ansaurus

Question

Prepend 'www' to an HTTPS url using .htaccess & mod_rewrite

Answer 1

+1 A:

Can someone point out a way to add the www to the domain when the domain starts with HTTPS and not HTTP?

So you want this:

If the host does not start with www:
- If the connection is secure, do nothing. In this case you're already screwed anyway, because the user has already seen the host mismatch warning.
- If the connect is not secure redirect to https://www.%{HTTP_HOST}%{REQUEST_URI}

Your current rule:

RewriteCond %{HTTP_HOST} !^www\.
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This rule fails on you because it adds www no matter whether the connection is secure or not. Additionally, it keeps plain http the way it is (no forward to https://).

The rule that satisfy your requirements above is

#if the host does not start with www.
RewriteCond %{HTTP_HOST} !^www\.
#and the connection is not secure
RewriteCond %{HTTPS} =""
#forward
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301]

The L flag is unnecessary because a redirect ends the rewriting.

Artefacto 2010-05-25 11:36:52

Thanks Artefacto, this code clears some smoke for me, however to be clear I have another .htaccess file present on the non SSL directory which redirects to the https with no problem, even if the www is left out, it will prepend it and send the user to the secure site. The issue still lies with the secure directory.Are you telling me that no amount of rewrite rules can add the www prefix to the url if the user lands on https://mysite.co.za because the browser has checked the certificate before the rules are applied? I need to know if the only solution is to have two SSL Certificates?

webfac 2010-05-26 06:52:42

if the user goes to https://mysite.co.za, the certificate will be presented before the user sends the hostname he's requesting, so apache cannot decide certificate to send. You'd need not just another certificate, but another IP address as well. However, you can get a certificate that is valid both for mysite.co.za and www.mysite.co.za. Most current web browsers support those certificates.

Artefacto 2010-05-26 10:42:11

@Artefacto: Of course you can have two certificates, one for mysite.co.za and one for www.mysite.co.za as those are theoretically two different domain names. You do not need to have one common certificate that supports both domains.

webfac 2010-05-26 13:00:14

@webfac You do need to have a certificate that supports both domains if they resolve to the same IP address.

Artefacto 2010-05-26 13:57:08

Answer 2

A:

This doesn't answer your question, but it's certainly a way around the problem:

SSL certificates from Digicert will by default protect both WWW and non-WWW variants of the same domain. I don't know of any other mainstream certificate authority which does this - Digicert SSL Plus

Gareth 2010-05-26 07:17:26

Thanks for this, however the client has just bought a new Thawte certificate a month ago. Besides I'm not sure what the reputation of 'Digicert' is? There are alternatives, Thawte offer a 'Web Server' certificate where you can add variants of a domain name onto the certificate at a fraction of the cost of a new certificate. It's all one big money making market aint it! Thanks for your suggestions however, they don't go unnoticed.

webfac 2010-05-26 07:34:52

Fair enough, and it's tough if you've just bought a new certificate (there may be a grace period). If you can take my word for it (I don't work for them, I'm just a webdev), Digicert are pretty top notch. They're supported in all web browsers, they're a fraction of the price of Thawte/Verisign, and they've got the best support in the world (I've never had a question they couldn't answer on the spot in live-chat, and they sent me a t-shirt trans-Atlantic, with a hand-written letter, just because one of our clients tweeted that I'd recommended them to him).

Gareth 2010-05-26 15:14:21

ansaurus

tags:

views:

answers:

Prepend 'www' to an HTTPS url using .htaccess & mod_rewrite

related questions