As a small side note, using an .htaccess file is NOT recommended when a sysadmin has access to the server. Htaccess is only used for clients on a host server (such as a godaddy.com website) where the client does NOT have access to configuration files of the server… Although it DOES work, Apache themselves do not recommend it in their online documentation.

> On 1 Feb 2019, at 16:09, R. Diez <rdiezmail-te...@yahoo.de.INVALID> wrote:
>
> Hi all:
>
> I have very little Apache experience. I just occasionally help with a couple
> of websites on 2 different hosting companies of the "inexpensive" variety. I
> want to automatically redirect from somesite.com to www.somesite.com, and
> from http to https.
>
> With difficulty, I have managed to put together (by the copy and paste
> method) the following .htaccess file, which seems to be working fine:
>
> RewriteEngine On
>
> # Redirect from non-www to www, and at the same time to https.
> RewriteCond %{HTTP_HOST} !^www\. [nocase]
> RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [last,redirect=301,noescape]
>
> # Redirect from all other "http://www.blahblah" to https.
> RewriteCond %{HTTP:X-Forwarded-Proto} =http [ornext]
> RewriteCond %{HTTP:X-Forwarded-Proto} =""
> RewriteCond %{HTTPS} !=on
> RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [last,redirect=301,noescape]
>
> It is even generic enough to be used unchanged in both websites.
>
> However, I have heard that it is a bad idea to redirect all http requests to
> https like that, because you are actually bypassing encryption. After all,
> the first http request gets sent unencrypted, and the client will never
> notice. It is best to let all "deep" http links fail, so that the developers
> notice that they are not sending the users to encrypted pages. Only a few,
> selected http pages should still automatically redirect to https.
>
> In my case, that would be just these 2:
>
> http://www.somesite.com -> https://www.somesite.com
> http://somesite.com -> https://www.somesite.com
>
> All other http addresses should fail with 404.
>
> http://www.somesite.com/xxx -> 404 error
> http://somesite.com/xxx -> 404 error
>
> All https requests without www should still be automatically redirected:
>
> https://somesite.com -> https://www.somesite.com
> https://somesite.com/xxx -> https://www.somesite.com/xxx
>
> I have searched around but found no concrete example for this particular
> scenario, which I find surprising, for I thought that this would be the
> normal case for most simple websites.
>
> I have no practice dealing with these rules. I fear that any little mistake
> can have dire consequences to the website. Or severely impact performance.
>
> Could someone with more experience tell me how to write such redirection
> rules? This is something that will probably benefit many other users too.
>
> Many thanks in advance,
> rdiez
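
One way to write the rules asked for in the quoted message, as an added example that is not part of the original thread. It assumes the file sits at the document root, mod_rewrite is enabled, and the host signals the original scheme the way the quoted rules already assume (X-Forwarded-Proto or %{HTTPS}); PLAIN_HTTP is a variable name chosen here.

```apache
RewriteEngine On

# Leave internal redirects alone (ErrorDocument pages and the like), so the
# 404 below can still serve a custom error page without being rewritten again.
RewriteCond %{ENV:REDIRECT_STATUS} !^$
RewriteRule ^ - [last]

# Mark plain-HTTP requests, using the same test as the quoted rules:
# the proxy header says http, or there is no header and the
# connection itself is not TLS.
RewriteCond %{HTTP:X-Forwarded-Proto} =http [ornext]
RewriteCond %{HTTP:X-Forwarded-Proto} =""
RewriteCond %{HTTPS} !=on
RewriteRule ^ - [env=PLAIN_HTTP:1]

# http://somesite.com/xxx and http://www.somesite.com/xxx -> 404.
# A status outside 300-399 drops the substitution and stops rewriting.
RewriteCond %{ENV:PLAIN_HTTP} =1
RewriteCond %{REQUEST_URI} !^/$
RewriteRule ^ - [redirect=404,last]

# Host without www -> https://www.<host><path>. Plain HTTP only gets this
# far for "/", so this rule covers http://somesite.com as well as every
# https://somesite.com/... URL.
RewriteCond %{HTTP_HOST} !^www\. [nocase]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [last,redirect=301,noescape]

# http://www.somesite.com/ -> https://www.somesite.com/
RewriteCond %{ENV:PLAIN_HTTP} =1
RewriteRule ^ https://%{HTTP_HOST}/ [last,redirect=301]
```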