.htaccess - “Too many redirects” when trying to force https

Question

I am trying to force a subfolder (/bbb/) of my root domain to show always as https. Also my .htaccess file take care of the extensions of the pages.

I have

Answer 1

If you have a proxied server or if you're using shared hosting then sometimes you'll get a free SSL via CloudFlare. And if you are using a framework like CodeIgniter or Laravel then you always have a route file. So sometimes the answer I have given above might not work.

In that case when you try to redirect to https you might get unlimited loops. So to resolve that you could try below:

RewriteEngine On

# If we receive a forwarded http request from a proxy...
RewriteCond %{HTTP:X-Forwarded-Proto} =http [OR]

# ...or just a plain old http request directly from the client
RewriteCond %{HTTP:X-Forwarded-Proto} =""
RewriteCond %{HTTPS} !=on

# Redirect to https version
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Answer 2

Redirects in the .htaccess File

The .htaccess file is a configuration file used to modify Apache server behavior per directory on a website/server. This is a user-level configuration file, and only some Apache configurations can be edited here, though redirects are common use.

You can have multiple .htaccess files that cascade over a series of directories. If you have a .htaccess in a parent directory, and another in a sub-directory they will both affect the sub-directory. In these instances, it is important to remember where you do and do not have .htaccess files, to prevent conflicts between .htaccess files at different levels.

Below are a series of redirect examples and will aid in identifying redirects in your .htaccess file. These are not the only ways to do these kinds of redirects, but these should show you what the most common redirects look like so that you can recognize them if they are in a .htaccess file you are working with.

Force HTTPS The .htaccess code below first checks if the request came into the server using HTTP or HTTPS. If the request did not use HTTPS, then the configuration will tell the browser to redirect over to the HTTPS version of the same website and URL that was requested before.

RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Force HTTPS: When Behind a Load Balancer or Proxy (CloudFlare/Incapsula/Sucuri/etc.) Sometimes you may be using a proxy, like a load balancer or a web firewall, like CloudFlare, Incapsula, or Sucuri. These can be configured to use SSL on the front end, but not use SSL on the back end. To allow this to work correctly, you need to check not just for HTTPS in the request, but also if the proxy passed the original HTTPS request to the server using just HTTP. This following rule checks if the request was forwarded from HTTPS, and if so does not try to redirect an additional time.

RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteCond %{HTTP:X-Forwarded-Proto} =http
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Force non-www This redirect only checks if the website name was requested with www at the start of the domain name. If the www is included, it rewrites the request and tells the browser to redirect over to the non-www version of the domain name.

RewriteEngine On
 RewriteCond %{HTTP_HOST} ^www\. [NC]
 RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Force www This last redirect checks if the website name was not requested with www at the start of the domain name. If the www is not included, it rewrites the request and tells the browser to redirect over to the www version of the domain.

RewriteEngine On
 RewriteCond %{HTTP_HOST} !^www\. [NC]
 RewriteRule (.*) http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Answer 3

try this:

RewriteEngine On
RewriteCond %{ENV:HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Answer 4

Problem is in this rule:

#Force from http to https
RewriteCond %{SERVER_PORT} 80 
RewriteCond %{HTTP_HOST} !^bbb.example.co.uk/$
RewriteRule ^(.*)$ https://bbb.example.co.uk/$1 [R=301]

Change this rule to:

#Force from http to https
RewriteCond %{HTTPS} off 
RewriteCond %{HTTP_HOST} =bbb.example.co.uk
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301]

You have condition reversed due to use of ! at start and have an extra slash at end which will never be matched hence making your condition always return true.

Make sure to clear your browser cache before testing this.

Answer 5

RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Add X-Forwarded-Proto condition instead

Answer 6

Inspired by this answer, I had my domain secured behind Cloudflare's WAF. Within the Cloudflare dashboard for the domain, on the SSL/TSL tab I was using the Flexible SSL/TSL encryption setting, i.e. traffic was encrypted between browser and cloudflare, but not fully end-to-end with my server. Something in this setup was causing the too many redirects.

The solution, without any additional edits to my apache config or htaccess files was to change the setting to 'Full'. This encrypts end-to-end and resolved the redirect issues immediately.