Opened 10 years ago

Last modified 10 years ago

#396 new enhancement

Better documentation for HTTPS redirects

Reported by: geofft
Owned by:
Priority: normal
Milestone:
Component: documentation
Keywords:


Apparently the process of making your site automatically redirect from HTTP to HTTPS is way too complicated even by itself, and gets more awful when it interacts with pre-existing .htaccess files. See RT #2670510, which quotes the following configuration:

RewriteEngine On
# Redirect basically everything to
RewriteCond %{SERVER_NAME}
RewriteRule ^(.*)$$1 [B,noescape,redirect=301]

# Force everything to HTTPS, so we don't rely on application-level
# redirects, which can fail
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [B,noescape,redirect=301]

It'd be pretty useful to make this part of official documentation, either by writing it up as an FAQ, or setting up something vaguely along the lines of the /__scripts/needcerts trick to handle redirections. (I suppose that won't work directly, but can we direct users to include a global .htaccess snippet from some path, or something?) In particular, the way in which that code incorporates implementation details of scripts (the scripts and scripts-cert URLs) would be nice to encapsulate from users, if possible.

It's worth noting that this is in practice a prerequisite for turning on HSTS on your site and having it be useful to anyone. Possibly this documentation should also tell you how to enable HSTS via a command in your .htaccess.

See also #187, which is WordPress-specific, and brings up the point that this gets even more complicated when trying to use it in concert with certificate authentication.

Change History (3)

comment:1 Changed 10 years ago by andersk

Unfortunately, that configuration is buggy. For example, redirects to I still don’t know of a way to do this correctly with Apache 2.2.13’s mod_rewrite.

In 2.4.7, things seem to work correctly without [B,noescape] (so just plain [redirect=301]), but in 2.2.13 that results in the query string being double-escaped.
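
A way to test a redirect configuration for the double-escaping described in the comment above, added here as an example; it is not part of the ticket or of the scripts code base. The function names and the example.org sample responses are constructed for illustration, and the host is deliberately not compared because the quoted rules also redirect between hostnames.

```python
from urllib.parse import urlsplit, unquote

def check_https_redirect(request_url, status, location):
    """Return a list of problems with one HTTP -> HTTPS redirect response."""
    problems = []
    req, loc = urlsplit(request_url), urlsplit(location)
    if status != 301:
        problems.append(f"status {status}, expected 301")
    if loc.scheme != "https":
        problems.append(f"Location scheme is {loc.scheme!r}, expected 'https'")
    for part in ("path", "query"):
        sent, got = getattr(req, part), getattr(loc, part)
        if got == sent:
            continue
        # Escaping an already-escaped string turns each '%' into '%25',
        # so decoding the redirect target once gives back what was sent.
        if "%25" in got and unquote(got) == sent:
            problems.append(f"{part} double-escaped: {sent!r} -> {got!r}")
        else:
            problems.append(f"{part} changed: {sent!r} -> {got!r}")
    return problems

# Constructed samples: (request URL, response status, Location header).
SAMPLES = [
    ("http://example.org/wiki/a%20b?q=x%26y", 301,
     "https://example.org/wiki/a%20b?q=x%26y"),      # correct redirect
    ("http://example.org/wiki/a%20b?q=x%26y", 301,
     "https://example.org/wiki/a%20b?q=x%2526y"),    # query escaped twice
    ("http://example.org/login?next=%2Fhome", 302,
     "http://example.org/login?next=%2Fhome"),       # temporary, still HTTP
]

def audit(samples=SAMPLES):
    """Check every sample and return the problem lists in order."""
    return [check_https_redirect(*sample) for sample in samples]

if __name__ == "__main__":
    for sample, problems in zip(SAMPLES, audit()):
        print(sample[0], "->", sample[2], ":", problems or "ok")
```

Feeding it request URLs that already contain percent-escapes in both the path and the query string is what exposes the difference between the flag combinations discussed here.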

comment:3 Changed 10 years ago by andersk

Screw mod_rewrite. With Apache 2.4, here’s what we actually want to document.

<If "%{HTTPS} != 'on' || %{SERVER_NAME} in {'feed', 'feed.scripts', '', 'scripts', '', 'scripts-cert', ''}">
RedirectPermanent /