SSL/TLS conflicts with htaccess rules

Website, Application, Performance Security
1

Hello,

Does enabling any of the following settings in Edge Certificates run into problems when corresponding set and rules in a htaccess file?

  • Always Use HTTPS
  • HTTP Strict Transport Security (HSTS)

I have these rules in my htaccess file

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains;"

# FORCE HTTPS
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [r=301,l]

Thanks

2

When you say “run into problems” do you see a redirect loop? If so that makes me think you’re choosing Flexible as your SSL mode when you ought to try Full or Full Strict if your origin is allowing an SSL connection:

1 Like
3

Enabling the “Always Use HTTPS” and “HTTP Strict Transport Security (HSTS)” settings in Edge Certificates should not cause any issues with the corresponding rules in your htaccess file. These settings are designed to work together with similar rules in the htaccess file to ensure that all traffic to your website is securely encrypted using HTTPS.

The “Header always set Strict-Transport-Security” rule in your htaccess file specifies that the server should include the HSTS header in all responses, with a maximum age of 31536000 seconds (1 year) and the “includeSubDomains” directive. This is consistent with the “HTTP Strict Transport Security (HSTS)” setting in Edge Certificates, which also enables HSTS with a 1-year max-age and the includeSubDomains directive.

The “RewriteCond” and “RewriteRule” directives in your htaccess file are used to redirect all HTTP traffic to HTTPS. This is consistent with the “Always Use HTTPS” setting in Edge Certificates, which also forces all traffic to be redirected to HTTPS.

In summary, enabling the “Always Use HTTPS” and “HTTP Strict Transport Security (HSTS)” settings in Edge Certificates should not cause any issues with the corresponding rules in your htaccess file, and they should work together to ensure that all traffic to your website is securely encrypted using HTTPS.

If the “Always Use HTTPS” and “HTTP Strict Transport Security (HSTS)” settings in Edge Certificates are enabled and the corresponding rules in your htaccess file are correctly configured, but you are still experiencing issues with HTTPS traffic to your website, there could be several possible causes. Some possible causes of HTTPS issues include:

  • Incorrectly configured SSL certificate: If the SSL certificate on your server is not properly installed or configured, it can cause issues with HTTPS traffic to your website. This can include problems with the certificate itself (e.g. expired, not trusted, etc.), or with the way the certificate is configured on the server (e.g. incorrect server name, incorrect certificate chain, etc.).
  • Misconfigured redirect rules: If the redirect rules on your server are not properly configured, they can cause issues with HTTPS traffic to your website. This can include redirect loops, where the server keeps redirecting the client to the same URL, or redirects to the wrong URL, causing the client to be unable to access the correct page.
  • Network or connectivity issues: If there are issues with the network or connectivity between the client and the server, it can cause HTTPS traffic to your website to fail. This can include problems with the client’s internet connection (e.g. unstable, slow, etc.), or issues with the server’s network connectivity (e.g. high latency, packet loss, etc.).
  • Server-side issues: There could be other issues with the server itself that are causing HTTPS traffic to your website to fail. This could include problems with the server’s software or hardware, or with the server’s configuration.
4

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.