Forcing non-www and https redirects correctly

urzh
Registered User
Posts: 126
Joined: Mon Aug 05, 2019 1:51 pm
Name: Robert

Re: Forcing non-www and https redirects correctly

Post by urzh » Thu Sep 05, 2019 12:57 am

I'm having a different issue now forcing https requests to go to http versions of my site.

I tried to add the following rule:

Code:

# Redirect HTTPS to HTTP
RewriteCond %{HTTP:X-Forwarded-Proto} =https
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

But it's not working at all.

My current htaccess:

Code:

## Mod_rewrite in use.
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www.kingcrabchicago.com [NC]
RewriteRule ^(.*)$ http://kingcrabchicago.com/ [L,R=301]

Any help is appreciated.

3Di
Former Team Member
Posts: 14357
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: Forcing non-www and https redirects correctly

Post by 3Di » Thu Sep 05, 2019 1:04 am

Oops.. misread
I'm having a different issue now forcing https requests to go to http versions of my site.
May I ask you why you want it to be that way?

https://security.stackexchange.com/ques ... ps-website

EA117
Registered User
Posts: 1049
Joined: Wed Aug 15, 2018 3:23 am

Re: Forcing non-www and https redirects correctly

Post by EA117 » Thu Sep 05, 2019 1:34 am

urzh wrote:
Thu Sep 05, 2019 12:57 am
My current htaccess:

Code:

## Mod_rewrite in use.
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www.kingcrabchicago.com [NC]
RewriteRule ^(.*)$ http://kingcrabchicago.com/ [L,R=301]

You can change that existing rule to address both situations, such as shown here:

Code:

## Mod_rewrite in use.
RewriteCond %{HTTPS} =on [OR]
RewriteCond %{HTTP_HOST} ^www.kingcrabchicago.com [NC]
RewriteRule ^(.*)$ http://kingcrabchicago.com/ [L,R=301]

Meaning if someone is already using the correct domain but is on an HTTPS connection, or if someone is using an HTTP connection but has included the www subdomain, either case is going to cause a redirect to http://kingcrabchicago.com/. Which ensures neither condition remains true in the redirected URL.

Same as 3Di is probing, "that seems unusual", since the web server is clearly set up for HTTPS access in order for this rule to be of any use. But this is the .htaccess rule that should do what you're asking for, so long as non-HTTPS access to the site is indeed still allowed by your web server configuration.
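
The rule logic discussed above, modelled in Python as an added example that is not part of the original post and is not Apache code: it checks which requests fire the redirect, that the redirected URL matches neither condition, and that the earlier `X-Forwarded-Proto` condition depends on a request header being present. The names `redirect_target` and `follow` are hypothetical, and the sample requests are constructed.

```python
import re

# Hypothetical model of the .htaccess rule from the post above; this is not
# Apache code, only the same matching logic written out so it can be tested.
CANONICAL = "http://kingcrabchicago.com/"
WWW_HOST = re.compile(r"^www.kingcrabchicago.com", re.IGNORECASE)  # [NC]


def redirect_target(scheme, host, headers=None, use_forwarded_proto=False):
    """Return the 301 Location for a request, or None if the rule does not fire.

    scheme: "http" or "https" as seen by the web server itself (%{HTTPS}).
    headers: request headers, used only for the X-Forwarded-Proto variant.
    """
    headers = headers or {}
    if use_forwarded_proto:
        # First attempt in the thread: %{HTTP:X-Forwarded-Proto} =https
        # reads a request header, normally set by a proxy or load balancer.
        on_tls = headers.get("X-Forwarded-Proto") == "https"
    else:
        # Later version: %{HTTPS} =on reflects the server's own connection.
        on_tls = scheme == "https"
    # RewriteCond ... [OR] RewriteCond ...: either condition triggers the rule.
    if on_tls or WWW_HOST.search(host):
        return CANONICAL
    return None


def follow(scheme, host, max_hops=5):
    """Follow redirects until the rule stops firing; return the URLs visited."""
    visited = [f"{scheme}://{host}/"]
    for _ in range(max_hops):
        target = redirect_target(scheme, host)
        if target is None:
            return visited
        visited.append(target)
        scheme, rest = target.split("://", 1)
        host = rest.split("/", 1)[0]
    raise RuntimeError("redirect loop")


# Constructed sample requests: (scheme, host)
SAMPLES = [("https", "kingcrabchicago.com"), ("http", "www.kingcrabchicago.com"),
           ("https", "WWW.kingcrabchicago.com"), ("http", "kingcrabchicago.com")]

if __name__ == "__main__":
    for scheme, host in SAMPLES:
        print(" -> ".join(follow(scheme, host)))
```

The model only covers requests that have already reached the web server; it says nothing about whether the HTTPS connection itself can be established.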

urzh
Registered User
Posts: 126
Joined: Mon Aug 05, 2019 1:51 pm
Name: Robert

Re: Forcing non-www and https redirects correctly

Post by urzh » Thu Sep 05, 2019 12:19 pm

@3DI, because the site was originally https but for now I've removed it.

@Ea117

I added the below, but when you go to "https://kingcrabchicago.com/" it still does not redirect?

Code:

RewriteCond %{HTTPS} =on [OR]
RewriteCond %{HTTP_HOST} ^www.kingcrabchicago.com [NC]
RewriteRule ^(.*)$ http://kingcrabchicago.com/ [L,R=301]

EA117
Registered User
Posts: 1049
Joined: Wed Aug 15, 2018 3:23 am

Re: Forcing non-www and https redirects correctly

Post by EA117 » Thu Sep 05, 2019 1:54 pm

urzh wrote:
Thu Sep 05, 2019 12:19 pm
I added the below, but when you go to "https://kingcrabchicago.com/" it still does not redirect?

And you do mean you added just the RewriteCond %{HTTPS} =on [OR] line to the existing rule, correct? And not that this entire block you quoted was added after the existing rule? You previously indicated that this is the only rule that exists in the .htaccess file. Is that still true, or is there a complete .htaccess file that we should be looking at in this case?

What I get when going to https://kingcrabchicago.com/ right now is "The requested URL / was not found on this server." But, I'm getting the same "not found on this server" result even for http://kingcrabchicago.com/menus, http://kingcrabchicago.com/in-the-news, etc. So I'm not sure if that's just something else you have in flux on the server right now.

What I do see is that you actually do not have SSL successfully set up on the server right now. Therefore I'm not sure this "HTTPS =on" redirect is really going to work the way you want.

The server appears to currently have a self-signed certificate installed, which isn't going to be trusted by anyone's web browser. So in order to even make an HTTPS connection, visitors are going to have to first accept this "invalid certificate, connect anyway" prompt before there will be an HTTPS connection to even attempt redirecting.

If your hope was that having this redirect would prevent users of https://kingcrabchicago.com/ from seeing this "certificate invalid"-type condition being reported, unfortunately it cannot work that way. The .htaccess rules can only come into play once someone is successfully connected to your site. And in order to get successfully connected to your site over HTTPS right now, they must first accept the "invalid certificate, connect anyway" prompt.

So if your ultimate goal is to send users from https://kingcrabchicago.com/ to http://kingcrabchicago.com/ "silently" without the user seeing any hassle or "danger prompts", you would need to first return to having a working, publicly-trusted certificate installed for the HTTPS connections to your site.

urzh
Registered User
Posts: 126
Joined: Mon Aug 05, 2019 1:51 pm
Name: Robert

Re: Forcing non-www and https redirects correctly

Post by urzh » Thu Sep 05, 2019 2:04 pm

I added it. My entire .htaccess is below. But I think you answered my question. I can't do an https redirect without installing an SSL to begin with, correct? Because I don't have an SSL on this site.

However, I am going to try and do a redirect at my domain provider next.


Thanks.

##
# @package Joomla
# @copyright Copyright (C) 2005 - 2018 Open Source Matters. All rights reserved.
# @license GNU General Public License version 2 or later; see LICENSE.txt
##

##
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE!
#
# The line 'Options +FollowSymLinks' may cause problems with some server configurations.
# It is required for the use of mod_rewrite, but it may have already been set by your
# server administrator in a way that disallows changing it in this .htaccess file.
# If using it causes your site to produce an error, comment it out (add # to the
# beginning of the line), reload your site in your browser and test your sef urls. If
# they work, then it has been set by your server administrator and you do not need to
# set it here.
##

## No directory listings
<IfModule autoindex>
IndexIgnore *
</IfModule>

## Can be commented out if causes errors, see notes above.
Options +FollowSymlinks
Options -Indexes

## Mod_rewrite in use.
RewriteCond %{HTTPS} =on [OR]
RewriteCond %{HTTP_HOST} ^www.kingcrabchicago.com [NC]
RewriteRule ^(.*)$ http://kingcrabchicago.com/ [L,R=301]


## Begin - Rewrite rules to block out some common exploits.
# If you experience problems on your site then comment out the operations listed
# below by adding a # to the beginning of the line.
# This attempts to block the most common type of exploit `attempts` on Joomla!
#
# Block any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block any script that includes a <script> tag in URL.
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block any script trying to modify a _REQUEST variable via URL.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root home page
RewriteRule .* index.php [F]
#
## End - Rewrite rules to block out some common exploits.

# Extra Security Headers
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
</IfModule>

## Begin - Custom redirects
#
# If you need to redirect some pages, or set a canonical non-www to
# www redirect (or vice versa), place that code here. Ensure those
# redirects use the correct RewriteRule syntax and the [R=301,L] flags.
#
## End - Custom redirects

##
# Uncomment the following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root).
##

# RewriteBase /

## Begin - Joomla! core SEF Section.
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
#
## End - Joomla! core SEF Section.


urzh
Registered User
Posts: 126
Joined: Mon Aug 05, 2019 1:51 pm
Name: Robert

Re: Forcing non-www and https redirects correctly

Post by urzh » Thu Sep 05, 2019 3:38 pm

Well, found out I can't do this on the registrar level either.
It's not a big deal anymore, it's just one referrer site that hasn't updated their link to us so I'm going to focus on them doing so.


Thanks for everyone's help again here.
