83

I'm trying to redirect https://www.example.com to http://www.example.com. I tried the following code in the .htaccess file:

    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
    RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

This code successfully redirects https://example.com to http://www.example.com. However when I type in https://www.example.com then it gives me a "web page not available" error in the browser.

I have also tried the following 2 codes without success

Attempt 1

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*):NOSSL$ http://www.example.com/$1 [R=301,L]

Attempt 2

    RewriteEngine On
    RewriteCond %{HTTPS} on
    RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}

Both above attempts failed. Any suggestions?

7 Answers

136

Attempt 2 was close to perfect. Just modify it slightly:

    RewriteEngine On
    RewriteCond %{HTTPS} on
    RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

UPDATE:

The above solution works from a technical point of view. BUT:

For a few years now, the user receives a huge warning indicating that the connection is not private. That is to be expected: none of today's browsers will silently switch from an encrypted to an unencrypted connection, for obvious reasons ... You cannot get around that behavior of standard browsers. That however has nothing to do with the redirection itself. It is how the web works today, how users are protected from criminal intent.


16 Comments

It would be good to use R=302 if you don't wish to make it permanent. This landed me in trouble when my SSL expired and I wanted to temporarily move back to http before I go through the painful renewal procedures.
Painful renewal? Should be either a flip of certificate files or a simple script execution... The issue with 302 is that clients have to follow it each time, so you raise the number of requests for client and server side.
@arkascha Just wanted to understand, the RewriteCond will act as an if statement, right? I mean only where it finds https it will run the next rewrite rule. I am asking since Google has automatically taken a couple of https URLs into its index without us linking them from anywhere. Hence to rule out any misconfig we are using the code above to 302 all https URLs.
You are basically correct. It certainly does make sense for you to take a look into the excellent documentation: httpd.apache.org/docs/current/mod/mod_rewrite.html
@arkascha, Yes, I read the comment. Can you update the same in the post? You can check the above comment. I also commented the same in 2020. So better for everyone, just update your answer. It will help everyone.
39

However, if your website does not have a security certificate, it's on a shared hosting environment, and you don't want to get the "warning" when your website is being requested through https, you can't redirect it using htaccess. The reason is that the warning message gets triggered before the request even goes through to the htaccess file, so you have to fix it on the server. Go to /etc/httpd/conf.d/ssl.conf and comment out the part about the virtual server 443. But the odds are that your hosting provider won't give you that much control. So you would have to either move to a different host or buy the SSL just so the warning does not trigger before your htaccess has a chance to redirect.

5 Comments

Thank you for this answer. As our existing site doesn't have an SSL certificate, that's why no matter how correct my .htaccess is, it will not work.
@arkascha I've tried the various methods shared here but none worked. Yes, I tested it on a shared environment. SSL is not active though a shared SSL is free. The https link in question was historic/inherited from a previously SSL-enabled environment. I don't mind the browser warning (in dev mode) but I needed the redirect at least to happen. Anyone able to offer any more leads?
Valid answer. I wanted to redirect IE9 from https to http, because of incompatible security protocols (TLS 1.0 is not maintained anymore). But whatever I did, it didn't work. Caused by the fact that the security protocol comes into effect before the .htaccess commands.
I found out that the new Microsoft Edge works even on a shared host site. Firefox and Chrome continue to give the warning but the new Edge sees the .htaccess information before redirecting to a warning. The new Edge browser with the Chromium engine is awesome!
Just for reference...I was looking for the solution because of the "false" https when the user types https on non-https site. The only way to redirect to http that worked for me was using JS.
12

You can use the following rule to redirect from https to http:

    RewriteEngine On
    RewriteCond %{HTTPS} ^on$
    RewriteRule ^(.*)$ http://example.com/$1 [NC,L,R]

Explanation:

RewriteCond %{HTTPS} ^on$ 

Checks if the HTTPS is on (Request is made using https)

Then

RewriteRule ^(.*)$ http://example.com/$1 [NC,L,R] 

Redirect any request (https://example.com/foo) to http://example.com/foo.

  • $1 is part of the regex in the RewriteRule pattern; it contains whatever value was captured in (.+), in this case it captures the full request_uri, everything after the domain name.

  • [NC,L,R] are the flags. NC makes the URI case sensitive, you can use both uppercase or lowercase letters in the request.

The L flag tells the server to stop processing other rules if the current rule has matched; it is important to use the L flag to avoid rule conflicts when you have more than one rule in a block.

R flag is used to make an external redirection.


10

    RewriteEngine On
    RewriteCond %{SERVER_PORT} 443
    RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]


3

The difference between http and https is that https requests are sent over an ssl-encrypted connection. The ssl-encrypted connection must be established between the browser and the server before the browser sends the http request.

Https requests are in fact http requests that are sent over an ssl encrypted connection. If the server refuses to establish an ssl encrypted connection then the browser will have no connection to send the request over. The browser and the server will have no way of talking to each other. The browser will not be able to send the url that it wants to access and the server will not be able to respond with a redirect to another url.

So this is not possible. If you want to respond to https links, then you need an ssl certificate.


0

Your code is correct. Just put them inside the <VirtualHost *:443>

Example:

    <VirtualHost *:443>
        # mod_ssl's directive for enabling TLS on this virtual host
        SSLEngine on
        RewriteEngine On
        RewriteCond %{HTTPS} on
        RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
    </VirtualHost>


0

    RewriteCond %{HTTP:X-Forwarded-Proto} =https

3 Comments

This helped me a lot.
This solution worked well in a specific server hosting (ergonet.it) when the others mentioned above caused the error "Too many redirects", thank you!
Checking against the X-Forwarded-Proto HTTP request header would be required if your application server is behind a front-end proxy that manages the secure connection.
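
Why the `%{HTTPS}` and `X-Forwarded-Proto` conditions behave differently behind a front-end proxy, as an added example that is not from any answer on this page: a toy Python model (not Apache) that follows the redirects each rule produces. The three topologies and the names `backend`, `fetch` and `trace` are assumptions made for illustration; a proxy that re-encrypts every hop to the backend is one setup, assumed here, in which the `%{HTTPS}` rule ends in "Too many redirects".

```python
# Added illustration: a toy model of the rewrite conditions, not Apache itself.
from urllib.parse import urlsplit

def backend(rule, conn_tls, headers, host, path):
    """Apply one rule; return the redirect target, or None if the page is served."""
    if rule == "HTTPS":      # RewriteCond %{HTTPS} on
        hit = conn_tls
    elif rule == "XFP":      # RewriteCond %{HTTP:X-Forwarded-Proto} =https
        hit = headers.get("X-Forwarded-Proto") == "https"
    else:
        raise ValueError(rule)
    return f"http://{host}{path}" if hit else None

def fetch(url, rule, topology):
    """One request as the backend sees it under an assumed topology."""
    u = urlsplit(url)
    if topology == "direct":               # browser speaks TLS to Apache itself
        return backend(rule, u.scheme == "https", {}, u.netloc, u.path)
    hdrs = {"X-Forwarded-Proto": u.scheme}  # set by the proxy from the client side
    if topology == "proxy_plain_backend":  # proxy terminates TLS, HTTP behind it
        return backend(rule, False, hdrs, u.netloc, u.path)
    if topology == "proxy_tls_backend":    # proxy re-encrypts every backend hop
        return backend(rule, True, hdrs, u.netloc, u.path)
    raise ValueError(topology)

def trace(url, rule, topology, limit=10):
    """Follow redirects like a browser; return (final_url, hops) or ("LOOP", limit)."""
    for hops in range(limit + 1):
        target = fetch(url, rule, topology)
        if target is None:
            return url, hops
        url = target
    return "LOOP", limit

if __name__ == "__main__":
    start = "https://www.example.com/page"   # constructed sample URL
    for topology in ("direct", "proxy_plain_backend", "proxy_tls_backend"):
        for rule in ("HTTPS", "XFP"):
            print(f"{topology:20} {rule:5} -> {trace(start, rule, topology)}")
```

In this model the `%{HTTPS}` rule redirects once on a direct TLS connection, never fires behind a TLS-terminating proxy, and loops when the backend hop is always TLS. The header rule redirects exactly once in both proxy cases and never fires when no proxy sets the header.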
