Force HTTP Redirect - from WHM?

[tptompkins]

Hello,

Inside cPanel in the Domains section, there is an option to "Force HTTPS Redirect". I'm curious if there is an option to control this from the WHM side of things instead of having to go into the cPanel account to turn this on?

Also, is there a way to default this to on for all newly provisioned accounts?

Thanks,

Tommy

 

[cPRex]

Hey there! Currently there is not a way to do this from the WHM level, although that sounds like a great feature request to submit using the link in my signature below.

The redirect button only appears if the domain has an SSL installed. Since the AutoSSL installation doesn't happen instantly when the account is created, as active DNS is required for AutoSSL to run, there isn't a way to ensure that is turned on by default at the time the account is created.

 

[tptompkins]

Thank you for the info. However, I'm having an issue how where if I turn on Force HTTPS Redirect from the Domains section inside cPanel, within a couple minutes of doing this the site starts producing "too many redirects" errors:

ERR_TOO_MANY_REDIRECTS

If I turn off force https redirect, it starts working fine again. This is only happening with one specific account on my server and I'm not sure why. Any ideas?

Thanks,

Tommy

 

[kodeslogic]

Can you let us know the contents of the .htaccess file by replacing references to real domain names with examples

 

[tptompkins]

Can you let us know the contents of the .htaccess file by replacing references to real domain names with examples

I have my hosting provider (LiquidWeb) working on it but they can't seem to figure it out. They ended up putting their own .htaccess file on the account which seems to help but then I'm not using the switch inside cPanel and force https redirect is turned off. This is what they have in there now:

#RewriteEngine On
#RewriteCond %{HTTP_HOST} !^www\.
#RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#RewriteCond %{HTTPS} off
#RewriteCond %{HTTP:X-Forwarded-Proto} !https
#RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

But I just checked and it's still not working. You can try yourself by trying to load [REDACTED]

 

[tptompkins]

Now LiquidWeb is telling me that it has something to do with CloudFlare and they pointed me to this:

Removing a domain from Cloudflare

Learn how to remove a domain from your Cloudflare account. Once you remove your domain, your site no longer benefits from Cloudflare’s security, speed, and reliability. Before removing your domain ...

support.cloudflare.com

I honestly don't know anything about CloudFlare. Does this seem accurate to you?

 

[kodeslogic]

Yes, I can see you are using Cloudflare so you may have settings enable for HTTPS rewrite there as well.

Try commenting:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

and turn off "Force HTTPS Redirect" from cpanel interface. let me know how it goes.

 

[tptompkins]

I turned off force https redirect inside cpanel and have this for my .htaccess file contents but I still get too many redirects. If I remove the .htaccess file it loads fine.

#RewriteEngine On
#RewriteCond %{HTTP_HOST} !^www\.
#RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#RewriteCond %{HTTPS} off
#RewriteCond %{HTTP:X-Forwarded-Proto} !https
#RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

 

[kodeslogic]

I think you have taken corrective steps as I see the concerned subdomain loading fine

 

[tptompkins]

I think you have taken corrective steps as I see the concerned subdomain loading fine

Yes and no because I'm back to where I originally started. I want to force https redirects but I still can't :/

 

[cPRex]

Is your site using any tools like WordPress or other CMS software? If so, it's often best to handle the redirection with a plugin designed for that specific software to avoid redirection errors.

 

[kodeslogic]

When I browse your concerned sub-domain without https I am landing to https://your-sub-domain.com/somefolder

Can you give try once by clearing the browser cache or try in another browser?

 

[cPRex]

The subdomain is also loading normally for me at this time, as I get taken to a page with what seems like 11 photo albums.

 

[tptompkins]

Is your site using any tools like WordPress or other CMS software? If so, it's often best to handle the redirection with a plugin designed for that specific software to avoid redirection errors.

Nope, no Wordpress. Just RedCart which is a gallery / shopping cart app for pro photographers. (I'm the developer)

 

[tptompkins]

When I browse your concerned sub-domain without https I am landing to https://your-sub-domain.com/somefolder

Can you give try once by clearing the browser cache or try in another browser?

Yeah I just have an index.php file in the web root that redirects to the /RedCart folder with a simple header() function:

header("Location: RedCart/");

But that's not the issue because you still get the "too many redirects" error even if you land directly inside the RedCart folder or any other page on the site. I have the .htaccess disabled for now just so that we can get it to load.

 

[kodeslogic]

Please check the attached file, this is what I am able to load in my browser without any "too many redirects" error (site loads with https). I have checked this in chrome as well as in firefox.

I have masked the website related to information in the screenshot.

 

[cPRex]

^^^That's what I'm getting at this point as well.

If you get a "Too many redirects" error once you have the .htaccess file in place, there is either an issue in that file or a complication between the .htaccess and your site's software.

 

[tptompkins]

Thanks guys. What you're seeing is working because I have the .htaccess file disabled at the moment. If I turn it back on, the too many redirects error comes back. We can access the site with https:// and http:// without the .htaccess file. But when we force redirect from cpanel where it creates the .htaccess file automatically, that's when the issue comes back.

At this point I'm thinking it some sort of issue with CloudFlare. The exact same application code works fine with hundreds of other photographer's websites. The only difference is how this particular customer pointed their sub domain to their cpanel account on my server. I don't know anything about how CloudFlare works, so I don't know how to instruct my client to fix the issue on her end. She had her "website people" set it up originally so she doesn't even know what CloudFlare is.

If any of you have any other ideas, I'm all ears. Thanks again for the help!

 

[kodeslogic]

Cloudflare has its own option to redirect all requests with scheme “http” to “https”, which in your case I suspect is on. Please check the screenshot for more details.

You will have to either use Cloudflare option or the cPanel option to "Force HTTPS Redirect". If you do not have access to your client's Cloudflare account then consider disabling the cPanel option "Force HTTPS Redirect" for this domain and the below lines can be commented.

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

 

[Rodrigo Gomes]

Thank you for the info. However, I'm having an issue how where if I turn on Force HTTPS Redirect from the Domains section inside cPanel, within a couple minutes of doing this the site starts producing "too many redirects" errors:

ERR_TOO_MANY_REDIRECTS

If I turn off force https redirect, it starts working fine again. This is only happening with one specific account on my server and I'm not sure why. Any ideas?

Thanks,

Tommy

Hi @tptompkins , this is a cPanel bug when your customer uses this option in conjunction with Cloudflare in Flex mode.


When activating the "Force HTTPS Redirect" option in cPanel, the customer's website enters a redirection loop (ERR_TOO_MANY_REDIRECTS). This is because the redirection rule that cPanel create does not take X-Forwarded-Proto into account, which is sented by all reverse proxies and is extensively documented.

More about it can be read here:
https://aws.amazon.com/pt/premiumsupport/knowledge-center/redirect-http-https-elb/

A simple solution for this would be to just add the rule below along with the existing rule responsible for the redirect inside /etc/apache2/conf/httpd.conf:

RewriteCond %{HTTP:X-Forwarded-Proto} !https

Note, if you are trying to fix this problem yourself, do not edit httpd.conf directly, use "customize the Apache Virtual Host templates" instead. As in this image. https://imgur.com/WWrzCbN

I do not recommend correcting this on your own, because you will need to update the template manually after that. Ask cPanel support to correct the problem instead.


To reproduce this problem, just use a reverse proxy or Cloudflare with the Flex option enabled and activate the option "Force HTTPS Redirect".

I reproduced this problem with Varnish Cache, Nginx as a proxy, Cloudflare and load balancers.

I also tried my best to take it to the development team of cPanel and was created an internal case number CPANEL-36901. @cPRex Could you follow this up for us and update this page if it has any updates?

Thank you.