I am working on a GoDaddy VPS (Apache, CentOS, cPanel). I have an SSL certificate valid for example.com but NOT www.example.com.
I want to use a .htaccess file to forward any requests to https://example.com/<pages>.
My code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.*)$ [NC]
RewriteRule ^(.*) https://example.com/$1 [L,R=301]
The problem:
All tested browsers (Chrome, Edge, Opera) work fine for all combinations of http, https, www, and specific pages. However, Firefox does NOT forward https://www.example.com (with or w/out pages).
I get a security warning stating that www.example.com is not on the cert.
I have tried numerous other code snippets but none seem to work.
CodePudding user response:
Firefox may seem like the oddball, but actually it's the other browsers doing it "wrong" - to be forgiving with other people's server misconfiguration in favor of the user's convenience. (Also, it will look less odd once you realize that all three browsers you mentioned - Chrome, Edge, Opera - are forks of Chromium.)
If you look in the Chrome devtools, you'll see this:
Redirecting navigation www.example.com -> example.com because the server presented a certificate valid for example.com but not for www.example.com. To disable such redirects launch Chrome with the following flag: --disable-features=SSLCommonNameMismatchHandling
So, even though you didn't present a valid certificate for https://www.example.com, Chrome was nice enough to execute the redirect anyway, because you did present a certificate that was valid for the target domain of the redirect (example.com), even though technically the redirect response was returned over a connection that wasn't properly secured (with a certificate not matching the requested domain).
The solution would be to have a proper SSL certificate in the first place, including all the domains that you want your site to be reachable under, in that case probably just example.com and www.example.com. (Some certificate issuers will even include the www subdomain for free if you purchase a certificate for the naked domain.)