Apache, SSL Certificates, and Domain Rewriting

Michael E. Kirkpatrick

This is one of those things I thought I’d figured out years ago — turns out I had another thing or two to learn.

The root of my quandary was this: I wanted every permutation of my domain mekstudios.com to redirect to https://mekstudios.com. My test cases (what I typed into a browser window) were as follows:

  • mekstudios.com
  • www.mekstudios.com
  • http://www.mekstudios.com
  • https://www.mekstudios.com
  • http://mekstudios.com

What I found was that some of my test cases weren’t redirecting appropriately. So, notes for future me on how to properly configure things.

Apache Virtual Hosts File

ServerAlias

My first mistake was not to include www.mekstudios.com as a ServerAlias. When properly configured, my VirtualHost file (/etc/apache2/sites-available/mekstudios.com.conf) should include the following:

<VirtualHost *:80>
    ServerName mekstudios.com
    ServerAlias www.mekstudios.com
</VirtualHost>

Be sure your VirtualHost file includes both the ServerName and the www version as the ServerAlias.

Rewriting

I use Certbot to create SSL certificates — sure beats the days of buying SSL certificates from various places online and configuring them.

You can have Certbot add “Redirect” code to your VirtualHost file, which I recommend. Then go back and check your mekstudios.com.conf file and make sure it looks like this. Remember, I want all traffic to redirect to the non-www version of the website.

RewriteEngine on
RewriteCond %{SERVER_NAME} =mekstudios.com [OR]
RewriteCond %{SERVER_NAME} =www.mekstudios.com
RewriteRule ^ https://mekstudios.com%{REQUEST_URI} [END,NE,R=permanent]

In the default rewrite block that Certbot inserts, the last line is RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]; that is the line I changed, so that the www host also lands on https://mekstudios.com rather than on https://www.mekstudios.com.

Certbot

As mentioned above, Certbot is a wonderful tool. If you’re like me and you neglected to add the correct ServerAlias, your certificate probably doesn’t cover www.mekstudios.com either; you can run this handy command (thank you, Certbot command documentation) to reissue it for both names and get yourself sorted out:

certbot certonly --cert-name mekstudios.com -d mekstudios.com,www.mekstudios.com

.htaccess File

The last thing to do from a configuration standpoint is to redirect everything in the .htaccess file. Something tells me I could be doing something smarter in the VirtualHost file — tell me if you know what that would be. But I know this works:

RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.mekstudios\.com [NC]
RewriteRule ^ https://mekstudios.com%{REQUEST_URI} [L,NE,R=301]
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

My hypothesis is that adding the last three lines to the VirtualHost file would do the trick, but I’m not going to mess with it any further this evening.
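To see how the three pieces above interact, here is an added example (not the author's configuration and not Apache itself): a small Python model of Apache's name-based VirtualHost selection plus the vhost RewriteRule and the .htaccess rules quoted in this post. It runs the five test cases through a "before" layout, in which www.mekstudios.com is missing from ServerAlias and from the certificate, and an "after" layout. The default vhost listed first (default.example) is an assumption, standing in for the 000-default.conf that a stock Debian/Ubuntu install enables.

```python
"""Offline model of the redirect behaviour this post describes (added example)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

DOMAIN = "mekstudios.com"
WWW = "www." + DOMAIN
TEST_CASES = [DOMAIN, WWW, "http://" + WWW, "https://" + WWW, "http://" + DOMAIN]


@dataclass(frozen=True)
class VHost:
    port: int
    server_name: str
    aliases: tuple = ()
    certbot_rewrite: bool = False  # the RewriteRule block Certbot puts in the :80 vhost
    htaccess: bool = False         # docroot carries the post's .htaccess rules
    cert_names: tuple = ()         # names on the certificate a :443 vhost presents


def select_vhost(vhosts, port, host):
    """Apache takes the first vhost on the port whose ServerName or ServerAlias
    matches the Host header; when nothing matches, the first vhost defined on
    that port is used, which is why a missing ServerAlias silently misroutes."""
    on_port = [v for v in vhosts if v.port == port]
    for v in on_port:
        if host == v.server_name or host in v.aliases:
            return v
    return on_port[0]


def one_hop(url, vhosts):
    """Handle one request; returns (status, location, note)."""
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path or "/"
    port = 443 if parts.scheme == "https" else 80
    v = select_vhost(vhosts, port, host)
    if port == 443 and host not in v.cert_names:
        return ("TLS_ERROR", None, f"certificate {v.cert_names} does not cover {host}")
    # Vhost-level rule from the post. SERVER_NAME follows the Host header here
    # because UseCanonicalName defaults to Off.
    if v.certbot_rewrite and host in (DOMAIN, WWW):
        return (301, f"https://{DOMAIN}{path}", "vhost RewriteRule")
    # .htaccess: RewriteCond %{HTTPS} off [OR] RewriteCond %{HTTP_HOST} ^www\.mekstudios\.com [NC]
    if v.htaccess and (port == 80 or host.lower().startswith(WWW)):
        return (301, f"https://{DOMAIN}{path}", ".htaccess RewriteRule")
    return (200, None, f"served by vhost {v.server_name}:{v.port}")


def resolve(typed, vhosts, max_hops=5):
    """Follow redirects like a browser; returns (final_url or None, hops)."""
    url = typed if "://" in typed else "http://" + typed  # bare host: browser tries http
    if not urlsplit(url).path:
        url += "/"
    hops = []
    for _ in range(max_hops):
        status, location, note = one_hop(url, vhosts)
        hops.append((url, status, note))
        if status == 200:
            return url, hops
        if status != 301:
            return None, hops  # TLS error: the browser never gets a redirect
        url = location
    return None, hops  # redirect loop


DEFAULT = VHost(80, "default.example")  # assumed 000-default vhost, defined first
BEFORE = [
    DEFAULT,
    VHost(80, DOMAIN, certbot_rewrite=True, htaccess=True),
    VHost(443, DOMAIN, htaccess=True, cert_names=(DOMAIN,)),
]
AFTER = [
    DEFAULT,
    VHost(80, DOMAIN, (WWW,), certbot_rewrite=True, htaccess=True),
    VHost(443, DOMAIN, (WWW,), htaccess=True, cert_names=(DOMAIN, WWW)),
]

if __name__ == "__main__":
    for label, layout in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for case in TEST_CASES:
            final, hops = resolve(case, layout)
            print(f"{case:30} -> {final or 'FAIL'}   via {[h[2] for h in hops]}")
```

In the "before" layout, plain http://www.mekstudios.com is answered by the default vhost and never redirected, and https://www.mekstudios.com fails at the TLS handshake because the certificate names only mekstudios.com; in the "after" layout all five cases end at https://mekstudios.com/.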

Check Your Work

Your work isn’t done until you’ve checked everything. So run through your test cases again:

  • mekstudios.com
  • www.mekstudios.com
  • http://www.mekstudios.com
  • https://www.mekstudios.com
  • http://mekstudios.com

Each should now point to https://mekstudios.com. If not, go check your work.

Lastly, run your domains through the Qualys SSL Labs checker:

https://www.ssllabs.com/ssltest/analyze.html?d=mekstudios.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.mekstudios.com

You should get an “A+” on mekstudios.com and an “A” on www.mekstudios.com. Something tells me the “A” for www.mekstudios.com is because I’m not doing Strict-Transport-Security for that subdomain. And the plan is to leave it as is for the moment.
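Running the test cases by hand in a browser hides the details of each hop. Here is an added example (my script, not the author's) that walks every test case one request at a time, the way a browser would, and judges the chain against the goal of this post: every hop a permanent redirect, the chain ending at https://mekstudios.com/ with a 200, and Strict-Transport-Security present. walk() and judge() take a fetcher and a chain respectively, so they can be exercised on constructed responses; the network fetcher, which uses only the standard library, runs when the script is executed directly.

```python
"""Redirect-chain checker for the post's test cases (added example)."""
import http.client
import ssl
from urllib.parse import urljoin, urlsplit

TARGET = "https://mekstudios.com/"
TEST_CASES = ["mekstudios.com", "www.mekstudios.com", "http://www.mekstudios.com",
              "https://www.mekstudios.com", "http://mekstudios.com"]
HSTS = "strict-transport-security"


def normalize(typed):
    """What a browser sends for what was typed: http:// for a bare host, '/' path."""
    url = typed if "://" in typed else "http://" + typed
    return url if urlsplit(url).path else url + "/"


def fetch(url, timeout=10):
    """One GET without following redirects: (status, headers with lowercase names)."""
    p = urlsplit(url)
    if p.scheme == "https":
        conn = http.client.HTTPSConnection(p.hostname, p.port or 443, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(p.hostname, p.port or 80, timeout=timeout)
    try:
        conn.request("GET", p.path or "/", headers={"Host": p.hostname})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def walk(typed, fetcher=fetch, max_hops=5):
    """Return [(url, status, headers), ...]; stops at a non-redirect or a loop."""
    chain, seen, url = [], set(), normalize(typed)
    while len(chain) < max_hops and url not in seen:
        seen.add(url)
        status, headers = fetcher(url)
        chain.append((url, status, headers))
        if status not in (301, 302, 307, 308) or "location" not in headers:
            break
        url = urljoin(url, headers["location"])
    return chain


def judge(chain, target=TARGET):
    """List the ways a chain falls short of the goal; [] means it passes."""
    problems = []
    *hops, (final_url, final_status, final_headers) = chain
    for url, status, headers in hops:
        if status not in (301, 308):
            problems.append(f"{url}: {status} is not a permanent redirect")
        # A scanner asked about www.mekstudios.com sees this redirect response,
        # so the redirect itself needs the header for that host to get credit.
        if url.startswith("https://") and HSTS not in headers:
            problems.append(f"{url}: redirect response has no Strict-Transport-Security")
    if (final_url, final_status) != (target, 200):
        problems.append(f"chain ends at {final_url} ({final_status}), wanted {target} (200)")
    elif HSTS not in final_headers:
        problems.append(f"{final_url}: no Strict-Transport-Security header")
    return problems


if __name__ == "__main__":
    for case in TEST_CASES:
        chain = walk(case)
        print(case, "->", " -> ".join(f"{u} [{s}]" for u, s, _ in chain))
        for line in judge(chain) or ["OK"]:
            print("   ", line)
```

One caveat the checker will surface on the https://www.mekstudios.com case: Apache's Header directive defaults to the onsuccess condition, and the mod_headers documentation notes that a locally generated non-2xx response such as a redirect only uses the "always" table. A plain "Header set Strict-Transport-Security ..." therefore reaches the final 200 from mekstudios.com but not the 301 that mod_rewrite emits for the www host; "Header always set Strict-Transport-Security ..." applies to both.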

Why?

Why did I write this, and why is it so informal? I was reminded recently that writing is good, and writing can be helpful. So why not write? And perhaps future posts will be less first-person and more instructional, but this is what I have for now.

Want to give me some input or have some feedback? Shoot me an email.

Note: Thanks to the author of this Website for Students page — it was helpful in troubleshooting my issue and realizing some of my errors and misconfigurations.