docwhat's blog

Re: All https, all the time

Will Norris posted a blog post titled All https, all the time.

It’s a good article and I recommend you read it. is now only using https.

I did want to add one note about his apache configuration at the end.

He should be using [L,R=301] instead of just [L,R].

By default, the R flag issues a 302 Found redirect. The 302 status was originally “Moved Temporarily” but over time became “Found” for unknown reasons.

A 301 Moved Permanently says instead that the old URL isn’t coming back. This helps search engines and other software that tracks pages. Bookmarks can benefit from this as well.

So the complete rule would be:

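# Build self-referential names from ServerName, not the request's Host header
UseCanonicalName on
RewriteEngine on
# Permanently redirect any plain-HTTP request to the same path over HTTPS
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]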


Edited: I replaced %{HTTP_HOST} with %{SERVER_NAME} because SSL certificates have specific host names associated with them. %{HTTP_HOST} just returns the host name that was in the request, which may not be the correct FQDN for the SSL certificate. To make it use the canonical name, you must turn on UseCanonicalName, which really should be used on SSL encrypted hosts anyway.
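One way to check both points above (the 301 status and the canonical host in the redirect target) is a small audit script. This is an added example, not code from the original post or from Will Norris's article; the host names www.example.org and alias.example.net, the function names, and the sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit


def audit_redirect(status, location, canonical_host, request_path):
    """Return a list of findings for one http -> https redirect response."""
    findings = []
    if status != 301:
        findings.append(f"status is {status}, expected 301 Moved Permanently")
    target = urlsplit(location or "")
    if target.scheme != "https":
        findings.append(f"Location scheme is {target.scheme or 'missing'}, expected https")
    if (target.hostname or "") != canonical_host.lower():
        findings.append(f"Location host is {target.hostname!r}, expected canonical name {canonical_host!r}")
    got_path = target.path + ("?" + target.query if target.query else "")
    if got_path != request_path:
        findings.append(f"Location path is {got_path!r}, expected {request_path!r}")
    return findings


def probe(address, canonical_host, host_header, path="/"):
    """Request `path` from your own server over plain HTTP with a chosen Host header."""
    conn = http.client.HTTPConnection(address, 80, timeout=10)
    try:
        conn.putrequest("GET", path, skip_host=True)
        conn.putheader("Host", host_header)
        conn.endheaders()
        resp = conn.getresponse()
        return audit_redirect(resp.status, resp.getheader("Location"), canonical_host, path)
    finally:
        conn.close()


# Constructed responses to "GET /blog?p=1" sent with "Host: alias.example.net",
# for a vhost whose ServerName (and certificate name) is www.example.org.
SAMPLES = {
    "[L,R] with %{HTTP_HOST}": (302, "https://alias.example.net/blog?p=1"),
    "[L,R=301] with %{SERVER_NAME}": (301, "https://www.example.org/blog?p=1"),
}

if __name__ == "__main__":
    for label, (status, location) in SAMPLES.items():
        problems = audit_redirect(status, location, "www.example.org", "/blog?p=1")
        print(label, "->", problems or "ok")
```

Calling probe() against a server you run, with an alias name as the Host header, applies the same checks to a live response.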
