Opened 10 years ago
Last modified 10 years ago
#396 new enhancement
Better documentation for HTTPS redirects
| Reported by: | geofft | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | documentation | Keywords: | |
| Cc: |
Description
Apparently the process of making your site automatically redirect from HTTP to HTTPS is way too complicated even by itself, and gets more awful when it interacts with pre-existing .htaccess files. See RT #2670510, which quotes the following configuration:
RewriteEngine On
# Redirect basically everything to https://feed.mit.edu/
RewriteCond %{SERVER_NAME}
^(feed|feed\.scripts|feed\.scripts\.mit\.edu|scripts|scripts\.mit\.edu|scripts-cert|scripts-cert\.mit\.edu)$
[NC]
RewriteRule ^(.*)$ https://feed.mit.edu/$1 [B,noescape,redirect=301]
# Force everything to HTTPS, so we don't rely on application-level
# redirects, which can fail
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [B,noescape,redirect=301]
It'd be pretty useful to make this part of official documentation, either by writing it up as an FAQ, or setting up something vaguely along the lines of the /__scripts/needcerts trick to handle redirections. (I suppose that won't work directly, but can we direct users to include a global .htaccess snippet from some path, or something?) In particular, the way in which that code incorporates implementation details of scripts (the scripts and scripts-cert URLs) would be nice to encapsulate from users, if possible
It's worth noting that this is in practice a prerequisite for turning on HSTS on your site and having it be useful to anyone. Possibly this documentation should also tell you how to enable HSTS via a command in your .htaccess.
See also #187, which is WordPress-specific, and brings up the point that this gets even more complicated when trying to use it in concert with certificate authentication.
Change History (3)
comment:1 Changed 10 years ago by andersk
comment:2 Changed 10 years ago by andersk
This might be https://issues.apache.org/bugzilla/show_bug.cgi?id=50447.
comment:3 Changed 10 years ago by andersk
Screw mod_rewrite. With Apache 2.4, here’s what we actually want to document.
<If "%{HTTPS} != 'on' || %{SERVER_NAME} in {'feed', 'feed.scripts', 'feed.scripts.mit.edu', 'scripts', 'scripts.mit.edu', 'scripts-cert', 'scripts-cert.mit.edu'}">
RedirectPermanent / https://feed.mit.edu/
</If>
Unfortunately, that configuration is buggy. For example, https://feed.scripts.mit.edu/foo/bar redirects to https://feed.mit.edu/foo%2fbar. I still don’t know of a way to do this correctly with Apache 2.2.13’s mod_rewrite.
In 2.4.7, things seem to work correctly without [B,noescape] (so just plain [redirect=301]), but in 2.2.13 that results in the query string being double-escaped.