Htaccess file changes to force

I just migrated my site to https, using a Cloudflare SSL. All good here.

Next I want to make sure that I don’t have 2 versions (Http and https) indexed by Google.
I believe the way to do this is a 301 URL redirect in my .htaccess file.
This is what I tried and it cause my site to crash. Suggestions?

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

BEGIN WordPress

RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] # END WordPress

Why use htaccess when Cloudflare could do this for you? :wink: The easiest way would be to use page rules

Plus “Always use Https”

Several aspects here.

  1. The crash - most likely - happens because the redirect will be only sent back to the user and will only affect the request between the user and Cloudflare. Depending on your TLS configuration at Cloudflare the request between Cloudflare and you might be always cleartext HTTP, hence a loop when you forcibly redirect to HTTPS - you can read about that very issue at
  2. As MarkMeyer already wrote, you can simply change that in the control panel, no need to htaccess in this case. And you dont even need page rules and you only need to enable “Always use HTTPS”, which will do the very same thing as your htaccess rule.

As for TLS on your side. Do you have a valid certificate enabled? If so, you should set the “TLS mode” to Full (strict) but assuming that you have Flexible set (and hence the error), you probably do not have a certificate and that would mean traffic is only encrypted between the user and Cloudflare. The connection between Cloudflare and your server will be cleartext again. In the name of security it may be a good thing to encrypt that channel too.

Thanks MarkMeyer & Sandro!

  1. Page rule & HTTP always. My site is set up is
    Is the pattern “” or “”? (seems http:// isn’t optional).

  2. Any combination I type in a browser results in my site loading as Is the “Always HTTP” option needed to steer Google away from indexing http and https versions of the same page, or is this already in by the fact that everything resolves to

  3. TLS is Flexible, as you suspected. Just want to check. Is there anything else I need to do for TLS mode = Full(strict). Or is it just a setting change?

Your help is much appreciated.

  1. No Page rule necessary
  2. This is because their is a redirect (probably due to “Always use HTTPS”). The option is not needed, but it is what you wanted to implement with htaccess.
  3. That would mean everything is unencrypted between Cloudflare and your server. Setting it to “Full (strict)” would be a good idea, but would mean your server needs to be configured for HTTPS too (maybe it already is, cant tell :slight_smile: ) for which it will need a valid certificate (maybe it already has one, cant tell :slight_smile: ).
1 Like

Thanks you Sandro!

My hosting provider set up encryption on the server to Cloudflare side. I don’t think there’s anything else for me to do but wait for Google to index the HTTPS URLs (and send me tons of traffic :))

Thanks again for your clear and prompt help!

This topic was automatically closed after 14 days. New replies are no longer allowed.