Sunday, November 18, 2018

redirect http to https using .htaccess failing



I have a website which uses CloudFlare flexible SSL hosted on HostGator.



I want to redirect all HTTP requests to corresponding HTTPS URL. No exceptions. I intend to put the rule at top with L, so when it’s handled all following rewrite rules should not be tested.




My current code is this:



RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]


But that results in endless redirects to the HTTPS version. Here is Firefox Live HTTP Headers:





https://example.net/



GET / HTTP/1.1
Host: example.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: da,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1



HTTP/2.0 301 Moved Permanently
Date: Wed, 15 Feb 2017 15:20:35 GMT
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: __cfduid=d07edac1644bccce1642d2c845767f9951487172035; expires=Thu, 15-Feb-18 15:20:35 GMT; path=/; domain=.example.net; HttpOnly
Location: https://example.net/
Server: cloudflare-nginx
cf-ray: 3319bea4dd2f3cfb-CPH
X-Firefox-Spdy: h2






http://ocsp.digicert.com/




POST / HTTP/1.1
Host: ocsp.digicert.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: da,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Length: 83
Content-Type: application/ocsp-request
DNT: 1
Connection: keep-alive 0Q0O0M0K0I0 +



HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=172800
Content-Type: application/ocsp-response
Date: Wed, 15 Feb 2017 15:20:35 GMT
Etag: "58a44f61-1d7"
Expires: Wed, 22 Feb 2017 03:20:35 GMT
Last-Modified: Wed, 15 Feb 2017 12:53:53 GMT
Server: ECS (arn/459D)
X-Cache: HIT
Content-Length: 471






https://example.net/



GET / HTTP/1.1
Host: example.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: da,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Cookie: __cfduid=d07edac1644bccce1642d2c845767f9951487172035
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1




HTTP/2.0 301 Moved Permanently
Date: Wed, 15 Feb 2017 15:20:35 GMT
Content-Type: text/html; charset=iso-8859-1
Location: https://example.net/
Server: cloudflare-nginx
cf-ray: 3319bea7ddfb3cfb-CPH
X-Firefox-Spdy: h2






https://example.net/



GET / HTTP/1.1
Host: example.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: da,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Cookie: __cfduid=d07edac1644bccce1642d2c845767f9951487172035
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1



HTTP/2.0 301 Moved Permanently
Date: Wed, 15 Feb 2017 15:20:36 GMT
Content-Type: text/html; charset=iso-8859-1
Location: https://example.net/
Server: cloudflare-nginx
cf-ray: 3319beaaae7e3cfb-CPH
X-Firefox-Spdy: h2





I have seen other similar questions, but most suggested solutions are a variation of what I currently use, and I have tried them (but do please feel free to recommend whatever worked for you, and I will try it).


Answer




Cloudflare Flexible SSL: secure connection between your visitor and CloudFlare, but no secure connection between CloudFlare and your web server. You don't need to have an SSL certificate on your web server, but your visitors still see the site as being HTTPS enabled. Source




Because you redirect to HTTPS from your server, rather than with a Cloudflare page rule, even HTTPS requests by the client will still always trigger the redirect rule.



1. Client ---> HTTP ----> Cloudflare CDN ----> HTTP ----> Your server
                                                               |
          <------- Response: Redirect to HTTPS               <-

2. Client ---> HTTPS ----> Cloudflare CDN ----> HTTP ----> Your server
                                                               |
          <------- Response: Redirect to HTTPS               <-

3. Client ---> HTTPS ----> Cloudflare CDN ----> HTTP ----> Your server
                                                               |
          <------- Response: Redirect to HTTPS               <-



Cloudflare doesn't talk HTTPS to your webserver and that creates an Infinite Redirect loop.



To resolve that you'll need to remove the redirect from your .htaccess file and set up a Cloudflare page rule instead.
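
A small model of the request path in the diagrams above, as an added example that is not part of the original answer: it follows redirects through a Flexible SSL edge that always reaches the origin over HTTP, first with the question's %{HTTPS} off rule at the origin and then with the redirect issued at the edge instead. The function names, the hop limit and the simplified edge behaviour are assumptions made for the illustration.

```python
# Constructed, simplified model of Client -> Cloudflare (Flexible SSL) -> origin.
from urllib.parse import urlsplit

MAX_HOPS = 10  # assumed limit; browsers stop after a bounded number of redirects


def origin_htaccess_rule(origin_scheme, host, path):
    """The question's rule: RewriteCond %{HTTPS} off -> redirect to https."""
    if origin_scheme == "http":  # what %{HTTPS} off tests at the origin
        return 301, f"https://{host}{path}"
    return 200, None


def origin_no_redirect(origin_scheme, host, path):
    """Origin after the redirect has been removed from .htaccess."""
    return 200, None


def flexible_edge(url, origin, edge_redirects_http=False):
    """Flexible SSL: whatever scheme the client used, the origin sees HTTP."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if edge_redirects_http and parts.scheme == "http":
        # Redirect answered at the edge (the page-rule approach); origin not contacted.
        return 301, f"https://{parts.netloc}{path}"
    return origin("http", parts.netloc, path)


def follow(url, origin, edge_redirects_http=False):
    """Follow redirects like a browser; return (final_status, hops, looped)."""
    seen = {url}
    for hops in range(MAX_HOPS):
        status, location = flexible_edge(url, origin, edge_redirects_http)
        if status != 301:
            return status, hops, False
        if location in seen:  # redirected to a URL already requested
            return status, hops + 1, True
        seen.add(location)
        url = location
    return 301, MAX_HOPS, True


if __name__ == "__main__":
    print(follow("http://example.net/", origin_htaccess_rule))
    print(follow("http://example.net/", origin_no_redirect, edge_redirects_http=True))
```

The first call reports a loop because the origin's view of the scheme never changes; the second ends with a 200 after a single redirect issued at the edge.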

