Support

You can enable both the non-www to www redirection and the HSTS header. This is what we are doing on our site. However, you should also go to Joomla's Global configuration and set Force SSL to Whole Site.

I just tried and I can't reproduce your experience :/

When I visit http://yn3.nl I get redirected to http://www.yn3.nl This makes sense, it's the non-www to www redirection.

IMPORTANT! I do NOT get automatically redirected to the HTTPS version of your site because you have not set up Force SSL to Entire Site in your Joomla Global Configuration page.

When I visit https://yn3.nl I get redirected to https://www.yn3.nl This also makes sense, it's the same non-www to www redirection.

If I now visit http://yn3.nl I do NOT get https://www.yn3.nl because you are using a self-signed certificate, therefore my browser ignores the HSTS header.

My suggestions:

• Install a valid commercial SSL certificate. You can get a free one from Let's Encrypt, either through your host's control panel (most modern hosts support it) or through a site affiliated with the Let's Encrypt foundation such as http://zerossl.com/ Contact your host for the best way to do it. I have used the integrated cPanel solution with Rochen and SiteGround and the ZeroSSL site for our CDN (to get more real world info on HTTPS impact on our CDN before committing to a very expensive EV SSL certificate).
• Go to Joomla's administrator, System, Global Configuration and set Force SSL to Entire Site.
• In Admin Tools .htaccess Maker enable BOTH the non-www to www redirection AND the HSTS header.

You need to do the above in the order presented. Afterwards I strongly recommend clearing your browser's cache, otherwise it "remembers" the wrong redirections.

No. The very fact that we are having this conversation on the https://www.akeebabackup.com site which of course uses HTTPS, Admin Tools and the HSTS option enabled in the .htaccess Maker means that this option works perfectly well as long as you don't screw up the configuration and you're running a site on a decent server.

This option adds the following to the .htaccess:

RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://$httpsHost/$1 [R=302]

Which means:

• IF the server reports that HTTPS is not enabled,
• OR IF the protocol in the X-Forwarded-Proto HTTP header from a proxy server is "http"
• THEN redirect the site to the configured HTTPS host (that's what $httpsHost stands for) plus forward slash plus the query string the server reports

Using the example domain you have used above, this should read

RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://www.website.com/$1 [R=302]

If the last line reads something like

RewriteRule .* https://https://www.website.com/$1 [R=302]

it's because you configured something wrong.

Now go to Admin Tools, .htaccess Maker and scroll all the way to the bottom. Look at the "Host name for HTTPS requests (without https://)" option. What does it read? If you have put https://some.domain.name/ in there instead of some.domain.name then you have told Apache –through .htaccess Maker– to screw up your site. Honestly, that's why we explicitly state "without https://" in this option's title. The same applies if you have entered something other than a bare domain name, e.g. /some.domain.name which I've seen before and it's still very, very wrong. I suspect you've entered the https:// prefix.

IMPORTANT! Please note that this field does not have validation on purpose. Some shared SSL server setups require a special domain and path here, hence validation is not possible.

If you have only entered a domain name in that field then your server is broken. The RewriteRule only catches the query string, not the domain name. If your server puts the domain name in the query string, uh, I have to wonder how can you possibly have a site running on that server since even URL redirections –needed for SEF URLs– would be broken.

www.domain.com is just as valid as domain.com, of course.

Can you try removing these three lines from the .htaccess? If that lets the site load then you should contact the host and show them the three lines you removed from the .htaccess file. The $1 in the third line must only return the query of the request, not the host and protocol.

This line

RewriteRule .* https://www.website2.com/$1 [R=302]

means:
If the above conditions matched (RewriteRule) take the rest of the query from the path onwards (.*) and append it to https://www.website2.com (https://www.website2.com/$1), then send an HTTP 302 redirection to the browser ([R=302]).

But you say it redirects to a DIFFERENT domain name, https://www.website.com (NOT website2.com). This does not come from the HSTS rules and doesn't seem to come from our .htaccess file either unless you've configured something else entirely wrong.

As I already told you, the very fact that we are having this conversation on the https://www.akeebabackup.com site which of course uses HTTPS, Admin Tools and the HSTS option enabled in the .htaccess Maker means that this option works perfectly well as long as you don't screw up the configuration and you're running a site on a decent server. From where I am standing it looks like you have either a DNS or server setup issue that I cannot help you with.

Since this ticket is now outside the scope of our support (we don't provide DNS and server setup help) I am going to close it.