Correct way to redirect HTTP to HTTPS?

Discussion in 'Security' started by Rogerio, Jul 26, 2018.

  1. Rogerio

    Rogerio Active Member

    Joined:
    Sep 26, 2016
    Messages:
    41
    Likes Received:
    4
    Trophy Points:
    8
    Location:
    Sao Paulo, Brazil
    cPanel Access Level:
    Root Administrator
    Hello,

    I want to redirect all HTTP sites to HTTPS. No more insecure accesses. So, http://example.com/bar/?x=2 goes to https://example.com/bar/?x=2 (all folders + parameters).

    About .htaccess, I found

    Code:
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

    But now I'm concerned about SSL cert renewals, Comodo & Let's Encrypt... so I found on Google:

    Code:
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [L,R=301]

    So, what's the correct way to do this? Can cPanel do this automatically?

    Thanks
     
    #1 Rogerio, Jul 26, 2018
    Last edited by a moderator: Jul 26, 2018
  2. Peter Smith

    Peter Smith Registered

    Joined:
    Jul 1, 2018
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    United Kingdom
    cPanel Access Level:
    Root Administrator
    Hi

    The .htaccess doesn't care where you get the SSL cert from. The best way I have found to use only SSL is
    Code:
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{HTTP_HOST} ^(www\.)?foo\.com
    RewriteRule ^(.*)$ https://www.foo.com/$1 [R,L]

    Thanks
    Peter
     
  3. Nate Reist

    Nate Reist Member

    Joined:
    Jul 20, 2018
    Messages:
    8
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Michigan
    cPanel Access Level:
    Root Administrator
    The second one looks to be doing pretty much the same thing as the first, just excluding requests that start with the directories for SSL verification purposes, assuming %{HTTP_HOST} and www.foo.com are the same. I would think you could use a hybrid of the two, or just the second one. You'd need to test this, but it might work:

    Code:
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    If you were to translate that to plain English, I would think this says:

    If HTTPS is not on AND the request isn't in a directory starting with this regex [0-9]+\..+\.cpaneldcv AND isn't in the directory path starting with .well-known/pki-validation then redirect this request permanently ( 301 ) to the https version of this request.

    Does that make sense?
     
    Peter Silver and Rogerio like this.
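
    The rule set discussed above can be checked offline before it goes into .htaccess. The following is an added example, not part of the original thread and not cPanel's code: a simplified Python model of the three RewriteCond lines, run against constructed sample requests. The function name `redirect_target` and all sample file names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Exclusion patterns copied from the RewriteCond lines in the thread.
# Without an [NC] flag, mod_rewrite matches them case-sensitively.
DCV_EXCLUSIONS = [
    re.compile(r"^/[0-9]+\..+\.cpaneldcv$"),
    re.compile(r"^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$"),
]

def redirect_target(url):
    """Return the 301 target for `url`, or None if the request is served as-is.

    Simplified model: the RewriteCond lines are ANDed, REQUEST_URI is the
    path without the query string, and the query string is appended to the
    target because the substitution contains no '?'.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.scheme == "https":                       # %{HTTPS} !=on is false
        return None
    if any(p.search(path) for p in DCV_EXCLUSIONS):   # a negated condition is false
        return None
    target = "https://" + parts.netloc + path         # %{HTTP_HOST}%{REQUEST_URI}
    return target + ("?" + parts.query if parts.query else "")

# Constructed sample requests (hypothetical file names).
SAMPLES = [
    "http://example.com/bar/?x=2",
    "https://example.com/bar/?x=2",
    "http://example.com/1234567890.token.cpaneldcv",
    "http://example.com/sub/1234567890.token.cpaneldcv",
    "http://example.com/.well-known/pki-validation/0123456789ABCDEF0123456789ABCDEF.txt",
    "http://example.com/.well-known/pki-validation/0123456789abcdef0123456789abcdef.txt",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", redirect_target(url) or "served over HTTP (no redirect)")
```

    Both patterns are anchored: only a .cpaneldcv file directly in the document root and an upper-case 32-character hex file name under .well-known/pki-validation are exempt, so the sub-directory and lower-case samples are redirected like any other request.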
  4. Rogerio

    Rogerio Active Member

    Joined:
    Sep 26, 2016
    Messages:
    41
    Likes Received:
    4
    Trophy Points:
    8
    Location:
    Sao Paulo, Brazil
    cPanel Access Level:
    Root Administrator
    Hey there, thanks.

    Yes, I agree, %{HTTP_HOST} can replace the domain directly.

    Probably the 2 lines are necessary. "cpaneldcv" for some cPanel service and ".well-known" to renew the SSL cert(s).

    Is there no way for cPanel to do this automatically? Will cPanel fail to renew the SSL cert if I use the first one?
     
  5. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,137
    Likes Received:
    222
    Trophy Points:
    173
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi guys,


    With cPanel v74 which is now in CURRENT, we are also implementing a fallback to DNS DCV checks in the event the HTTP DCV check fails. This should alleviate any issues where the .htaccess exception added to the redirect doesn't allow the DCV check to complete.

    @Rogerio

    The exception rule you're referencing should be added automatically to redirects in the .htaccess when AutoSSL runs.

    Thanks!
     
    Rogerio likes this.
  6. Peter Silver

    Peter Silver Registered

    Joined:
    Aug 2, 2018
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    London
    cPanel Access Level:
    Website Owner
    So as a complete newbie in this area can I just confirm with cPanel V72 that I copy and insert the code into the beginning of .htaccess file (after making it visible!) and websites with subdomains all change from http to https access?
     
  7. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,137
    Likes Received:
    222
    Trophy Points:
    173
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Peter Silver

    Yes, that's correct. You would just paste the rewrite into your .htaccess file and it will redirect http -> https.
     
  8. Peter Silver

    Peter Silver Registered

    Joined:
    Aug 2, 2018
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    London
    cPanel Access Level:
    Website Owner
    Hi Guys, many thanks, implemented it and everything seems fine. With your permission I'd like to make a short video tutorial to help others. If anybody would like to document the various lines' functionality for newbies it would be most helpful!! Within the tutorial I'd also like some practical guidance on accessing the newly accessible secured site when clearing the browser cache is pretty daunting or doesn't seem to work. For my circumstances the easiest way was to include www.
     
  9. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,137
    Likes Received:
    222
    Trophy Points:
    173
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Peter Silver

    We appreciate that but there is quite a bit of information on this already and while you're more than welcome to create a tutorial for your own purposes I don't think it will be necessary to link it here. We also do like to keep links to outside sources to a minimum.

    Thanks!
     