policy "upgrade-insecure-requests;"`. Both together got rid of all my "mixed content" warnings. Not sure if this is worth a self-answer? – nute Apr 19 '20 at 07:01
  • Yes, I think you should put that as a _self-answer_. "all my "mixed content" warnings" - the "mixed content" _browser_ warning is not a fault of your redirect - this warning would have occurred _before_ the redirect would have had a chance to trigger (protecting the user from sending - potentially private - data over an insecure connection). The "fault" would seem to be that you still had HTTP links to static resources when the page itself was (redirected to) HTTPS? – MrWhite Apr 19 '20 at 22:04
  • Yes I understood that as well... but even when entering the image URL in the browser it would not redirect. At the end though, my goal was indeed to get rid of the mixed content warnings so that works for me. – nute Apr 20 '20 at 11:26

0 Answers