Correct way to redirect HTTP to HTTPS?
Hello,
I want to redirect all HTTP sites to HTTPS. No more insecure accesses. So, (all folders + parameters).
About .htaccess, I found
But now I'm concerned about SSL cert renews, Comodo & Let's Encrypt... so I found on Google:
So, what's the correct way to do this? cPanel can do this automatically? Thanks
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]But now I'm concerned about SSL cert renews, Comodo & Let's Encrypt... so I found on Google:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^ https://www.example.com%{REQUEST_URI} [L,R=301]So, what's the correct way to do this? cPanel can do this automatically? Thanks
-
Hi The .htaccess doesn't care where you get the SSL cert from. The best way I have found to use only SSL is RewriteEngine On RewriteCond %{SERVER_PORT} 80 RewriteCond %{HTTP_HOST} ^(www\.)?foo\.com RewriteRule ^(.*)$ https://www.foo.com/$1 [R,L] RewriteEngine On
Thanks Peter0 -
The second one looks to be doing pretty much the same thing as the first, just excluding requests that start with the directories for SSL verification purposes, assuming %{HTTP_HOST} and www.foo.com are the same. I would think you could use a hybrid of the two, or just the second one. You'd need to test this, but it might work: RewriteEngine On RewriteCond %{HTTPS} !=on RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$ RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$ RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
If you where to translate that to plain english, I would think this says: If HTTPS is not on AND the request isn't in a directory starting with this regex [0-9]+\..+\.cpaneldcv AND isn't in the directory path starting with .well-known/pki-validation then redirect this request permanently ( 301 ) to the https version of this request. Does that make sense?0 -
Hey there, thanks. Yes, I agree, %{HTTP_HOST} can replace the domain directly. Probably the 2 lines are necessary. "cpaneldcv" for some cPanel service and ".well-known" to renew the SSL cert(s). There is no way to cPanel do this automatically? cPanel will fail to renew the SSL cert if I use the first one? 0 -
Hi guys, With cPanel v74 which is now in CURRENT, we are also implementing a fallback to DNS DCV checks in the event the HTTP DCV check fails. This should alleviate any issues where the .htaccess exception added to the redirect doesn't allow the DCV check to complete. @Rogerio The exception rule you're referencing should be added automatically to redirects in the .htaccess when AutoSSL runs. Thanks! 0 -
Hi @Peter Silver Yes, that's correct you would just paste the rewrite into your .htaccess file and it will redirect http -> https 0 -
Hi @Peter Silver Yes, that's correct you would just paste the rewrite into your .htaccess file and it will redirect http -> https
Hi Guys, many thanks, implemented it and everything seems fine. With your permission I'd like to make a short video tutorial to help others. If anybody would like to document the various lines functionality for newbies it would be most helpful!! Within the tutorial I'd also like some practical guidance on accessing the newly accessible secured site when clearing the browser cache is pretty daunting or doesn't seem to work. For my circumstances the easiest way was to include www.0 -
Hi @Peter Silver We appreciate that but there is quite a bit of information on this already and while you're more than welcome to create a tutorial for your own purposes I don't think it will be necessary to link it here. We also do like to keep links to outside sources to a minimum. Thanks! 0
Please sign in to leave a comment.
Comments
8 comments