The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Weird htaccess problem (https://www -> https://)

  • #235923
    Alex Zaworski
    Participant

    I recently set up my first SSL certificate and most things are working fine.

    etcetera. The issue I’m having is that https://www.mydomain does not redirect to https://mydomain, and instead throws an untrusted content warning. I tried to solve that with .htaccess rewrites but I can’t figure it out (the rewrite doesn’t seem to be having any effect at all).

    Here’s my .htaccess file:

    <IfModule mod_rewrite.c>
        Options +FollowSymLinks
        RewriteEngine On
        RewriteCond %{HTTPS} on
        RewriteCond %{HTTP_HOST} ^www\.(.*)
        RewriteRule ^.*$ https://%1/$1 [R=301,L]
        Header add Strict-Transport-Security "max-age=300"
    </IfModule>
    
    # BEGIN GD-SSL
    <IfModule mod_rewrite.c>
    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteCond %{HTTP_USER_AGENT} ^(.+)$
    RewriteCond %{SERVER_NAME} ^dfaofca\.com$
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
    Header add Strict-Transport-Security "max-age=300"
    </IfModule>
    # END GD-SSL
    
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress
    
    #disallow access to config
    <Files wp-config.php>
        order allow,deny
        deny from all
    </Files>
    
    #disable directory browsing
    Options -Indexes
    
    # BEGIN EXPIRES
    <IfModule mod_expires.c>
        ExpiresActive On
        ExpiresDefault "access plus 10 days"
        ExpiresByType text/css "access plus 1 year"
        ExpiresByType text/javascript "access plus 1 year"
        ExpiresByType text/plain "access plus 1 year"
        ExpiresByType image/gif "access plus 1 year"
        ExpiresByType image/png "access plus 1 year"
        ExpiresByType image/jpeg "access plus 1 year"
        ExpiresByType image/svg+xml "access plus 1 year"
        ExpiresByType application/x-javascript "access plus 1 year"
        ExpiresByType application/javascript "access plus 1 year"
        ExpiresByType application/x-icon "access plus 1 year"
    </IfModule>
    # END EXPIRES
    
    # HTACCESS PROTECTION
    <Files ~ "^.*\.([Hh][Tt][Aa])">
     order allow,deny
     deny from all
     satisfy all
    </Files>
    
    AddType image/svg+xml .svg
    AddOutputFilterByType DEFLATE image/svg+xml
    

    The bit I added to try to combat this was the first part:

    <IfModule mod_rewrite.c>
        Options +FollowSymLinks
        RewriteEngine On
        RewriteCond %{HTTPS} on
        RewriteCond %{HTTP_HOST} ^www\.(.*)
        RewriteRule ^.*$ https://%1/$1 [R=301,L]
        Header add Strict-Transport-Security "max-age=300"
    </IfModule>
    

    Which I tested with http://htaccess.madewithlove.be/ and it seems like it should be working… Ideas?

    #235924
    Alex Zaworski
    Participant

    Turns out you just can’t set this up in such a way that the redirect happens before the browser gets mad :(

    #235961
    Alen
    Participant
    #236000
    Alex Zaworski
    Participant

    Thanks @Alen. The issue though is that the browser checks for the cert before handling any of the redirect stuff so you really can’t get around the untrusted content warnings, as far as I’m aware.

    #236039
    Alen
    Participant

    @alexzaworski

    If you’re performing server redirects, the last redirect will be the one that sends the response to the browser. If your certificate is valid everything should work.

    How did you go about registering for SSL? I’ve used Let’s Encrypt and had to generate one myself via SSH. I had to generate a certificate for both domain.com and www.domain.com; could this be your issue? Try making a redirect to a URL where you know the certificate works.

    Here’s my Nginx config and the flow is:

    1. listen on port 80 for both www and non-www and redirect to https
    2. listen on port 443 www and redirect to non-www
    3. listen on port 443 for non-www and return response

    Hope that helps,
    Alen
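
An added example (not part of the thread, and not Alen's Nginx config): a small Python model of the point discussed above, that the certificate for the requested hostname is checked before any redirect from that host can be served. `example.com`, the redirect map and the SAN lists are constructed sample values, and the wildcard rule is a simplified RFC 6125 match.

```python
from urllib.parse import urlsplit

def san_matches(hostname, pattern):
    """Exact match, or '*' as the entire left-most label covering one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Simplification: require at least three labels so "*.com" never matches.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def cert_covers(hostname, sans):
    return any(san_matches(hostname, s) for s in sans)

def follow(url, sans, redirects, max_hops=5):
    """Walk a redirect chain the way a browser would.

    Returns (final_url, None) on success, or (url, reason) at the first hop
    that fails. `redirects` is a hypothetical stand-in for the server's
    rewrite rules: a dict mapping a requested URL to its Location header.
    """
    for _ in range(max_hops):
        parts = urlsplit(url)
        # The TLS handshake comes first: if the certificate does not cover
        # this hostname, the browser warns before any rewrite rule is seen.
        if parts.scheme == "https" and not cert_covers(parts.hostname, sans):
            return url, "certificate does not cover " + parts.hostname
        if url not in redirects:
            return url, None
        url = redirects[url]
    return url, "too many redirects"

# Constructed sample data: the three-step flow from the last post.
REDIRECTS = {
    "http://example.com/": "https://example.com/",
    "http://www.example.com/": "https://example.com/",
    "https://www.example.com/": "https://example.com/",
}
APEX_ONLY = ["example.com"]                # certificate issued for one name
BOTH = ["example.com", "www.example.com"]  # certificate issued for both names

if __name__ == "__main__":
    for sans in (APEX_ONLY, BOTH):
        for start in REDIRECTS:
            print(sans, start, "->", follow(start, sans, REDIRECTS))
```

With the apex-only SAN list, only the `https://www` entry point fails, which matches the symptom in the first post; the plain-HTTP `www` request still redirects cleanly because no certificate is involved on that hop.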
