Redirecting unsecured requests (http) to https can be done in different ways. Here's a simple approach via the .htaccess file.
You need to add the following code to the .htaccess file:
# NEW CODE HERE #
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# END NEW CODE #
Your file should look like this:
...
# Various rewrite rules.
<IfModule mod_rewrite.c>
RewriteEngine on
# NEW CODE HERE #
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# END NEW CODE #
# Set "protossl" to "s" if we were accessed via https://. This is used later
# if you enable "www." stripping or enforcement, in order to ensure that
# you don't bounce between http and https.
RewriteRule ^ - [E=protossl]
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=protossl:s]
# Make sure Authorization HTTP header is available to PHP
# even when running as CGI or FastCGI.
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
...
Redirecting to a domain using the .htaccess file
To avoid double indexing, it's important to redirect all requests to either www.monsite.com or monsite.com.
For habeuk, we've opted to use habeuk.com.
##### NEW CODE HERE
# Redirect www to non-www
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^www\.monsite\.com [NC]
RewriteRule ^(.*)$ http://monsite.com/$1 [L,R=301]
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} ^www\.monsite\.com [NC]
RewriteRule ^(.*)$ https://monsite.com/$1 [L,R=301]
RewriteCond %{HTTP_HOST} ^www\.monsite\.com [NC,OR]
RewriteCond %{HTTP_HOST} ^monsite\.com [NC,OR]
RewriteCond %{HTTP_HOST} ^www\.monsite\.fr [NC]
RewriteRule ^(.*)$ https://monsite.fr/$1 [L,R=301]
- The [NC] flag: makes the match case-insensitive.
- The [L] flag: stops processing; the rules that follow are ignored.
How to make changes to .htaccess files persistent
The changes you made earlier will disappear when you run Composer.
...
Scaffolding files for drupal/core:
- Copy [web-root]/.htaccess from assets/scaffold/files/htaccess
...
There are 2 approaches to solving this problem:
- Disable .htaccess file updates by adding: "[web-root]/.htaccess": false
This approach is not recommended, as security updates will no longer be applied.
...
"extra": {
    "drupal-scaffold": {
        "locations": {
            "web-root": "web/"
        },
        "file-mapping": {
            "[web-root]/.htaccess": false
        }
    },
    ...
- Re-add the custom code after each run of composer install, composer update and composer require.
Create a file for the custom rules: nano web/htaccess_custom.conf
Add the following content:
# =============================================
# Custom rewrite rules for Drupal
# This file is included in .htaccess after "RewriteEngine on"
# =============================================

# ------------------------------------------------------------------------
# 1. HTTPS redirects + www removal (SEO-friendly)
# ------------------------------------------------------------------------
# Redirects ALL variants to https://monsite.fr
RewriteCond %{HTTP_HOST} ^(www\.)?monsite\.com$ [NC,OR]
RewriteCond %{HTTP_HOST} ^www\.monsite\.fr$ [NC]
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://monsite.fr/$1 [L,R=301]

# ------------------------------------------------------------------------
# 2. Protection against browsing of sensitive directories
# ------------------------------------------------------------------------
# Blocks access to hidden directories (e.g. .git, .env)
RewriteRule ^(\.git|\.env|node_modules|vendor)/ - [F,L,NC]

# =============================================
# END OF FILE
# =============================================
Explanation
- Checks whether the requested domain is monsite.com, with or without www.; because of [OR], the following condition is evaluated as an alternative
- Checks whether the domain is exactly www.monsite.fr
- Checks whether the connection is not HTTPS; because of [OR], the following condition is evaluated as an alternative
- Checks whether the site is behind a proxy (e.g. Cloudflare, AWS ELB) and the protocol used is not https
- Then redirects to the https://monsite.fr domain
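The grouping described in this explanation, (host condition 1 OR host condition 2) AND (HTTPS off OR forwarded protocol not https), can be checked against sample requests. The script below is an added example, not part of the original article; the function names and the request values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: models how mod_rewrite combines
# the four RewriteCond lines of htaccess_custom.conf. Requests are constructed.

# eval_chain RESULT[:OR]... -> returns 0 if the RewriteRule would fire. Each
# argument is one condition's outcome (1 or 0), with ":OR" when it carries [OR].
eval_chain() {
  skip=0
  for cond in "$@"; do
    result=${cond%%:*}
    case $cond in *:OR) or=1 ;; *) or=0 ;; esac
    if [ "$skip" -eq 1 ]; then
      # An earlier alternative of this [OR] group already matched.
      [ "$or" -eq 1 ] || skip=0
    elif [ "$result" -eq 1 ]; then
      skip=$or
    elif [ "$or" -eq 0 ]; then
      return 1   # last alternative of a group failed: rule does not fire
    fi
  done
  return 0
}

# host_matches REGEX HOST -> prints 1 or 0; grep -i mirrors the [NC] flag.
host_matches() {
  if printf '%s\n' "$2" | grep -Eiq -- "$1"; then echo 1; else echo 0; fi
}

# would_redirect HOST HTTPS XFP -> returns 0 if the page's rule sends a 301.
would_redirect() {
  c1=$(host_matches '^(www\.)?monsite\.com$' "$1")
  c2=$(host_matches '^www\.monsite\.fr$' "$1")
  case $2 in *off*) c3=1 ;; *) c3=0 ;; esac
  # "!https" is also true when the X-Forwarded-Proto header is absent.
  case $3 in *https*) c4=0 ;; *) c4=1 ;; esac
  eval_chain "$c1:OR" "$c2" "$c3:OR" "$c4"
}

while read -r host https xfp; do
  if would_redirect "$host" "$https" "$xfp"; then verdict='301 to https://monsite.fr/'
  else verdict='no redirect'; fi
  printf '%-16s HTTPS=%-3s XFP=%-5s %s\n' "$host" "$https" "${xfp:--}" "$verdict"
done <<'EOF'
www.monsite.com off
monsite.com on
www.monsite.fr off https
monsite.fr on
monsite.fr off
EOF
```

The last row is the one to watch: a plain-HTTP request to monsite.fr matches neither host condition, so this rule leaves it on HTTP unless the HTTPS rule from the first section is also placed in htaccess_custom.conf.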
Create a bash file: nano scripts/post-update-htaccess.sh
Add the following content:
#!/bin/bash

# Variables
HTACCESS_FILE="web/.htaccess"
CUSTOM_RULES_FILE="web/htaccess_custom.conf"
TEMP_FILE="web/.htaccess.tmp"

# Check that the files exist
if [ ! -f "$HTACCESS_FILE" ]; then
    echo "Erreur: $HTACCESS_FILE introuvable!" >&2
    exit 1
fi

if [ ! -f "$CUSTOM_RULES_FILE" ]; then
    echo "Erreur: $CUSTOM_RULES_FILE introuvable!" >&2
    exit 1
fi

# Remove the old rules if they exist (avoids duplicates)
sed '/# CUSTOM_RULES_START/,/# CUSTOM_RULES_END/d' "$HTACCESS_FILE" > "$TEMP_FILE"

# Insert the new rules after "RewriteEngine on"
awk '
/RewriteEngine on/ {
    print $0
    print "# CUSTOM_RULES_START"
    while ((getline line < "'"$CUSTOM_RULES_FILE"'") > 0) {
        print line
    }
    print "# CUSTOM_RULES_END"
    next
}
{ print }
' "$TEMP_FILE" > "$HTACCESS_FILE"

# Clean up the temporary file
rm -f "$TEMP_FILE"

echo "✓ Règles personnalisées injectées dans $HTACCESS_FILE"
Let's add execution rights:
chmod +x scripts/post-update-htaccess.sh
Let's modify the composer.json file:
...
"scripts": {
    "post-install-cmd": [
        "scripts/post-update-htaccess.sh"
    ],
    "post-update-cmd": [
        "scripts/post-update-htaccess.sh"
    ]
},
...
This approach is recommended as it allows you to benefit from security updates.
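If the hook ever fails to run, the freshly scaffolded .htaccess silently loses both the HTTPS redirect and the rule blocking .git and .env. The check below can run after Composer, for instance in a deploy step, to confirm the block is present once, directly after RewriteEngine on, and identical to the custom rules file. It is an added example, not part of the original article; the function names and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: fails when the injected block is
# missing, duplicated, misplaced or stale. The sample files are constructed.

# check_htaccess HTACCESS CUSTOM -> returns 0 if the block is intact, else 1.
check_htaccess() {
  htaccess=$1 custom=$2
  [ -f "$htaccess" ] && [ -f "$custom" ] || { echo "missing file" >&2; return 1; }
  starts=$(grep -c '^# CUSTOM_RULES_START$' "$htaccess" || true)
  ends=$(grep -c '^# CUSTOM_RULES_END$' "$htaccess" || true)
  if [ "$starts" -ne 1 ] || [ "$ends" -ne 1 ]; then
    echo "expected 1 START and 1 END marker, found $starts and $ends" >&2; return 1
  fi
  # The block must start on the line right after "RewriteEngine on".
  if ! awk '/^# CUSTOM_RULES_START$/ { exit (prev !~ /^[ \t]*RewriteEngine on[ \t]*$/) }
            { prev = $0 }' "$htaccess"; then
    echo "block is not directly after RewriteEngine on" >&2; return 1
  fi
  # The text between the markers must equal the current custom rules file.
  injected=$(sed -n '/^# CUSTOM_RULES_START$/,/^# CUSTOM_RULES_END$/p' "$htaccess" | sed '1d;$d')
  [ "$injected" = "$(cat "$custom")" ] || { echo "block differs from $custom" >&2; return 1; }
}

# make_samples DIR: writes a rules file and three .htaccess variants (constructed).
make_samples() {
  rule='RewriteRule ^(\.git|\.env|node_modules|vendor)/ - [F,L,NC]'
  printf '%s\n' "$rule" > "$1/custom.conf"
  printf '%s\n' '<IfModule mod_rewrite.c>' '  RewriteEngine on' \
    '# CUSTOM_RULES_START' "$rule" '# CUSTOM_RULES_END' '</IfModule>' > "$1/good"
  # What the scaffold leaves behind when the hook did not run.
  printf '%s\n' '<IfModule mod_rewrite.c>' '  RewriteEngine on' '</IfModule>' > "$1/fresh"
  # Block present, but custom.conf changed since the last injection.
  printf '%s\n' '  RewriteEngine on' '# CUSTOM_RULES_START' '# old rule' \
    '# CUSTOM_RULES_END' > "$1/stale"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
make_samples "$tmp"
for f in good fresh stale; do
  if check_htaccess "$tmp/$f" "$tmp/custom.conf" 2>/dev/null; then
    echo "$f: ok"
  else
    echo "$f: custom rules need re-injection"
  fi
done
```

In a real project the call would be check_htaccess web/.htaccess web/htaccess_custom.conf, with a non-zero exit status stopping the deployment.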