Login [Register]
Don't have an account? Register now to chat, post, use our tools, and much more.
So, while most minor problems can be solved with a quick Google query, I think I am stuck with this one:
1) I need to rewrite all subdomains to the second level domain
2) I need to force all traffic to go via HTTPS
Example: http://abc.example.com/12345/ -> https://example.com/12345/

I did this:

Code:
RewriteEngine On
RewriteCond %{http_host} ^(.+)\.example.com [nc]
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]


And it seems to work fine, except if I input something like "https://abc.example.com" which somehow totally screws up. (EDIT: Let me elaborate: Using HTTPS and a subdomain makes it rewrite to HTTP and keep the subdomain.)

So, yeah, my knowledge in cryptography is not enough yet to decipher what these configs do, and Google can't help me either. Could someone slap something quick together here?
Quote:
1) I need to rewrite all subdomains to the second level domain
This is generally something that needs to happen in your Apache configuration, not in a .htaccess
Quote:
2) I need to force all traffic to go via HTTPS
A .htaccess will work fine for this, although it's still more expensive than if you were to use the Apache configuration.

I'll also invited people who have more intuition on such things to chime in.
KermMartian wrote:
Quote:
2) I need to force all traffic to go via HTTPS
A .htaccess will work fine for this, although it's still more expensive than if you were to use the Apache configuration.

I'll also invited people who have more intuition on such things to chime in.

HSTS comes to mind
Nik wrote:
1) I need to rewrite all subdomains to the second level domain
If this server only serves the one domain (or others are well-defined by domain name), I'd globally configure the server to redirect to the second level domain and put the actual contents in a virtual host block for the second level.

Quote:
2) I need to force all traffic to go via HTTPS
I agree, HSTS is the easy way to go about doing this; just configure the server to always return a Strict-Transport-Security header regardless of the (sub)domain. This would require that you have a known set of subdomains (to have a certificate for each) or a wildcard certificate.

If you can only have a certificate for HTTPS on the second-level domain, then only force HTTPS for that one.

Partially putting it all together, in the case where subdomains just redirect and don't do HTTPS themselves. HTTPS requests will be treated as for example.com without redirecting, but since the server can't present a valid certificate for those ignore the possibility.

Code:
# First listed vhost matches all requests for hosts that do not have matching ServerName directives,
# so this catches all HTTP and other subdomains.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent "/" "https://example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot "/www"
    Header always set Strict-Transport-Security "max-age=2592000"
    # See also: https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # Other stuff here
</VirtualHost>
Thanks for this advice!

However, since I am unsure how to use all that, would it be possible to do that configuration as a rewrite in the .htaccess file? It would probably be more understandable to me, and I would know how to use it...
Now that I did some more research and read through this again, I seem to understand what my problem was. I am using shared hosting, meaning my server is not mine but I just have a certain folder in it. I have full access to .htaccess but I don't think I can configure Apache itself... Or can I?
Nik wrote:
I don't think I can configure Apache itself... Or can I?
htaccess is a subset of configuration, but the short answer is no. You're limited to those directive that are specifically allowed in htaccess files (if you look at the Apache httpd reference manual every configuration directive says which contexts it's allowed in).

It is still possible to do what you're looking for, and with the clarification that it's a shared host mod_rewrite sounds like the best option despite the ickiness.

Adapting your original rules just slightly

Code:
RewriteCond %{HTTP_HOST} ! ^example.com
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

Untested, but I imagine this will work correctly. I've really only inverted the host match, which didn't work correctly because the leading (greedy) group would always consume the entire hostname and fail to match. It could be correctly expressed as ^[^.]+\.example.com, but I think a simple negative comparison is clearer.

It's possible this won't actually work for other reasons- you were exceedingly vague about what happens when it "somehow totally screws up."
Tari wrote:
It is still possible to do what you're looking for, and with the clarification that it's a shared host mod_rewrite sounds like the best option despite the ickiness.

Adapting your original rules just slightly
Code:
RewriteCond %{HTTP_HOST} ! ^example.com
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
This seems to fail for every test case in different ways. I may list them all if needed.


Tari wrote:
It's possible this won't actually work for other reasons- you were exceedingly vague about what happens when it "somehow totally screws up."

Code:
RewriteCond %{http_host} ^(.+)\.example.com [nc]
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

This (from my first post) seems to work for all cases except if I input an URL with HTTPS and a subdomain. Then it does strip the subdomain but rewrites to HTTP for some reason.
Nik wrote:

Code:
RewriteCond %{http_host} ^(.+)\.example.com [nc]
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

This (from my first post) seems to work for all cases except if I input an URL with HTTPS and a subdomain. Then it does strip the subdomain but rewrites to HTTP for some reason.

I'd guess your host is doing that, and it never hits your configuration. The server needs to present a certificate for any given domain you request and that needs to be configured in a way that you can't do yourself, so they're probably doing something.

What you can do is strongly dependent on what your host exposes for you to adjust.
  
Register to Join the Conversation
Have your own thoughts to add to this or any other topic? Want to ask a question, offer a suggestion, share your own programs and projects, upload a file to the file archives, get help with calculator and computer programming, or simply chat with like-minded coders and tech and calculator enthusiasts via the site-wide AJAX SAX widget? Registration for a free Cemetech account only takes a minute.

» Go to Registration page
Page 1 of 1
» All times are GMT - 5 Hours
 
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum