HTTP to HTTPS Redirect via htaccess not working

Boneshanks

Member
Nov 15, 2015
7
0
1
Canada
cPanel Access Level
Root Administrator
After scouring the web for several days, I've finally decided to create a thread (my first!) here...

I am at a loss.
I have a php-based website (say, example.com) set up in its own public_html directory, with SSL certification for both "example.com" and "www.example.com".
The https-prefixed version works great across the entire site, without issue.
However, since I advertise my website as simply "example.com", I want people to be able to simply type that in, and not the full "Example Domain" to be able to access the secure site.

I also have SSLv3 (for POODLE vulnerability) disabled via the include editor in WHM, as suggested by whynopadlock.com's analysis.

Unfortunately, now all users who enter the web address without the "https://" prefix get sent to a page saying nothing more than "Index of" with links to "cgi-bin/" and "www/" below, with the error "Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4 Server at www.example.com Port 80" below that.

I have tried every combination of rules & rewrites I've found for htaccess, with absolutely no change.
I have attempted to add PHP code for redirection at the top of web pages, but they do not even get loaded.
I have used cPanel's built-in Redirects tool, with absolutely no difference made (though I see the changes made within htaccess file). Clicking on the directory "/" in the listed redirects sends me to the same "Index of" page.

Should I ditch the SSLv3 disabling, and just use a redirect function in PHP to ensure all pages are the https version? Or would that then be opening the POODLE vulnerability again?

I'm not a server-admin expert, at all. Any suggestions would be appreciated.
 

24x7server

Well-Known Member
Apr 17, 2013
1,911
96
78
India
cPanel Access Level
Root Administrator
Hello,

Can you please try to disable the old .htaccess code and try with the following code?

Code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
> I have tried every combination of rules & rewrites I've found for htaccess, with absolutely no change.

Hello :)

Could you let us know which rules were added that do not work as intended?

Thank you.
 

Boneshanks

> Hello,
>
> Can you please try to disable the old .htaccess code and try with the following code?
>
> Code:
> RewriteEngine On
> RewriteCond %{HTTPS} off
> RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

Hi, thanks for the reply.
I just tried your code, with nothing else in htaccess, and still get sent to that "Index of" page when I try either variant of the domain (without the https prefixed)...

Code:
Index of /
  cgi-bin/  (http://domain.ca/cgi-bin/)
  www/  (http://domain.ca/www/)
Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4 Server at domain.ca Port 80
 

Boneshanks

> Hello :)
>
> Could you let us know which rules were added that do not work as intended?
>
> Thank you.

Hi, thanks for replying.
I honestly can't recall every combination that I've tried, but it's been a LOT, from many sources/forums/blogs.
Each one has been attempted independently of others though, with no other competing code in htaccess.
I'm almost convinced that the htaccess isn't even being used. Only when I put in some code that forces a redirect loop do I see something other than that stupid "Index of" page...
I will happily try any combo again that people suggest here, though, or any other thing.
 

24x7server

Hello,

I can see you have root access to your server, so can you please let me know the output of the following command from your server?

Code:
cd /home/cPanel_User/public_html/
ls -la
Note: use your cPanel user name instead of cPanel_User in the above command.
 

Boneshanks

> Hello,
>
> I can see you have root access to your server, so can you please let me know the output of the following command from your server?
>
> Code:
> cd /home/cPanel_User/public_html/
> ls -la
> Note: use your cPanel user name instead of cPanel_User in the above command.

Hi, thanks.
That command lists all the web files & subdirectories for my website, including the index.php which gets loaded normally when the domain name is entered with the https prefix. The htaccess file in (attempted) use is also listed in that same public_html directory.
 

cPanelMichael

Could you verify that with no redirect rules at all, non-secure pages load as they should?

Thank you.
 

Boneshanks

> Could you verify that with no redirect rules at all, non-secure pages load as they should?
>
> Thank you.

Hi, thanks.

No, with no redirect rules in htaccess, pages do NOT load as they should. Without the "https" prefix, users get sent to that "Index of" page regardless of whether there are redirect rules in the htaccess or not.
The only thing that ever changes that is if I put in something that causes a redirect loop. Otherwise, it's always "Index of".
 

cPanelMichael

Are you sure there are no rules in the .htaccess file within the public_html directory or the account's home directory when the index page appears? Is the "Indexes" option enabled for "Directory “/” Options" in "WHM Home >> Service Configuration >> Apache Configuration >> Global Configuration"?

Thank you.
 

Boneshanks

> Are you sure there are no rules in the .htaccess file within the public_html directory or the account's home directory when the index page appears? Is the "Indexes" option enabled for "Directory “/” Options" in "WHM Home >> Service Configuration >> Apache Configuration >> Global Configuration"?
>
> Thank you.

Hi, thanks for the help.
I just checked WHM>Service Configuration>Apache Configuration>Global Configuration and the section for Directory "/" Options has ExecCGI, FollowSymLinks, IncludesNOEXEC, Indexes, and SymLinksIfOwnerMatch all checked, with both Includes & Multiviews unchecked.
The account's home directory IS public_html, if that helps clarify anything.
There is currently NOTHING in that directory's htaccess. Empty file. No other htaccess files hiding anywhere else in public_html or its subdirectories.
The thing that makes it so baffling to me is that as long as you type in the "https://" prefix along with the domain (with or without www), the index page loads fine, along with everything else in the website, all of it under SSL.
Any combination of "domain.com", "www.domain.com", "http:// domain . com", or "http:// www . domain . com" results in the "Index of" page (without the spaces of course).

Frustrating. Thanks for the continued help, though. Don't give up on me!
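
Added example, not part of any post in this thread: the symptoms above (HTTPS serves the site, HTTP returns an "Index of" listing whatever the .htaccess contains) suggest checking whether the port 80 and port 443 virtual hosts for the domain share a DocumentRoot, since an .htaccess file is only read from the directory tree Apache actually serves. The configuration text, paths and function names below are constructed for illustration, and the thread does not establish that this is the cause.

```python
import re

# Constructed sample config (not from the poster's server): the two vhosts for
# the same name are deliberately given different DocumentRoot values.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /home/exampleuser
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /home/exampleuser/public_html
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return all arguments of every `name` directive in a vhost body."""
    args = []
    for m in re.finditer(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", body, re.M | re.I):
        args.extend(m.group(1).split())
    return args

def docroots_by_port(conf, host):
    """Map port -> DocumentRoot for every vhost that answers for `host`."""
    roots = {}
    for addrs, body in VHOST_RE.findall(conf):
        names = directive(body, "ServerName") + directive(body, "ServerAlias")
        if host.lower() not in (n.lower() for n in names):
            continue
        root = directive(body, "DocumentRoot")
        for addr in addrs.split():
            port = addr.rsplit(":", 1)[-1]
            roots[port] = root[0].strip('"').rstrip("/") if root else None
    return roots

def docroot_mismatch(conf, host):
    """True when HTTP and HTTPS serve `host` from different directories."""
    roots = docroots_by_port(conf, host)
    return roots.get("80") != roots.get("443")

if __name__ == "__main__":
    print(docroots_by_port(SAMPLE_CONF, "www.example.com"))
    print("mismatch:", docroot_mismatch(SAMPLE_CONF, "www.example.com"))
```

A mismatch means redirect rules placed in the HTTPS document root never run for plain-HTTP requests, so the redirect has to live in the directory (or vhost) that port 80 actually uses.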