0

I am using CloudFlare and I want to force HTTPS and Non-WWW by using .htaccess

I know there are many examples online already, but for CloudFlare users, normal redirect may cause redirect loops.

The closest answer is this one: https://stackoverflow.com/a/34065445/1254581

But it only force HTTPS and I need to force non-WWW too. Please help to edit this rules: 

RewriteEngine On

# If we receive a forwarded http request from a proxy...
RewriteCond %{HTTP:X-Forwarded-Proto} =http [OR]

# ...or just a plain old http request directly from the client
RewriteCond %{HTTP:X-Forwarded-Proto} =""
RewriteCond %{HTTPS} !=on

# Redirect to https version
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Put the rest of your rewrite rules here`enter code here`
Croises
  • 18,570
  • 4
  • 30
  • 47
RRN
  • 1,127
  • 1
  • 12
  • 37
  • RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC] RewriteRule ^(.*)$ https://%1/$1 [R=301,L] – Adam Aug 21 '18 at 14:39
  • The trick is to use CF's SSL='FULL' setting and turn off their "Always use HTTPS". – Jules Aug 21 '18 at 21:30
  • @Jules Can you explain more why this can fix the redirect loops issue? – RRN Aug 22 '18 at 17:21
  • Because if you use "Flexible" you get this loop: `CF sends the request as http. Your server sends back a 301 for https. Your browser requests https.` So don't use Flexible. Instead install their free origin certificate on your server and establish https through the entire chain. – Jules Aug 22 '18 at 21:44
  • @Jules So if we set SSL=FULL, CF will always send request as HTTPS? Why we need to turn off the "Always use HTTPS" then? – RRN Aug 23 '18 at 15:31
  • Because then CF will be managing the rewrites and not your server. It can cause more loops in other areas. The performance gain of saving one round trip on one http page per session is not worth the hassle. – Jules Aug 23 '18 at 15:35

1 Answers1

1

With Cloudflare, you can use:

RewriteEngine On
# www -> https without www
RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [NE,L,R=301]
# http -> https
# # With Cloudflare
RewriteCond %{HTTP:CF-Visitor} '"scheme":"http"'
# # Without Cloudflare
# RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,L,R=301]
Croises
  • 18,570
  • 4
  • 30
  • 47
  • Do you know why normal redirect would cause redirect loops? – RRN Aug 21 '18 at 16:29
  • Yes, because you receive the request from the Cloudflare server, not the user, and (depending on the options) they are not necessarily https – Croises Aug 21 '18 at 17:28
  • Because I test with `CF-Visitor` a Cloudflare parameter – Croises Aug 23 '18 at 00:07
  • But it will fail if we change or turn off the CDN, not a perfect solution. – RRN Aug 23 '18 at 16:19
  • You can activate a Cloudflare mode Full SSL. And add "normal test" for SSL `RewriteCond %{HTTPS} off` and `RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,L,R=301]` That should never cause a loop, because in strict mode, Cloudflare will never connect without SSL – Croises Aug 23 '18 at 17:23
  • Yes, @Jules also suggest to use FULL and turn off their "Always use HTTPS" , but I still don't understand why turning off their "Always use HTTPS" would help. – RRN Aug 24 '18 at 03:39
  • FULL SSL Has nothing to do with "Always use HTTPS". Full is a strict mode between your server and Cloudflare (you can also continue to view all the content of the site in http). While "Always use HTTPS" regards the exchange between the user and Cloudflare. – Croises Aug 24 '18 at 06:23
  • Do you know why Jules suggested me to turn OFF "Always use HTTPS" too? – RRN Aug 24 '18 at 15:52
  • I think he did not quite understand these Cloudflare options. But as you said, it is sometimes easier to correct everything on the site, and therefore not to rely on CDN options like this. – Croises Aug 24 '18 at 15:58
  • Just notice that you updated the answer, why don't you use "X-Forwarded-Proto" instead of "CF-Visitor"? It seems to work fine on all CDNs, not just CF. – RRN Aug 26 '18 at 07:35