Created August 28, 2018 18:23
htaccess Force HTTPS and WWW - Subdomain friendly - Dynamic
```apache
Options -Indexes

RewriteEngine On

# This goes first!
# Force www prefix
RewriteCond %{HTTP_HOST} !^(www\.)(.*) [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

# This goes second!
RewriteCond %{HTTPS} !=on
# Exclude SSL validation paths
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
# Force HTTPS
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
```
This htaccess file is intended to sit directly in your webroot. Its goal is to maintain a baseline of minimum expectations. Force `https` and `www` dynamically (not reliant on hard-coded domains) while making only 1 redirect, and not breaking sub-domains! A lot of code out there makes 2 requests, breaks sub-domains, and/or uses a hard-coded domain.

This can be placed inside the webroot of your sub-domains as well. In newer cPanel setups, the "Add-on Domains" are being placed above the `public_html` directory anyways, so it would be required there too.

Today, ALL domains should be `https`. There is no excuse for it anymore. Soon, Google will smack all of you who haven't made the switch. I even use it by default on my localhost for dev use. I created a script to really help with creating certs for your local domains, called CertMagic. Check out its repo here. It is only compatible with the latest Mac OSX right now, but it may be a life saver for those who are.

You can use LetsEncrypt to get a free SSL Certificate. If your host doesn't support LetsEncrypt, or provide one to you free of charge, then change hosts. You only need to buy an SSL certificate if the data you're handling has sensitive information, like Bank Information, Credit Card info, SSN, etc. Your basic websites don't really need all of that, even if you integrate with a 3rd party like PayPal/Stripe. Unless you handle the CC info on your site directly (your own checkout form, not theirs).

The `Options -Indexes` is optional, though it is recommended for production to prevent people from navigating to a folder and seeing all the contents.

There are 2 sections, and they are order dependent. The first is from the comment `# This goes first!` all the way to before the second comment, `# This goes second!`. The second is from the second comment all the way to the end of this file.

The `.well-known` entries are for allowing SSL validation. This is done via `http`, so we don't want it redirecting to `https`. It doesn't matter if it gets redirected to `www`.
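An added example, not part of the gist or the author's comment: a small Python model of the two rule blocks that follows the redirects for a set of constructed requests, so the hop count and the reach of the `.well-known` exemption can be checked before deploying. It assumes `SERVER_NAME` equals the `Host` header and that the file sits in the webroot; the function names and sample hosts are made up for the illustration.

```python
import re

# Constructed model of the two rule blocks in the gist; this is not Apache itself.
# Assumption: SERVER_NAME equals the Host header (no canonical name override).
VALIDATION_PATHS = [
    re.compile(r"^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$"),
    re.compile(r"^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$"),
    re.compile(r"^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?: Comodo DCV)?$"),
]

def rewrite(scheme, host, path):
    """Return the redirect URL the rules would issue, or None to serve the request."""
    rel = path[1:]  # per-directory rules match the path without its leading slash
    # Block 1: any host without the www. prefix goes to https://www.<host>/...
    if not re.match(r"^(www\.)(.*)", host, re.IGNORECASE):
        return f"https://www.{host}/{rel}"
    # Block 2: plain http goes to https unless the path is a validation path
    if scheme != "https" and not any(p.search(path) for p in VALIDATION_PATHS):
        return f"https://{host}/{rel}"
    return None

def follow(scheme, host, path, limit=5):
    """Follow redirects through the model; return (final_url, hop_count)."""
    hops, url = 0, f"{scheme}://{host}{path}"
    while hops < limit:
        target = rewrite(scheme, host, path)
        if target is None:
            break
        scheme, host, path = re.match(r"^(https?)://([^/]+)(/.*)$", target).groups()
        url, hops = target, hops + 1
    return url, hops

# Constructed sample requests (hosts and token are placeholders).
TOKEN = "/.well-known/acme-challenge/abc123_-XYZ"
SAMPLES = [
    ("http", "example.com", "/page"),
    ("http", "www.example.com", "/page"),
    ("https", "example.com", "/page"),
    ("http", "www.example.com", TOKEN),
    ("http", "example.com", TOKEN),
    ("http", "shop.example.com", "/cart"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", follow(*sample))
```

In this model the validation paths are served over plain `http` only when the request already carries the `www.` host; on a bare host the first block answers with a redirect to `https://www.` before the exclusions are evaluated.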