Redirecting traffic between HTTP and HTTPS on Acquia Cloud

When you're attempting to use redirects for HTTP or HTTPS traffic, it's common to write rules into the .htaccess file. However, on Acquia Cloud the SSL certificate lives on the load balancer and Varnish sits in front of the web servers, so the web server never sees the visitor's original scheme in %{HTTPS}. As a result, the typical .htaccess snippets that a Google search turns up for redirecting HTTP to HTTPS (or HTTPS to HTTP) won't always work as expected.

All of the following code examples are intended to be placed in your .htaccess file after the line:

RewriteEngine On

Redirecting all HTTP traffic to HTTPS

The load balancer sets the X-Forwarded-Proto header to https when the visitor reached the site over HTTPS, and mod_rewrite exposes it as %{HTTP:X-Forwarded-Proto}. The following rule keys off that header and works on an Acquia-hosted website. As with any X-Forwarded-* check, the rule is only as trustworthy as the proxy that sets the header: it is meaningful for requests that arrive through the balancer, not for a client that can talk to the web server directly.

# Redirect HTTP to HTTPS
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Redirecting all HTTPS traffic to HTTP

In addition, if visitors to a customer's website are receiving insecure-content warnings because Google has indexed pages under the HTTPS protocol while no certificate is installed, traffic may need to be redirected from HTTPS to HTTP. Note that this removes transport encryption for those visitors, so treat it as a stopgap until a certificate is in place, and do not use it on a domain that has ever sent a Strict-Transport-Security header, because browsers will refuse the plain-HTTP hop.

The rule is basically the same as the preceding example, but without the %{HTTPS} condition. Because the certificate is installed on the load balancer rather than on the web server, %{HTTPS} is off even when the visitor connected over HTTPS, so the only reliable signal is the X-Forwarded-Proto header. Use the following rule set in this case:

# Redirect HTTPS to HTTP
RewriteCond %{HTTP:X-Forwarded-Proto} =https
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Redirecting from a bare domain to the www subdomain

On Acquia Cloud Professional, the bare domain cannot be served over HTTPS by your certificate unless you are using Route 53 or a similar DNS provider. The certificate for an Acquia Cloud Professional website is installed on an Elastic Load Balancer (ELB), which is addressed by hostname and therefore needs a CNAME record. A bare domain cannot carry a CNAME record; it must resolve through an A record to an IP address. Without Route 53, it is therefore not possible to terminate traffic for the bare domain on the ELB where your certificate is located.

Even if all requests for the bare domain are redirected to www, visitors to Acquia Cloud Professional websites who explicitly request the bare domain using the HTTPS protocol, like https://mysite.com, will always receive a security warning in their browser before being redirected to https://www.mysite.com. For a more detailed explanation of why this happens, refer to the "An example of how the requests work" section.

# Redirect http://domain.com to http://www.domain.com
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Redirecting all traffic to the www SSL domain

You can force all of your traffic to the www domain and onto SSL, even for visitors who did not request either initially. The first rule handles non-www hosts in a single hop (www and https together); the second catches requests that already use www but arrived over plain HTTP:

# ensure www.
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# ensure https
RewriteCond %{HTTP:X-Forwarded-Proto} !https 
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Redirecting all traffic to the bare SSL domain

Acquia Cloud Enterprise customers with dedicated load balancers or who have purchased a slot on the UCC certificate on our shared load balancers have the option of redirecting all traffic to the bare domain using the HTTPS protocol:

# Redirecting http://www.domain.com and https://www.domain.com to https://domain.com
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [L,R=301]

# Redirecting http://domain.com to https://domain.com
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Excluding Acquia domains and non-production environments

To exclude the default Acquia domains from your redirects, or specific environments (such as Dev and Stage), add one or more of the following conditions to the top of any group of rewrite rules. Apache does not allow a comment on the same line as a directive, so keep the explanatory comments on their own lines:

# only prod
RewriteCond %{ENV:AH_SITE_ENVIRONMENT} prod [NC]
# not prod
RewriteCond %{ENV:AH_SITE_ENVIRONMENT} !prod [NC]
# exclude Acquia domains
RewriteCond %{HTTP_HOST} !\.acquia-sites\.com [NC]

As an example, if you wanted to ensure that all the domains were redirected to https://www. except for Acquia domains, you would use something like this:

# ensure www. (skipping the default Acquia domains)
RewriteCond %{HTTP_HOST} !prod\.acquia-sites\.com [NC]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# ensure https
RewriteCond %{HTTP:X-Forwarded-Proto} !https 
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
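The rule sets above are easy to get subtly wrong (rule order, the %1 back-reference, the query string, a leftover HTTPS-to-HTTP rule that produces a loop), and you cannot see the outcome until the change is live. The following Python is an added example written for this page; it is not Acquia's code. It implements the small subset of mod_rewrite these rules use (RewriteCond with regex, "!" negation, "=" lexical comparison and the NC flag; RewriteRule with %{VAR}, %{HTTP:...}, %{ENV:...} and %N expansion; external R=301 redirects) and models the page's own assumptions: %{HTTPS} is off at the web server and the balancer records the visitor's scheme in X-Forwarded-Proto. WWW_HTTPS_RULES and BARE_HTTPS_RULES are copied from the "www SSL domain" and "bare SSL domain" sections; LOOP_RULES is a constructed mistake, and the host names and environment values are illustrative.

```python
"""Offline evaluator for the mod_rewrite subset used by this page's redirect rules.
Models the view from behind the Acquia balancers: TLS terminates upstream, so
%{HTTPS} is always "off" and the visitor's scheme survives only in X-Forwarded-Proto.
"""
import re
from urllib.parse import urlsplit

# The page's "ensure www + https" and "bare SSL domain" rule sets, copied verbatim.
WWW_HTTPS_RULES = r"""
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
"""
BARE_HTTPS_RULES = r"""
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
"""
# Constructed mistake: the page's HTTPS->HTTP rule left active below an HTTP->HTTPS rule.
LOOP_RULES = WWW_HTTPS_RULES + r"""
RewriteCond %{HTTP:X-Forwarded-Proto} =https
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
"""

def _directive(line):
    """Split 'Name arg1 arg2 [flags]' into (name, [args], {flags})."""
    m = re.search(r"\s*\[([^\]]*)\]\s*$", line)
    flags = {f.strip().upper() for f in m.group(1).split(",")} if m else set()
    name, *args = (line[: m.start()] if m else line).split()
    return name, args, flags

def _expand(text, req, backrefs):
    """One-pass expansion of %{VAR}, %{HTTP:Header}, %{ENV:name} and %N (last matched cond)."""
    def sub(m):
        if m.group(2):                                # %N back-reference
            return backrefs.get(int(m.group(2)), "")
        name = m.group(1)
        if name.startswith("HTTP:"):
            return req["headers"].get(name[5:].lower(), "")
        if name.startswith("ENV:"):
            return req["env"].get(name[4:], "")
        return {"HTTP_HOST": req["host"], "REQUEST_URI": req["path"], "HTTPS": req["https"]}.get(name, "")
    return re.sub(r"%\{([^}]+)\}|%(\d)", sub, text)

def evaluate(rules, req):
    """Return the redirect target the rules produce for req, or None if no rule fires."""
    conds = []
    for line in (raw.strip() for raw in rules.splitlines()):
        if not line.startswith(("RewriteCond", "RewriteRule")):   # comments, RewriteEngine
            continue
        name, args, flags = _directive(line)
        if name == "RewriteCond":
            conds.append((args[0], args[1], flags))
            continue
        pending, conds, backrefs, ok = conds, [], {}, True
        for test, cond, cflags in pending:            # conditions are ANDed
            value = _expand(test, req, backrefs)
            negate = cond.startswith("!")
            cond = cond.lstrip("!")
            if cond.startswith("="):                  # lexical equality, not a regex
                matched = value == cond[1:]
            else:
                m = re.search(cond, value, re.IGNORECASE if "NC" in cflags else 0)
                matched = m is not None
                if matched:
                    backrefs = {i + 1: g for i, g in enumerate(m.groups())}
            if matched == negate:
                ok = False
                break
        # The rule pattern is matched against the path without its leading slash.
        if not ok or re.search(args[0], req["path"].lstrip("/")) is None:
            continue
        if not any(f == "R" or f.startswith("R=") for f in flags):
            raise ValueError("only external redirects are modelled: " + line)
        target = _expand(args[1], req, backrefs)
        if req["query"] and "?" not in target:        # Apache re-appends the query string
            target += "?" + req["query"]
        return target
    return None

def balancer_request(url, env="prod", forwarded_proto=None):
    """The request as the web server sees it: %{HTTPS} off, scheme only in the header."""
    u = urlsplit(url)
    return {"host": u.hostname, "path": u.path or "/", "query": u.query, "https": "off",
            "headers": {"x-forwarded-proto": forwarded_proto or u.scheme},
            "env": {"AH_SITE_ENVIRONMENT": env}}

def follow(rules, url, env="prod", max_hops=5):
    """URLs a visitor passes through; a chain longer than max_hops means a redirect loop."""
    chain = [url]
    while len(chain) <= max_hops:
        target = evaluate(rules, balancer_request(chain[-1], env))
        if target is None:
            break
        chain.append(target)
    return chain
```

Running follow(WWW_HTTPS_RULES, "http://mysite.com/about?x=1") shows the single hop to https://www.mysite.com/about?x=1 with the query string preserved, and follow(LOOP_RULES, "http://mysite.com/") never settles. Passing forwarded_proto="https" to balancer_request for a plain-HTTP request shows that the rules believe whatever the header says, which is why they are only meaningful behind a balancer that sets it.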

An example of how the requests work

The preceding examples of how and when you would use a rewrite are complex; here's a breakdown of the scenarios, which may help you determine what your website really needs.

A security warning will occur on a bare domain only if the request specifically includes the https protocol, like https://mysite.com, and there's no SSL certificate on the load balancer that covers the bare domain. A request for http://mysite.com using the http protocol, however, will not produce a security warning because a secure connection to the bare domain has not been requested.

Domain           DNS record type   IP/Hostname
www.mysite.com   CNAME             dc-2459-906772057.us-east-1.elb.amazonaws.com
mysite.com       A                 123.45.67.89

For Acquia Cloud, www.mysite.com has a CNAME record that points to the hostname of the elastic load balancer (ELB), because that's where the SSL certificate is installed when it's uploaded using the self-service UI. But a bare (apex) domain like mysite.com can't have a CNAME record without something like Route 53, so it must point, through an A record, to the elastic IP address of the balancer pair behind the ELB.

If there's a redirect in the .htaccess file that takes all requests for the bare domain and redirects them to www, then, because of how the DNS records are set up, this is what happens when you request http://mysite.com:

  1. The request for http://mysite.com hits the load balancers behind the ELB.
  2. The .htaccess rule 301-redirects the request to https://www.mysite.com.
  3. A new request for https://www.mysite.com hits the ELB where the certificate lives, and everything is happy, secure, and green.

But, if a specific request is sent to https://mysite.com with the https protocol, here's what happens:

  1. A request for https://mysite.com hits the load balancers behind the ELB.
  2. Your browser displays a certificate warning, because the certificate presented there does not cover mysite.com.
  3. You examine the certificate and decide to move ahead.
  4. The .htaccess rule 301-redirects the request to https://www.mysite.com.
  5. A new request for https://www.mysite.com hits the ELB where the certificate lives, and everything is happy, secure, and green.

Acquia Cloud Professional with shared balancers

In the case of Acquia Cloud Professional with shared balancers, only a bare-domain DNS service such as Route 53 (alias records) or CloudFlare (CNAME flattening) will remove the security warning. Such a service lets the bare domain behave like a CNAME record, so you can point it at the hostname of the ELB where the certificate is installed.

Acquia Cloud Enterprise

In the case of Acquia Cloud Enterprise, however, you have one of three options for resolving this, depending on the balancer situation:

  • If you have shared balancers, you can purchase a slot on our shared Unified Communications Certificate (UCC) for mysite.com, so that requests that hit the balancer before being redirected to the ELB won't show the security warning.
  • If you have dedicated balancers, and if the existing certificate already covers at least both www.mysite.com and mysite.com, you can contact Acquia Support and request to have the certificate (which you've uploaded using the self-service UI) installed on to the dedicated balancers as well. If this is done, requests that hit the balancer before being redirected to the ELB also will not receive the security warning.
  • Use Route 53, CloudFlare, or another bare domain service.
