This might sound like a stupid question to some, but I've only just noticed it while trying to implement an SSL certificate to my site.
There's a default value in the 'out of the box' .htaccess file:
# Rewrite "www.example.com -> example.com"
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
Am I right in thinking this code forces the removal of the www. part of the canonical links on my website?
If so - is this really best practice? Is that why the base_url example in the Config/App.php is http://example.com?
Secondly, as I mentioned, I'm trying to add this code to the .htaccess file to implement the SSL certificate and force https for every URL - but it's causing an error if I use www. (whereas it didn't cause an error before) and my speed tests are indicating redirects galore which is slowing everything down:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Is anyone able to point me in the right direction with the correct canonical link structure for the base_url in the Config/App.php file, whether I need to alter (or scrap) the first snippet of code, and how I can force https to work with my SSL certificate (and www. in my URLs).
I would much rather my URLs had the structure of https://www.example.com as opposed to https://example.com
Am I right in thinking this code forces the removal of the www.
Yes, but only for HTTP (not HTTPS) requests, as governed by the first condition %{HTTPS} !=on.
If you are implementing HTTPS then you should remove the first condition and change the RewriteRule substitution string to redirect to https://.... But if you are wanting to redirect to www then you'll need to reverse the logic also:
# Redirect "example.com -> www.example.com"
# (In fact, redirect hostname that does not start "www.")
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Although, this particular method (as I've implied in the comment) will not necessarily work if you have other subdomains, unless you want all subdomains to have www sub-subdomains?!
Note that this is an external "redirect", not an internal "rewrite" as you'd stated in the comment.
If so - is this really best practice?
In terms of SEO or from a technical perspective? In terms of SEO there is no difference. Using a www subdomain can arguably have some technical benefits (isolating cookies and staging sites, etc.) - although this is mostly a matter of opinion and depends on your environment. It is really up to you. For some domain names, using a www subdomain just looks cumbersome.
But what is important is that you choose one or the other and redirect to the canonical URL in order to avoid potential duplicate content issues.
Using the domain apex (ie. no www subdomain) is simply CodeIgniters default.
force https for every URL - but it's causing an error if I use www.
To clarify, the SSL cert you implement must include both the domain apex, ie. exmaple.com and the www subdomain, ie. www.example.com. Otherwise, you will naturally get browser security warnings when requesting the "other" (non-SSL) hostname.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This code is generally OK to force HTTP to HTTPS (providing the SSL cert is installed on your application server, ie. you're not using a front-end SSL proxy or non-standard implementation). However, the order you put this rule in relation to the rule above will depend on whether you intend to implement HSTS or not.
If you are intending to implement HSTS then you will need to redirect to HTTPS on the same host first, before the redirect to www. This will result in an unavoidable double redirect when requesting the non-canonical http://example.com/ (but that is not "bad").
For example:
# 1. Redirect to HTTPS on the same host
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# 2. Redirect to non-www to www
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
If, however, you are not intending to implement HSTS then you can reverse the two rules above and get at most one redirect for any non-canonical URL request.
You need to update the CodeIgniter base_url to match your preference of www or not.
Related
Site audits (Semrush, Seobility) point out that one of our biggest issues is duplicate content, stating that "This website uses URLs with www and non-www subdomain. This may cause duplicate content and bad links to your website."
So, basically www.oursite.com/about and oursite.com/about are counted as duplicate:
The site is built in PHP with the Slim framework. A middleware handles the use of https across the whole site. In addition, currently we have an .htaccess as follows:
RewriteCond %{HTTP_HOST} ^(www\.)?oursite\.com$ [NC]
RewriteRule ^(?!public)(.*)$ /public/$1 [L]
This code manages the routing of all pages through the public folder.
How can we edit this code in order to avoid www and non-www addresses being counted as duplicates?
Our preference would be without www.
Assuming you're not linking to absolute URLs in your HTML source (which would need to be updated) then you could add something like the following before your existing rewrite:
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule (.*) https://example.com/$1 [R=301,L]
If the requested host starts www. then redirect to the canonical URL.
A middleware handles the use of https across the whole site.
Just to note that this may result in 2 redirects when requesting http://www.example.com/ (HTTP + www). But that isn't necessarily a bad thing.
The following lines prevent .htaccess and .htpasswd files from being
Ex. I open https://cctvinstallationpune.com via browser
I am trying to redirect my site to always open in HTTPS. I am using CloudFlare and they have a setting to "Always use HTTPS". But there is a page on my website where I do not want to use HTTPS as it opens other websites under an iFrame. And if that page also loads in HTTPS then under iFrame any website whose URL hasn't been mentioned with HTTPS doesn't open. Therefore, for that particular page I want to keep the website to be opened under HTTP.
Things I am doing:
In CloudFlare Crypto settings "Always Use HTTPS" is ON.
Then in my page where I want it to opened under HTTP say surf.php
I am using the following PHP code:
if($_SERVER['HTTP_HOST'] != 'localhost'){
if(isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'on'){
if(!headers_sent()){
header("Status: 301 Moved Permanently");
header(sprintf('Location: http://%s%s',$_SERVER['HTTP_HOST'],$_SERVER['REQUEST_URI']));
exit();
}
}
}
Now the page doesn't open and says "The page isn’t redirecting properly". What should I do? Is there any other method to accomplish this? I want to use HTTPS in whole website so "Always use HTTPS" settings in cloudflare should be ON except just surf.php. What should be the best method here?
It sounds like you are in a redirect loop. Where you have a .htaccess file that forces HTTPS, and then you redirect to HTTP using PHP. Then that new request has all the same rules applied to it so that it gets redirected by .htaccess again to HTTPS, and so on (to infinity)
So I would first make sure your not forcing HTTPS in your .htaccess file. If so you can add a RewriteCond to exclude your URL:
#RewriteEngine On #-- if not included elsewhere
#if HTTPS is not on (then continue)
RewriteCond %{HTTPS} !=on
#add this rule in (if not our page, then redirect to HTTPS)
RewriteCond %{REQUEST_URI} !^/surf\.php$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
When mod rewrite hits a Rewrite condition if it fails (is false) it will disregard the next rewrite rule. So with this in place your PHP code could do it's job, but you can also do this in htaccess alone. Because you will have dependence on the URL in there anyway, I don't see an issue doing it all in the .htaccess file.
This would basically be the opposite of the above except you know the url. Something like this:
#if HTTPS is not on (then continue)
RewriteCond %{HTTPS} !=on
#add this rule in (if not our page, then redirect to HTTPS)
RewriteCond %{REQUEST_URI} !^/surf\.php$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#if HTTPS is not off (then continue)
RewriteCond %{HTTPS}!=off
# (if is our page, then redirect to HTTP)
RewriteCond %{REQUEST_URI} ^/surf\.php$
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
I can't really test this though, but that's the general idea. If HTTPS is no off, and the %{REQUEST_URI} is our page !^/surf.php$ redirect to HTTP... Basically you have to punch a hole through the HTTPS rule and then force http.
I am pretty sure with %{REQUEST_URI} you only have to check if it starts with your URL (minus the host and protocal).
I'll admit I'm a bit rusty with complex HTACCESS rules, spoiled by MVC routers, so this may very well not be 100% correct. But the general idea is sound.
Anyway hope it helps.
We have a section of our site which uses https to login securely, however when you visit this page and click away, you continue to view the site in HTTPS. This causes display issues on any pages using the http://www.domain.com/news/ URL.
How can we force all pages under the http://www.domain.com/news/ folder to use HTTP rather than HTTPS?
It's the opposite of requiring https, so with the condition of https on, rewrite this specific dir with deeper path to the http version.
RewriteEngine on
RewriteCond %{HTTPS} on
RewriteRule ^news/(.*) http://%{SERVER_NAME}/news/$1 [L]
Instead of SERVER_NAME, you can use HTTP_HOST when your site is accessed with a server-alias and you don't want to change that.
Be aware that links to https-requiring pages should be use https explicitly, or have a rewrite-rule of their own.
Place this 301 redirect rule in /news/.htaccess:
RewriteEngine on
RewriteBase /news/
RewriteCond %{HTTPS} on
RewriteRule ^ http://%{HTTP_HOST}/%{REQUEST_URI} [L,R=301,NE]
My problem is that a particular webpage (where I start a php session) can be loaded either with www.mywebpage.com or just mywebpage.com
And due to how my application works I need it to be an static one. otherwise I can have 2 sessions created (one with www and other without it) and that messes up my data.
I know I can name the session but I wonder if there's a way to force the page to always load with or without the www. prefix? so that the session will always be www.mywebpage.com?
I would suggest that you use a rewrite rule to achieve this result.
Inside of your .htaccess file for the virtual host directory in question add the following:
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
This will validate what protocol you are using, check the host value and redirect in a somewhat dynamic way.
I trust this helps.
P.S Please reference this article: .htaccess - how to force "www." in a generic way?
User clicks link (from their email): http://www.site.com/edit/wih293f73y
Browser window opens and gets them to the correct page.
But now the browser's address bar shows: http://www.site.com/editor.php?editCode=wih293f73y
Extra info:
My rewrite rule is:RewriteRule ^edit/([A-Za-z0-9-]+)/?$ editor.php?editCode=$1 [NC,L]
This problem ONLY occurs when the user has clicked a link. It works perfectly when you just type the pretty url into the address bar.
This problem ONLY occurs for links that include the www. - the link http://site.com/edit/wih293f73y works like a charm.
My .htaccess file includes the following code (from HTML5 boilerplate, which I wasn't aware of previously):
# Rewrite www.example.com → example.com
<IfModule mod_rewrite.c>
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
</IfModule>
If it's important, this occurs after my other rewrite rules.
I just took a look and it is apparent that your www rules is causing this. Question is do you want it be fixed? If you do then move this rule on top of all other rules and your problem should be fixed.
Move this to top of all other rules
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
You can use use the redirect directive
redirect 301 ^edit/([A-Za-z0-9-]+)/?$ editor.php?editCode=$1
There are some pros and cons to this strategy. The pros being;
It's super fast. You don't even need to load up your application for this to work.
It's minimal code.
Redirects are an intrinsic part of Apache (or any http server) and aren't going anywhere soon.
The cons being;
It's not part of your application proper. Should you decide to change logic or URLs, you'll have to change this, too.
It's slower, as you need to invoke php, as opposed to just having Apache issue the redirect.