Opened 8 years ago

Last modified 7 years ago

#396 new enhancement

Better documentation for HTTPS redirects

Reported by: geofft Owned by:
Priority: normal Milestone:
Component: documentation Keywords:
Cc:

Description

Apparently the process of making your site automatically redirect from HTTP to HTTPS is way too complicated even by itself, and gets more awful when it interacts with pre-existing .htaccess files. See RT #2670510, which quotes the following configuration:

RewriteEngine On
# Redirect basically everything to https://feed.mit.edu/
RewriteCond %{SERVER_NAME}
^(feed|feed\.scripts|feed\.scripts\.mit\.edu|scripts|scripts\.mit\.edu|scripts-cert|scripts-cert\.mit\.edu)$
[NC]
RewriteRule ^(.*)$ https://feed.mit.edu/$1 [B,noescape,redirect=301]

# Force everything to HTTPS, so we don't rely on application-level
# redirects, which can fail
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [B,noescape,redirect=301]

It'd be pretty useful to make this part of official documentation, either by writing it up as an FAQ, or setting up something vaguely along the lines of the /__scripts/needcerts trick to handle redirections. (I suppose that won't work directly, but can we direct users to include a global .htaccess snippet from some path, or something?) In particular, the way in which that code incorporates implementation details of scripts (the scripts and scripts-cert URLs) would be nice to encapsulate from users, if possible

It's worth noting that this is in practice a prerequisite for turning on HSTS on your site and having it be useful to anyone. Possibly this documentation should also tell you how to enable HSTS via a command in your .htaccess.

See also #187, which is WordPress-specific, and brings up the point that this gets even more complicated when trying to use it in concert with certificate authentication.

Change History (3)

comment:1 Changed 8 years ago by andersk

Unfortunately, that configuration is buggy. For example, https://feed.scripts.mit.edu/foo/bar redirects to https://feed.mit.edu/foo%2fbar. I still don’t know of a way to do this correctly with Apache 2.2.13’s mod_rewrite.

In 2.4.7, things seem to work correctly without [B,noescape] (so just plain [redirect=301]), but in 2.2.13 that results in the query string being double-escaped.

comment:3 Changed 7 years ago by andersk

Screw mod_rewrite. With Apache 2.4, here’s what we actually want to document.

<If "%{HTTPS} != 'on' || %{SERVER_NAME} in {'feed', 'feed.scripts', 'feed.scripts.mit.edu', 'scripts', 'scripts.mit.edu', 'scripts-cert', 'scripts-cert.mit.edu'}">
RedirectPermanent / https://feed.mit.edu/
</If>
Note: See TracTickets for help on using tickets.