I have a dilemma with this one. With the following code I am able to force SSL on any non-SSL URL; however, when the user (or a result from Google) goes to http://mysite.co.za, we hit an issue, as the URL is then rewritten to https://mysite.co.za.

Because my certificate is bound to www.mysite.co.za, it immediately throws a security error because of the missing 'www' in the URL.

Can someone point out a way to add the www to the domain when the domain starts with HTTPS and not HTTP?

Much appreciated.

And the current code to add the https:// is as follows:

# only for hosts that do not already start with www.
RewriteCond %{HTTP_HOST} !^www\.
# %{HTTPS}s reads "ons" on an SSL connection and "offs" otherwise, so %1
# captures "s" only when the request already came in over HTTPS
RewriteCond %{HTTPS}s ^on(s)|
# prepend www. and keep the original scheme (http%1 expands to http or https)
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
A: 

Can someone point out a way to add the www to the domain when the domain starts with HTTPS and not HTTP?

So you want this:

  • If the host does not start with www:
    • If the connection is secure, do nothing. In this case you're already screwed anyway, because the user has already seen the host mismatch warning.
    • If the connection is not secure, redirect to https://www.%{HTTP_HOST}%{REQUEST_URI}

Your current rule:

RewriteCond %{HTTP_HOST} !^www\.
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This rule fails on you because it adds www no matter whether the connection is secure or not. Additionally, it keeps plain http the way it is (no forward to https://).

The rule that satisfies your requirements above is

#if the host does not start with www.
RewriteCond %{HTTP_HOST} !^www\.
#and the connection is not secure (%{HTTPS} is "on" or "off", never empty,
#so test for anything other than "on")
RewriteCond %{HTTPS} !=on
#forward
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301]

The L flag is unnecessary because a redirect ends the rewriting.

Artefacto
Thanks Artefacto, this code clears some smoke for me; however, to be clear, I have another .htaccess file present in the non-SSL directory which redirects to https with no problem: even if the www is left out, it will prepend it and send the user to the secure site. The issue still lies with the secure directory. Are you telling me that no amount of rewrite rules can add the www prefix to the URL if the user lands on https://mysite.co.za, because the browser has checked the certificate before the rules are applied? I need to know if the only solution is to have two SSL certificates?
webfac
If the user goes to https://mysite.co.za, the certificate will be presented before the user sends the hostname he's requesting, so Apache cannot decide which certificate to send. You'd need not just another certificate, but another IP address as well. However, you can get a certificate that is valid for both mysite.co.za and www.mysite.co.za. Most current web browsers support those certificates.
Artefacto
@Artefacto: Of course you can have two certificates, one for mysite.co.za and one for www.mysite.co.za as those are theoretically two different domain names. You do not need to have one common certificate that supports both domains.
webfac
@webfac You do need to have a certificate that supports both domains if they resolve to the same IP address.
Artefacto
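The comments above come down to one point: no rewrite rule can help a visitor who lands on https://mysite.co.za, because the certificate is checked during the TLS handshake, before Apache ever sees the Host header, so the certificate itself has to name both hosts. The script below is an added example, not code from the question or from either answer. It builds two throw-away self-signed certificates with openssl, one naming only www.mysite.co.za (the asker's situation) and one naming both hosts (what the comment suggests), and checks each hostname against them with the same subjectAltName matching rules a browser applies. The file names, the self-signed test certificates and the third "evil.example" hostname are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): show which hostnames a
# certificate covers, using openssl's built-in hostname check.
set -eu

# make_cert OUTFILE CN SAN_LIST
#   Writes a one-day self-signed certificate to OUTFILE whose subjectAltName
#   is SAN_LIST, e.g. "DNS:www.mysite.co.za, DNS:mysite.co.za".
#   Test certificate only; a real one comes from the CA with the same SANs.
make_cert() {
    out=$1; cn=$2; sans=$3
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ext
prompt             = no
[dn]
CN = $cn
[ext]
subjectAltName = $sans
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "${out%.pem}.key" -out "$out" -config "$cfg" 2>/dev/null
    rm -f "$cfg"
}

# show_sans CERTFILE
#   Prints the DNS names listed in the certificate's subjectAltName.
show_sans() {
    openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^,]*' | tr '\n' ' '
}

# cert_covers_host CERTFILE HOSTNAME
#   Returns 0 if the certificate is valid for HOSTNAME, 1 otherwise.
#   openssl prints "does match" or "does NOT match"; only the former is
#   matched by the grep, so the exit status is the verdict.
cert_covers_host() {
    openssl x509 -noout -in "$1" -checkhost "$2" | grep -q 'does match'
}

# Demo: the asker's www-only certificate versus one that names both hosts.
work=$(mktemp -d)
make_cert "$work/www-only.pem" www.mysite.co.za "DNS:www.mysite.co.za"
make_cert "$work/both.pem"     www.mysite.co.za "DNS:www.mysite.co.za, DNS:mysite.co.za"

for cert in www-only both; do
    echo "$cert.pem SANs: $(show_sans "$work/$cert.pem")"
    for host in www.mysite.co.za mysite.co.za evil.example; do
        if cert_covers_host "$work/$cert.pem" "$host"; then
            echo "  https://$host  -> accepted"
        else
            echo "  https://$host  -> certificate error in the browser"
        fi
    done
done
rm -rf "$work"
```

The www-only certificate fails for mysite.co.za exactly as described in the question, and nothing in .htaccess runs early enough to change that; the certificate with both names passes for both hosts. To run the same check against a live server instead of a local file, fetch the certificate first: `openssl s_client -connect mysite.co.za:443 -servername mysite.co.za </dev/null 2>/dev/null | openssl x509 -noout -checkhost mysite.co.za`.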
A: 

This doesn't answer your question, but it's certainly a way around the problem:

SSL certificates from Digicert will by default protect both WWW and non-WWW variants of the same domain. I don't know of any other mainstream certificate authority which does this - Digicert SSL Plus

Gareth
Thanks for this; however, the client has just bought a new Thawte certificate a month ago. Besides, I'm not sure what the reputation of 'Digicert' is. There are alternatives: Thawte offer a 'Web Server' certificate where you can add variants of a domain name onto the certificate at a fraction of the cost of a new certificate. It's all one big money-making market, ain't it! Thanks for your suggestions, however; they don't go unnoticed.
webfac
Fair enough, and it's tough if you've just bought a new certificate (there may be a grace period). If you can take my word for it (I don't work for them, I'm just a webdev), Digicert are pretty top notch. They're supported in all web browsers, they're a fraction of the price of Thawte/Verisign, and they've got the best support in the world (I've never had a question they couldn't answer on the spot in live-chat, and they sent me a t-shirt trans-Atlantic, with a hand-written letter, just because one of our clients tweeted that I'd recommended them to him).
Gareth