Apache: Redirect everything from www to non-www using https only (including HSTS)


My goal

Everything results in https://mydomain.tld (non-www and with TLS) and HSTS works correct. I am using the certificates from LE (Let's Encrypt) and so I used their wizard to make my website HTTPS everywhere. But it doesn't seem to work correct.

My current problems

  1. Visiting http://mydomain.tld (non-www, non-tls). The result is
    the Apache-status-page, but I already have a website running with
    content. Reloading the page results in https://mydomain.tld with
    website-content. But it should do that from the first vist on and
    not only after reloading the page.
  2. Visiting http://www.mydomain.tld results in
    https://www.mydomain.tld which is okay from TLS-view, but it
    doesn't redirect to non-www, which is my goal.
  3. Visiting https://www.mydomain.tld resuslts in
    https://www.mydomain.tld. No redirection to non-www.
  4. No problem: Visiting https://mydomain.tld results in the same URL, which is what I want.


.mydomain.tld -> 111.222.333.444
*.mydomain.tld -> 111.222.333.444
www.mydomain.tld -> 111.222.333.444


<VirtualHost *:80>

ServerName mydomain.tld
ServerAlias www.mydomain.tld
ServerAdmin contact@mydomain.tld
DocumentRoot /var/www/mydomain.tld/public_html
Redirect permanent / https://mydomain.tld/

<Directory /var/www/mydomain.tld/public_html>
Options FollowSymLinks
AllowOverride all
Require all granted

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/%$1 [R,L]


<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName www.mydomain.tld
        ServerAlias mydomain.tld
        ServerAdmin contact@mydomain.tld
        DocumentRoot /var/www/mydomain.tld/public_html

        <Directory /var/www/mydomain.tld/public_html>
        Options FollowSymLinks
        AllowOverride all
        Require all granted

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

RewriteEngine on
SSLCertificateFile /etc/letsencrypt/live/mydomain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.tld/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf


As you can see above in the mydomain.tld-le-ssl.conf another file is included, which might doesn't make problems, but just for the records:


# Baseline setting to Include for SSL sites

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"


I have a .htaccess-file in my domain-root which makes the links look better:

  • without: https://mydomain.tld/index.php?page=news
  • with: https://mydomain.tld/news


RewriteEngine On

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^\w+$ index.php?page=$0 [L]
RewriteCond %{THE_REQUEST} index\.php
RewriteCond %{QUERY_STRING} ^page=(\w+)$
RewriteRule ^index\.php$ /%1? [R=301,L]

I would like to live without the .htaccess-file and add the stuff to the .conf-file(s) if possible, but everything I did, didn't work yet.

Best Answer

It's weird. Yesterday I created new certs and it still worked. Today:

  • Chrome (mobile): http://mydomain.tld redirects correct to https://mydomain.tld

  • Firefox (desktop): http://mydomain.tld doesn't redirect and results in Apache-page

  • Firefox (mobile) which never was on my website: Same as Firefox (desktop)

  • Safari (mobile) which never was on my website: Same as Firefox (desktop)

So, it seems there is still a problem. Would be great to get help to solve this finally.

Solution for this problem:

  • $ sudo a2dissite 000-default.conf
  • Remove the stuff below in mydomain.tld.conf:

RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{SERVER_NAME}/%$1 [R,L] RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

Just use: Redirect permanent / https://mydomain.tld

  • $sudo /etc/init.d/apache2 restart

Final files


<VirtualHost *:80>

ServerName mydomain.tld
ServerAlias www.mydomain.tld
ServerAdmin contact@mydomain.tld
DocumentRoot /var/www/mydomain.tld/public_html
Redirect permanent / https://mydomain.tld

<Directory /var/www/mydomain.tld/public_html>
Options FollowSymLinks
AllowOverride all
Require all granted

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined


LoadModule headers_module modules/mod_headers.so

<IfModule mod_ssl.c>
<VirtualHost *:443>
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomain$

ServerName mydomain.tld
ServerAlias www.mydomain.tld
ServerAdmin contact@nmydomain.tld
DocumentRoot /var/www/mydomain.tld/public_html

<Directory /var/www/mydomain.tld/public_html>
Options FollowSymLinks
AllowOverride all
Require all granted

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^\w+$ index.php?page=$0 [L]
RewriteCond %{THE_REQUEST} index\.php
RewriteCond %{QUERY_STRING} ^page=(\w+)$
RewriteRule ^index\.php$ /%1? [R=301,L]


ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
SSLCertificateFile /etc/letsencrypt/live/mydomain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.tld/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,R=301]
