#39309 Joomla HTTPS force redirect?

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: 4.3.3
PHP version: 8.1.21
Admin Tools version: 7.3.4

Latest post by jjst135 on Thursday, 03 August 2023 13:52 CDT

jjst135

Hi! In our Akeeba Admin Tools .htaccess Maker settings we have enabled HSTS. In the .htaccess file this results in:

##### HTTP to HTTPS redirection
## Since you have enabled HSTS the first redirection rule will instruct the browser to visit the HTTPS version of your
## site. This prevents unsafe redirections through HTTP.
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://www.DOMAINNAME.nl%{REQUEST_URI} [L,R=301]

I think this means all requests are redirected to https. So when someone uses http in the browser this makes sure the visitor is sent to the https version of the page, correct?

Joomla 4 also has a setting on the 'server' tab that is called 'Force HTTPS'. When we set this to 'whole site' we experience some issues (TOO MANY REDIRECTS) when 2-factor authentication is used for logging in to the backend. So I tried turning this option off ('none') in Joomla and it looks like that helps with the 'too many redirects'.

My questions:

  • Can we leave the J4 option 'Force HTTPS' set to 'none' and still have visitors redirected to https because of the htaccess settings?
  • Could the option 'Force HTTPS' set to 'whole site' cause issues with redirects when the htaccess also redirects? So that might cause the issue with the 'too many redirects' when logging in to the backend?

The 'Too many redirects' only showed up a while back. I have not seen this before. Not sure when exactly. It could also have been caused by changes to LastPass... They have done an overhaul of the plugin and maybe the 2-factor page and LastPass don't get along somehow...

But even so, I am still curious about the best settings for the https redirect.

Kind regards,
Jip

nicholas
Akeeba Staff
Manager

> I think this means all requests are redirected to https. So when someone uses http in the browser this makes sure the visitor is sent to the https version of the page, correct?

Partially correct. It means that any request to any resource of your site made over plain HTTP will be redirected to HTTPS. This does not only apply to page content (either static HTML files, or HTML content generated by Joomla!) but also to static files such as JavaScript, CSS, etc. This prevents mixed content warnings in browsers.

> Joomla 4 also has a setting on the 'server' tab that is called 'Force HTTPS'.

Joomla's feature only applies to requests handled by Joomla! itself. It does not apply to requests made to static files.

Moreover, whether this feature works depends on whether your web server correctly reports to PHP (therefore to Joomla!) whether you are accessing the site over HTTPS or not. This is not a given. For example, if you are using an SSL/TLS Terminator in front of the web server then the web server always “sees” a plain old HTTP request; it never sees the request is made over HTTPS.

> Can we leave the J4 option 'Force HTTPS' set to 'none' and still have visitors redirected to https because of the htaccess settings?

Yes.

On top of that, if someone visits your site once then the browser itself will always upgrade all future requests to your site to HTTPS even if they are made as plain HTTP requests. That's what HSTS does and why we use it.

> Could the option 'Force HTTPS' set to 'whole site' cause issues with redirects when the htaccess also redirects? So that might cause the issue with the 'too many redirects' when logging in to the backend?

Not in the way you describe it.

The .htaccess redirection kicks in before your web server asks Joomla to handle the request. Joomla! will always be loaded when the request is made under HTTPS, never loaded when the request is plain old HTTP.

However, as I said above, if Joomla cannot see that the site is being accessed under HTTPS it will always try to issue a redirect itself, thus causing a problem.

Therefore, it's not the .htaccess redirection which causes your problem.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
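
Added example, not part of the ticket and not Akeeba's or Joomla's code: one way to see which redirect is looping is to capture the response headers with `curl -sIL` and classify each hop. The function name, the verdict labels and both header dumps are constructed for illustration; the host is the placeholder from the rule quoted in the ticket.

```python
from urllib.parse import urljoin, urlsplit

def trace_redirects(start_url, header_dump):
    """Classify each hop in the header blocks printed by `curl -sIL start_url`."""
    text = header_dump.replace("\r\n", "\n")
    blocks = [b.strip() for b in text.split("\n\n") if b.strip()]
    hops, url, seen = [], start_url, set()
    for block in blocks:
        lines = block.split("\n")
        status = int(lines[0].split()[1])  # e.g. "HTTP/1.1 301 Moved Permanently"
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        location = headers.get("location")
        target = urljoin(url, location) if location and 300 <= status < 400 else None
        if target is None:
            verdict = "final"
        elif target == url or target in seen:
            verdict = "loop"  # server keeps sending us to a URL already requested
        elif urlsplit(url).scheme == "http" and urlsplit(target).scheme == "https":
            verdict = "http-to-https upgrade"
        else:
            verdict = "other redirect"
        hops.append({"url": url, "status": status, "verdict": verdict,
                     "hsts": "strict-transport-security" in headers})
        if verdict in ("final", "loop"):
            break
        seen.add(url)
        url = target
    return hops

# Constructed sample: healthy site, one upgrade then a page carrying HSTS.
SAMPLE_OK = """HTTP/1.1 301 Moved Permanently
Location: https://www.DOMAINNAME.nl/administrator/

HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
"""

# Constructed sample: the HTTPS URL redirects to itself, as happens when the
# application behind the web server believes the request arrived over HTTP.
SAMPLE_LOOP = """HTTP/1.1 301 Moved Permanently
Location: https://www.DOMAINNAME.nl/administrator/

HTTP/1.1 301 Moved Permanently
Location: https://www.DOMAINNAME.nl/administrator/
"""
```

A single "http-to-https upgrade" hop followed by "final" is the expected result of the .htaccess rule; a "loop" verdict on an https:// URL points at a layer behind the web server that does not see the request as HTTPS.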


jjst135

Thanks for your quick, extensive and clear reply Nicholas!
