Support

Admin Tools

#25742 HSTS redirects double

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Friday, 12 August 2016 10:32 CDT

yolknet
When surfing to www.domain.com I'm redirected to https//www.domain.com (with HSTS Header set YES and Redirect non-www to www). But when I type domain.com the server redirects me to https//www.domain.com/https//www.domain.com
Am I mixing the wrong settings?

nicholas
Akeeba Staff
Manager
You can enable both the non-www to www redirection and the HSTS header. This is what we are doing on our site. However, you should also go to Joomla's Global configuration and set Force SSL to Whole Site.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

yolknet
I tried, but still the same situation. You can see what I mean at "yn3.nl"

nicholas
Akeeba Staff
Manager
I just tried and I can't reproduce your experience :/

When I visit http://yn3.nl I get redirected to http://www.yn3.nl This makes sense, it's the non-www to www redirection.

IMPORTANT! I do NOT get automatically redirected to the HTTPS version of your site because you have not set up Force SSL to Entire Site in your Joomla Global Configuration page.

When I visit https://yn3.nl I get redirected to https://www.yn3.nl This also makes sense, it's the same non-www to www redirection.

If I now visit http://yn3.nl I do NOT get https://www.yn3.nl because you are using a self-signed certificate, therefore my browser ignores the HSTS header.

My suggestions:
  • Install a valid commercial SSL certificate. You can get a free one from Let's Encrypt, either through your host's control panel (most modern hosts support it) or through a site affiliated with the Let's Encrypt foundation such as http://zerossl.com/ Contact your host for the best way to do it. I have used the integrated cPanel solution with Rochen and SiteGround and the ZeroSSL site for our CDN (to get more real world info on HTTPS impact on our CDN before committing to a very expensive EV SSL certificate).
  • Go to Joomla's administrator, System, Global Configuration and set Force SSL to Entire Site.
  • In Admin Tools .htaccess Maker enable BOTH the non-www to www redirection AND the HSTS header.


You need to do the above in the order presented. Afterwards I strongly recommend clearing your browser's cache, otherwise it "remembers" the wrong redirections.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

yolknet
Thank you for your suggestions Nicholas. We encountered more problems among others, iframe-conflict (https vs http). It made us to decide and run the site without SSL. The target of the iframe first has to make their website ssl-proof. After that we will try it again.

We followed your suggestions, but still ran into the same problems. We will test it later on other sites too. I'll keep you posted.

yolknet
Now I have another website with the same problem. I followed the three suggestions in the last post of Nicholas, but when the HSTS header is enabled I'm redirected to https://www.website.com/https://www.website.com/
If the option is disabled it works fine. So it looks to me the option has a bug?

nicholas
Akeeba Staff
Manager
No. The very fact that we are having this conversation on the https://www.akeebabackup.com site which of course uses HTTPS, Admin Tools and the HSTS option enabled in the .htaccess Maker means that this option works perfectly well as long as you don't screw up the configuration and you're running a site on a decent server.

This option adds the following to the .htaccess:
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://$httpsHost/$1 [R=302]


Which means:
  • IF the server reports that HTTPS is not enabled,
  • OR IF the protocol in the X-Forwarded-Proto HTTP header from a proxy server is "http"
  • THEN redirect the site to the configured HTTPS host (that's what $httpsHost stands for) plus forward slash plus the query string the server reports


Using the example domain you have used above, this should read
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://www.website.com/$1 [R=302]

If the last line reads something like
RewriteRule .* https://https://www.website.com/$1 [R=302]

it's because you configured something wrong.

Now go to Admin Tools, .htaccess Maker and scroll all the way to the bottom. Look at the "Host name for HTTPS requests (without https://)" option. What does it read? If you have put https://some.domain.name/ in there instead of some.domain.name then you have told Apache –through .htaccess Maker– to screw up your site. Honestly, that's why we explicitly state "without https://" in this option's title. The same applies if you have entered something other than a bare domain name, e.g. /some.domain.name which I've seen before and it's still very, very wrong. I suspect you've entered the https:// prefix.

IMPORTANT! Please note that this field does not have validation on purpose. Some shared SSL server setups require a special domain and path here, hence validation is not possible.

If you have only entered a domain name in that field then your server is broken. The RewriteRule only catches the query string, not the domain name. If your server puts the domain name in the query string, uh, I have to wonder how can you possibly have a site running on that server since even URL redirections –needed for SEF URLs– would be broken.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

yolknet
I didn't use https:// in the option field, because between the brackets it says "without https://".
But maybe I've found something. But instead of "www.website.com" I changed the host name to just "website.com". I don't know if I solved it or it just somehow works? From the documentation at https://www.akeebabackup.com/documentation/admin-tools/system-configuration.html I understood "www.website.com" is a valid host name. Maybe I misunderstood it? What should be the right syntax of the host name?

[EDIT]
I'm sorry, I mislooked. It still doesn't work. If it's not in Akeeba I will ask the hoster what's happening. I'll keep you posted

nicholas
Akeeba Staff
Manager
www.domain.com is just as valid as domain.com, of course.

Can you try removing these three lines from the .htaccess? If that lets the site load then you should contact the host and show them the three lines you removed from the .htaccess file. The $1 in the third line must only return the query of the request, not the host and protocol.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

yolknet
Without the HTST the address works. In the htaccess file I brought back the problem to this line:
RewriteCond %{HTTPS} !=on 

I'm not familiar enough with htaccess to know whether the problem is at the side of the website or at the side of the hoster. Do you know maybe if it could be a server setting? Maybe a flag to set?

yolknet
I've found something new. When I edit the url on line 36 to
RewriteRule .* https://www.website2.com/$1 [R=302]
the browser redirects to https://www.website.com/https://www.website.com/
I don't know how to get further with this information, but maybe to you it could be a clue?

[UPDATE]
I think it's a htaccess problem. When I delete all codes from line 37 I'm redirected to website.com.

nicholas
Akeeba Staff
Manager
This line
RewriteRule .* https://www.website2.com/$1 [R=302]

means:
If the above conditions matched (RewriteRule) take the rest of the query from the path onwards (.*) and append it to https://www.website2.com (https://www.website2.com/$1), then send an HTTP 302 redirection to the browser ([R=302]).

But you say it redirects to a DIFFERENT domain name, https://www.website.com (NOT website2.com). This does not come from the HSTS rules and doesn't seem to come from our .htaccess file either unless you've configured something else entirely wrong.

As I already told you, the very fact that we are having this conversation on the https://www.akeebabackup.com site which of course uses HTTPS, Admin Tools and the HSTS option enabled in the .htaccess Maker means that this option works perfectly well as long as you don't screw up the configuration and you're running a site on a decent server. From where I am standing it looks like you have either a DNS or server setup issue that I cannot help you with.

Since this ticket is now outside the scope of our support (we don't provide DNS and server setup help) I am going to close it.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!