When implementing SSL/TLS on Apache servers, proper redirection from HTTP to HTTPS while simultaneously handling www/non-www variants is crucial for both security and SEO. The common pitfalls include:
- Infinite redirect loops
- Mixed content warnings
- Canonicalization issues
- SSL certificate mismatches
For optimal performance, implement these rules in your Apache configuration file (httpd.conf or virtual host file) rather than .htaccess:
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
RewriteEngine On
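# Force HTTPS and remove www. This vhost only sees port 80 traffic, so
# https://www.example.com has to be redirected in the *:443 vhost.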
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301]
</VirtualHost>
For environments where server configuration isn't accessible:
RewriteEngine On
RewriteBase /
# Remove www and force HTTPS
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
# Force HTTPS for remaining requests
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
For complex deployments with multiple domains or subdomains:
RewriteEngine On
# Handle main domain
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$ [NC]
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301]
# Handle subdomains
RewriteCond %{HTTP_HOST} ^(www\.)?sub\.example\.com$ [NC]
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^ https://sub.example.com%{REQUEST_URI} [L,R=301]
- Always use 301 (permanent) redirects for SEO benefits
- Minimize the number of redirect rules
- Test with curl -v to verify no redirect chains
- Consider implementing HSTS header after HTTPS is confirmed working
Infinite redirect loop: Check certificate covers both www and non-www variants
Mixed content warnings: Ensure all assets use protocol-relative URLs (//example.com/image.jpg) or absolute HTTPS URLs
Partial redirection: Verify RewriteEngine is enabled and .htaccess is being read
Forcing HTTPS while removing www prefixes is a fundamental security practice. Here's the canonical solution that works in both .htaccess and virtual host configurations:
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301]
The ruleset combines three critical operations:
- Activates the rewrite engine (required)
- Checks for either non-HTTPS requests OR www-prefixed domains
- Performs a 301 permanent redirect to the canonical HTTPS version
For better performance, implement this at the server config level:
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301]
</VirtualHost>
For complex environments with multiple domains:
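RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
# Capture the host without www in its own condition: when the HTTPS test
# matches first, the www condition is skipped and a capture there leaves %1 empty.
# %1 comes from the client-supplied Host header.
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,R=301]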
Always test redirects with curl before deployment:
curl -I http://www.example.com
curl -I http://example.com
curl -I https://www.example.com
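An offline complement to the curl checks, added here as an example (not part of the original page): a small Python model of how mod_rewrite evaluates [OR]-chained RewriteCond lines and fills %1. It compares a multi-domain rule that captures the host inside the www condition with one that uses a dedicated capture condition. The model, its names and the example.com URLs are assumptions for illustration; it is not Apache code.

```python
import re
from urllib.parse import urlsplit

# Each condition: (variable, CondPattern, has [OR] flag). Names are this sketch's own.
CAPTURE_IN_WWW = [("HTTPS", r"off", True),
                  ("HTTP_HOST", r"^www\.(.*)$", False)]
DEDICATED_CAPTURE = [("HTTPS", r"off", True),
                     ("HTTP_HOST", r"^www\.", False),
                     ("HTTP_HOST", r"^(?:www\.)?(.+)$", False)]
TARGET = "https://%1%{REQUEST_URI}"

def location(conds, url):
    """Return the Location header a request for url would get, or None."""
    parts = urlsplit(url)
    env = {"HTTPS": "on" if parts.scheme == "https" else "off",
           "HTTP_HOST": parts.netloc, "REQUEST_URI": parts.path or "/"}
    last, i = None, 0
    while i < len(conds):
        var, pattern, or_next = conds[i]
        m = re.search(pattern, env[var], re.I)
        if m:
            last = m                  # %N reads the last condition that matched
            while or_next and i + 1 < len(conds):
                i += 1                # skip the rest of the [OR] chain
                or_next = conds[i][2]
        elif not or_next:
            return None               # an AND-ed condition failed: no redirect
        i += 1
    pct1 = last.group(1) if last and last.groups() else ""
    return TARGET.replace("%1", pct1).replace("%{REQUEST_URI}", env["REQUEST_URI"])

def hops(conds, url, limit=5):
    """Follow redirects until the rule stops firing; return every URL visited."""
    seen = [url]
    while len(seen) <= limit:
        nxt = location(conds, seen[-1])
        if nxt is None:
            break
        seen.append(nxt)
    return seen

if __name__ == "__main__":
    # Constructed sample requests covering scheme and www combinations.
    for u in ("http://example.com/a", "http://www.example.com/a",
              "https://www.example.com/a", "https://example.com/a"):
        print(u, "|", hops(CAPTURE_IN_WWW, u)[1:], "|", hops(DEDICATED_CAPTURE, u)[1:])
```

Every plain-HTTP request takes the [OR] shortcut, so with the capture inside the www condition the Location header has an empty host; the dedicated capture sends all three non-canonical variants to the canonical URL in one hop and leaves the canonical URL alone.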
Remember that 301 redirects are cached by browsers. For development environments, consider using 302 (temporary) redirects first:
RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=302]
- Missing RewriteEngine On directive
- Incorrect regex patterns (note the escaping of dots)
- Forgetting to clear browser cache during testing
- Not accounting for different port numbers in HTTPS detection
For simpler cases, you might use:
Redirect permanent / https://example.com/
However, this doesn't handle www removal and offers less flexibility than mod_rewrite.