Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By BobNL on
I am rebuilding my website in Drupal 8. Is it correct that HTTPS rewriting is not included in the default .htaccess file?
Comments
=-=
incorrect. https is indeed included in the D8 .htaccess file. perform search in the .htaccess file for https and insure you read the comments for the two sections that its discussed.
I've read the full .htaccess
I've read the full .htaccess file and see some SSL/HTTPS, but don't understand what to change for HTTPS enforcing.
For now, I pasted my own code, but I would like to use the original.
Insure the lines below are
Insure the lines below are uncommented:
Then remove the # from one of the two directives in:
Thank you. Step 1: they are
Thank you. Step 1: they are uncommented by default. I did not change anything.
Step 2: my website is on a sub domain, so I should use the second option, don't I? I uncommented the last two rules.
This doesn't enforce me to HTTPS yet.
=-=
neither of the options are subdomain specific. Merely, whether you want www. or not.
are you sure you have an active SSL cert on the site?
Perhaps reviewing the already existing discussions and documentation page will aid.
https://www.youtube.com/watch?v=rj-21p1nNJQ
https://www.fastcomet.com/tutorials/drupal8/enable-ssl
OK, well, I don't want www.
OK, well, I don't want www. on a subdomain so I unmarked the second option.
Yes, I'm sure there is an SSL certificate. This code in .htaccess makes it working. I'm OK with that of course, but most like to use the original code from Drupal.
In your case the snippet to use is simply this
Make sure the www. redirect examples mentioned before are all commented out, and paste the snippet either before or after into your .htaccess.
The code you refer to is spread all over the internet, and while it effectively does the same, it includes a regexp that is slightly more expensive to evaluate than the one I pasted (I took the actual RewriteCond from the Apache manual).
Sorry, but you're wrong.
Your first quite is the correct quote from .htaccess in Drupal, but it DOES NOT ENFORCE a redirect to https. All this snippet does is to set a flag in case the site has been accessed via https
The second snippet - depending which one you uncomment - enforces redirecting to either www.example.org or to example.org while respecting the original request's http or https status.
Depending on what is required - enforcing HTTPS without redirects, or enforcing HTTPS with redirects - the actual .htaccess code will look different.
A) Just enforce HTTPS
B) Enforce HTTPS with host rewrites
This is a more complicated situation, and requires deciding which type of redirection you want. The following example is based on redirection to www.example.org.
The following decision table illustrates the cases .htaccess needs to consider. The cell values indicate the Apache Rewrite clauses given further below
B.1) Rewrite clause 1
This clause covers both cases of redirecting to www.example.org and to enforce https: Regardless of being accessed via http or https, a redirect is always necessary. Hence:
B.2) Rewrite clause 2
This snippet is in fact the same as for case A) when placed after clause 1, because at this point in interpreting .htaccess the HTTP request includes the www. particle, and the only thing to do is a https rewrite.
Complete code (for redirecting to www.example.org scenario):
To use this snippet, ensure that the original redirect example in .htaccess are commented out (i.e. kept in their original state), and paste this snippet before or after it. It will redirect any domain served by the Apache host to https://www.your.tld
The code for rewriting to https://example.org is similar but needs deriving from the second part of the quoted .htaccess code.
I just tested this on my server and it works like a charm.
what about code for drupal 7?
what about code for drupal 7?
I have ome serious issues going on with google....my htaccess code works....but something is preventing google to index it properly or I dont know what is going on.....
Google comes to my site (i see google bot indexing my site) but I get no traffic.....
before HTTPS switch I got like 80 visitory per day....now 0.....this has been going on now for 2 weeks.....
Is there something wrong with the code i use?
It is the same for D7 and D8
Drupal relies on Apache for web service and HTTP/HTTPS handling, hence the config code we are discussing is Apache, not Drupal. However, D7 may give you a different default .htaccess than D8.
I had a look at your .htaccess and I remember having had the same problem on my cpanel hosting with LetsEncrypt. Without knowing more about your hosting environment I think the problem is convoluted as follows:
Your .htaccess has three Rewrite blocks that are interpreted in order for each request. All three blocks mess with the request if it is NOT targeting the LetsEncrypt stuff in .well-known (that is important)
Removing the LetsEncrypt-specific lines (dealing with that later) your config looks like this:
In itself this doesn't look bad, but blocks 2 and 3 are superfluous because all they do is to set a flag, not cause an actual HTTP redirect. Only block 1 causes a redirect to HTTPS if the request came in using HTTP.
Without knowing what is going on in the rest of your .htaccess file (especially the remainder of the rewrite statements) my suspicion is that the LetsEncrypt situation is the culprit.
Can you check your .htaccess file and see whether it has the following line in it? If it does, where is it? Before your code you posted, or after?
If that line is present and uncommented, then it is most likely contributing to the situation.
Can you check and see whether the domain your D7 is serving actually has valid certificates? If it doesn't then people will get warnings about your site and be directed away - and so will Google.
My general advice would be to talk to your provider and reconfigure how LetsEncrypt is validating your certificate(s) - a HTTP challenge is only one way to do so, but LetsEncrypt can also do a DNS challenge, which requires you to modify your DNS Zone accordingly - your hosting support should be able to help you with that. Once reconfigured, you can ditch all the complicated .well-known exceptions you have in your .htaccess file - they never really worked for me and I resolved to have DNS challenges for LetsEncrypt. Then your HTTPS enforcing could be as simple as this:
HTH,
Michel
Sorry I have no clue.....I
Sorry I have no clue.....I updated my .htaccess code before....and it seems to work, all I want that search bots can normally crawl my site..... can you check and see if this htaccess is any good?
Bluehost is totally horrible host....support has no idea how to help....they always tell me to get developer....
few years back they always helped.....now not anymore....
#
# Apache/PHP/Drupal settings:
#
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
</IfModule>
</FilesMatch>
# Don't show directory listings for URLs which map to a directory.
Options -Indexes
# Follow symbolic links in this directory.
# For security reasons, Option followsymlinks cannot be overridden.
#Options +FollowSymLinks
Options +SymLinksIfOwnerMatch
# Make Drupal handle any 404 errors.
ErrorDocument 404 /index.php
# Set the default handler.
DirectoryIndex index.php index.html index.htm
# Override PHP settings that cannot be changed at runtime. See
# sites/default/default.settings.php and drupal_environment_initialize() in
# includes/bootstrap.inc for settings that can be changed at runtime.
# PHP 5, Apache 1 and 2.
<IfModule mod_php5.c>
php_flag magic_quotes_gpc off
php_flag magic_quotes_sybase off
php_flag register_globals off
php_flag session.auto_start off
php_value mbstring.http_input pass
php_value mbstring.http_output pass
php_flag mbstring.encoding_translation off
</IfModule>
# Requires mod_expires to be enabled.
<IfModule mod_expires.c>
# Enable expirations.
ExpiresActive On
# Cache all files for 2 weeks after access (A).
ExpiresDefault A1209600
<FilesMatch \.php$>
# Do not allow PHP scripts to be cached unless they explicitly send cache
# headers themselves.
Otherwise
all scripts would have to overwrite the
# headers set by mod_expires if they want another caching behavior. This may
# fail if an error occurs early in the bootstrap process, and it may cause
# problems if a non-Drupal PHP file is installed in a subdirectory.
ExpiresActive Off
</FilesMatch>
</IfModule>
# Various rewrite rules.
<IfModule mod_rewrite.c>
RewriteEngine on
#
# Rewrite http(s)://example.com to https://www.example.com
#
RewriteCond "%{HTTP_HOST}" "!^www\." [NC]
RewriteCond "%{HTTP_HOST}" "!^$"
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#
# Rewrite http://www.example.com to https://www.example.com
#
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Make sure Authorization HTTP header is available to PHP
# even when running as CGI or FastCGI.
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Block access to "hidden" directories whose names begin with a period. This
# includes directories used by version control systems such as Subversion or
# Git to store control files. Files whose names begin with a period, as well
# as the control files used by
CVS,
are protected by the FilesMatch directive
# above.
#
# NOTE: This only works when mod_rewrite is loaded. Without mod_rewrite, it is
# not possible to block access to entire directories from .htaccess, because
# <DirectoryMatch> is not allowed here.
#
# If you do not have mod_rewrite installed, you should remove these
# directories from your webroot or otherwise protect them from being
# downloaded.
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule "/\.|^\.(?!well-known/)" - [F]
# If your site can be accessed both with and without the 'www.' prefix, you
# can use one of the following settings to redirect users to your preferred
# URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
#
# To redirect all users to access the site WITH the 'www.' prefix,
# (http://example.com/... will be redirected to http://www.example.com/...)
# uncomment the following:
RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#
# To redirect all users to access the site WITHOUT the 'www.' prefix,
# (http://www.example.com/... will be redirected to http://example.com/...)
# uncomment the following:
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# RewriteRule ^ http%{ENV:protossl}://%1%{REQUEST_URI} [L,R=301]
# Modify the RewriteBase if you are using Drupal in a subdirectory or in a
# VirtualDocumentRoot and the rewrite rules are not working properly.
# For example if your site is at http://example.com/drupal uncomment and
# modify the following line:
# RewriteBase /drupal
#
# If your site is running in a VirtualDocumentRoot at http://example.com/,
# uncomment the following line:
# RewriteBase /
# Pass all requests not referring directly to files in the filesystem to
# index.php. Clean URLs are handled in drupal_environment_initialize().
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^ index.php [L]
# Rules to correctly serve gzip compressed CSS and JS files.
# Requires both mod_rewrite and mod_headers to be enabled.
<IfModule mod_headers.c>
#
Serve
gzip compressed CSS files if they exist and the client accepts gzip.
RewriteCond %{HTTP:Accept-encoding} gzip
RewriteCond %{REQUEST_FILENAME}\.gz -s
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)\.css $1\.css\.gz [QSA]
# Serve gzip compressed JS files if they exist and the client accepts gzip.
RewriteCond %{HTTP:Accept-encoding} gzip
RewriteCond %{REQUEST_FILENAME}\.gz -s
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)\.js $1\.js\.gz [QSA]
# Serve correct content types, and prevent mod_deflate double gzip.
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1]
<FilesMatch "(\.js\.gz|\.css\.gz)$">
# Serve correct encoding type.
Header set Content-Encoding
gzip
# Force proxies to cache gzipped & non-gzipped
css
/js files separately.
Header append Vary Accept-Encoding
</FilesMatch>
</IfModule>
</IfModule>
my site works fine...google
my site works fine...google crawled it with HTTPS
if i do site:mysite I see all the new urls crawled....
but google stopped all the traffic..for some reason....and it comes back every 2 days crawling the site again and again.....
Or maybe my traffic counter is wrong...and is not showing any hits because of HTTPS redirect?
My other site that is build in WP works just fine....all the traffic was back after 3 days....but Drupal takes so long....
Somewhat cleaned-up version below
Hi,
I've clean it up a bit, and reordered some rules. Without more info I am afraid I can't really help - I am not a D7 guy...
HTH,
Michel
what do you mean by you are
what do you mean by you are not a D7 guy....you never installed d7 before?
Yes exactly
I started with Drupal 8 :-)
This might help, I got this
This might help, I got this from this page https://www.drupal.org/https-information and it works for my site.
Redirect to HTTPS with settings.php
You can also force SSL and redirect to a domain with or without www in settings.php, the benefit is that it won't get overwritten after updating Drupal. Insert this at the top of settings.php, right after <?php:
The only thing that worked
The only thing that worked for me. Thx for sharing!
sureshot solution.
Just to confirm that this works.. Thanks!
Worked for me. I appreciate
Worked for me. I appreciate the detailed write up. Thanks!
*DELETED*
*DELETED*
Are the .htaccess and settings.php methods equally secure?
The Enabling HTTP Secure (HTTPS) page at https://www.drupal.org/https-information offers two different ways to force https.
One method uses changes to the .htaccess file (recommended by @mdrescher in this forum) and the other method uses changes to settings.php (recommended by @junix33 in this forum).
Are both methods equally secure in Drupal 8 or is one method recommended over the other?
.
.... and? Any answers?
I apply common sense to this
I cannot state whether one way is more secure over the other - I am not a cybersecurity researcher.
What I *can* say is that either works at different levels of the stack, at different processing times: The .htaccess method catches HTTPS enforcement much earlier (pretty much as a first after Apache receives the request) than the settings.php method, which only ever triggers once Drupal (several call stacks past .htaccess) determines which settings.php to process (e.g. serving as a multi-domain environment). In terms of performance, I suspect the .htaccess method being faster (if ever measurable) than settings.php.
An arguably weak argument might be that, in terms of security vulnerabilities in code processing HTTPS enforcement instructions, the Apacke community is by far larger than the Drupal community, and therefore one may deduce that "swarm diligence" on that code might be better in Apache than in Drupal.
As for the argument made earlier that settings.php will not be overridden, that is IMHO *not* the case, at least in the default setting (where the default site serves for the only domain served by the Drupal instance). Likewise, when checking in .htaccess (which I do), you always see that it has changed when you assess upgrading Drupal core (via composer I suggest) and list all git changes. I then quickly merge any changes in .htaccess, if any, and check it in. Done. HTTPS enforcement in source code management.
*I* certainly prefer .htaccess over settings.php.
correct answer
https://www.drupal.org/https-information#settings-php-redirect
this is the correct answer
insert this code right after <?php in settings.php
looks like it won't give any error to drush either but haven't tested it.
non-www sites:
with www sites:
Thanks for this
Thanks for posting this option. It's more maintainable than what I've been doing with .htaccess. I find it embarrassing that someone would have to ready any docs at all to discover the best way to force HTTPS at this point in Drupal's (and the web's) development. IMHO, enabling this is a feature that should be baked into the core of Drupal by now. How hard would it be to put a checkbox somewhere in the main system configuration? Maybe I'll get to the point I can do something about it myself someday.
settings.php worked great
Thanks lennyaspen
You suggestion work great, and the advantage is that it is less that get lost when updating the core and the .htaccess get lost.
I'm on D9.2.6
The ONLY solution that worked for me to force https
The only / only solution that worked for me in .htaccess was the one posted by mdrescher (see snippet below). Simply put, nothing else did the trick. I commented everything else in .htaccess that supposedly was designed to force to https. I have been working with Drupal since its inception 19 years ago and lease a UNiX server.
Thank you jhnnsbstnbch!
Finally something that works!
Thanks
Great jhnnsbstnbch!
Thank you for sharing :-)