My web server is in the cloud, a VPS on Vultr. I have added the following lines to my apache.conf file:
```apache
Options -Indexes +FollowSymLinks
AllowOverride All
Require all granted

RewriteEngine On

# Rule set 1: any www.* host -> https:// on the bare domain.
# %1 is the host without the leading "www." (captured by the RewriteCond).
# Note: ^.*$ has no capture group, so $1 expands to nothing and the path is dropped here.
RewriteCond %{HTTP_HOST} ^www\.(.*)
RewriteRule ^.*$ https://%1/$1 [R=301,L]

# Rule set 2: plain http, or an https request that still carries www.,
# -> https:// on the bare domain, keeping the request path.
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]
```
These lines will redirect an http://www.example.com or an http://example.com to an https://example.com. It works very well. I do not use htaccess files.
I always try to think how a user could mess things up and in this case, I think they could enter https://www.example.com. And sure enough, it messes things up.
I want to add that I only have a LetsEncrypt certificate for the example.com domain. I do not have one for the www.example.com subdomain, like many others add to their server.
In the sites-available file for the domain, /etc/apache2/sites-available/example.com.conf, I have:
```apache
<VirtualHost example.com:80>
    ServerAdmin [email protected]
    ServerName example.com
    ServerAlias example.com
    # above line eliminates www.example.com
    DocumentRoot /var/www/example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```
I do not use a VirtualHost file for the 443 port.
I have read other stackoverflow comments and questions about the issue of https://www.example.com. I reference a near identical request that does not eliminate my problem, but maybe they have a certificate for the www subdomain, allowing the proposed solution there to work: Best Practice: 301 Redirect HTTP to HTTPS (Standard Domain)
My assumption is that possibly:
- My apache.conf code has an error.
- I need an additional certificate for the www subdomain.
- Some other solution.
What is the best way to proceed here? Or do others just ignore this since it will be overshadowed by the browser screaming about how unsafe the site is?
2 Answers
If you want to access the site by https://www.example.com then you need a certificate exactly for this exact domain, i.e. www.example.com and not just example.com. There is no way around this since any redirects can only be issued by the server once the TLS connection is established, i.e. after the certificate validation.

After much research, I have decided to go back to the https://www.example.com approach. There are several reasons. Most websites would not notice the difference between using www and not using it. Large websites would, since they would need additional subdomains to be able to properly utilize cookies.
The other issue is the CNAME in the DNS settings. It is considered best practice to not use a bare domain with the CNAME. For example, Namecheap doesn’t allow it. You must use the www subdomain with the CNAME entry.
Another concern is email. I don’t know all of the details but email can get messed up by not using the www subdomain.
Some browsers actually remove the www from the URL even though it is there when they display the address. And some talk exists of a future where the www will be removed entirely.
But as of today, there is a consensus that the DNS system would have to be changed at a very basic level to accommodate no www in the address.
These things make me wary of staying with a non-www address domain URL. For now, I will return to the old school https://www.example.com.