1

I've a problem with my .htaccess file. I want to redirect no-www to www and HTTP to HTTPS.

I've tried these files but they don't work...

RewriteEngine On  
RewriteCond %{HTTP_HOST} ^www.example.com$
RewriteRule ^(.*) http://www.example.com/$1 [QSA,L,R=301]

RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L]

And 

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301] 

RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301]

Can you help me?

MrWhite
  • 43,179
  • 8
  • 60
  • 84
Galnash
  • 76
  • 8
  • When you state it "doesn't work", please state exactly what doesn't work - what happens? An error? Undesirable redirect? Nothing? Your second rule block should work. Make sure you've cleared your browser cache as any earlier erroneous 301 redirects are likely to have been cached by the browser. – MrWhite Jan 24 '19 at 16:12
  • @MrWhite Thank you for your response. Nothing happens... If I don't put myself the "s" after http, the redirection doesn't work. I've cleaned cache and cookies for my browsers (Safari and Chrome) and still the same. – Galnash Jan 24 '19 at 16:27
  • Do you have any other directives in your `.htaccess` file? (If so, please post your entire `.htaccess` file in your question - with these directives in-place.) – MrWhite Jan 24 '19 at 16:29
  • @MrWhite No I don't have. Just theses about https and www – Galnash Jan 24 '19 at 16:32
  • Try adding any nonsense to the start of the file - do you get an error? What version of Apache are you running? – MrWhite Jan 24 '19 at 16:35
  • @MrWhite I'm using Apache/2.4.29 (Ubuntu) on a VPS. – Galnash Jan 24 '19 at 16:41
  • And what happens when you type "nonsense" in the file? If you don't get an error then it suggests that `.htaccess` files are not enabled and must be enabled in the server config. eg. `AllowOverride All` in the appropriate `` container. – MrWhite Jan 24 '19 at 17:41
  • Nothing happens. Maybe check the server config like you said @MrWhite – Galnash Jan 24 '19 at 19:06
  • 1
    After change the value off "None" in apache2.conf file (/etc/apache2/apache2.conf), I've this : ` Options Indexes FollowSymLinks AllowOverride All Require all granted ` But, I've an error message when I want to access to my website : **ERR_TOO_MANY_REDIRECTS** I've cleaned my cache and cookies and nothing change. @MrWhite – Galnash Jan 24 '19 at 22:03
  • Is `/var/www/` your DocumentRoot? Do you have any other redirects in the server config? Please confirm the current contents of your `.htaccess` file. Is the SSL cert installed directly on this server? – MrWhite Jan 24 '19 at 22:06
  • I've changed /var/www by /var/www/nameofmywebsite/html. It's in the directory I've my website and my .htaccess. My .htaccess contain : RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://www.mywebsite.com/$1 [L,R=301] RewriteCond %{HTTP_HOST} !^www\. RewriteRule ^(.*)$ https://www.mywebsite/$1 [L,R=301] And yes, directly on the server. (Thank you for your support @MrWhite) – Galnash Jan 24 '19 at 22:43
  • Those directives look OK. As a way to debug this, try temporarily commenting out your existing directives and use the following instead: `RewriteCond %{QUERY_STRING} !^https=` `RewriteRule ^ %{REQUEST_URI}?https=%{HTTPS} [R,L]` (2 lines). You obviously still need the `RewriteEngine` directive at the top. Request a HTTPS URL (not HTTP) on your site, you should see a query string on the URL of the form `?https=` - what follows this? – MrWhite Jan 25 '19 at 11:22
  • @MrWhite It's `?https=off` – Galnash Jan 25 '19 at 22:55
  • Ok, that certainly explains the redirect loop. However, this implies the SSL is managed by a frontend proxy and the SSL cert isn't actually installed directly on the application server (or there is some unusual setup)? Try replacing `%{HTTPS}` in that last `RewriteRule` directive with `%{ENV:HTTPS}` - what do you see now? – MrWhite Jan 25 '19 at 23:11
  • @MrWhite I've change and I've this in my htaccess `RewriteRule ^ %{REQUEST_URI}?https=%{ENV:HTTPS} [R,L]` And I've nothing after `https=` – Galnash Jan 25 '19 at 23:16
  • Ok, that is not unexpected. Try another one... instead of `%{ENV:HTTPS}` try `%{HTTP:X-Forwarded-Proto}`. Now what do you see? – MrWhite Jan 25 '19 at 23:24
  • 1
    @MrWhite I see this : `?https=https` – Galnash Jan 25 '19 at 23:27

1 Answers1

1

The initial problem was that .htaccess files were not enabled in the server config. After setting AllowOverride All in the server config to enable .htaccess files, this resulted in a redirect loop...

You are getting a redirect loop because the HTTPS server variable is reporting "off" when HTTPS is requested. This implies you have a front-end proxy that is handling the SSL connection, and this is confirmed by the fact that the X-Forwarded-Proto HTTP request header (that your application server is seeing) is set to "https". (The X-Forwarded-Proto header is set by the proxy server as the request passes through.)

This implies that the "private" connection between this proxy and your application server is over plain HTTP. But the connection between the proxy and the client is secured by HTTPS. This isn't necessarily a problem, however, it means you need to adjust your directives to check the X-Forwarded-Proto HTTP request header instead of the HTTPS server variable.

For example:

RewriteEngine On

RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L] 

RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

Make sure you clear your browser cache before testing. It is often preferable to test with 302 (temporary) redirects and only change to 301 (permanent) when you are sure it's working OK - to avoid caching issues.

MrWhite
  • 43,179
  • 8
  • 60
  • 84