How to force www, SSL and trailing slash in SilverStripe 4?

Question

With the latest versions of SilverStripe they encourage you to use server side rules for URL re-writing and not Director::forceSSL(); and/or Director::forceWWW(); in your _config.php file as it is considered unreliable.

On an Apache server this would logically seem to suggest that it should be managed via an .htaccess file. Unfortunately the snippets shown below can fire a rewrite independently however chaining or combining in a single file seems to skip either the www or https case.

### SILVERSTRIPE START ###
### TRIMMED ROBOT/ERROR CODE ###

<IfModule mod_rewrite.c>

    # Turn off index.php handling requests to the homepage fixes issue in apache >=2.4
    <IfModule mod_dir.c>
        DirectoryIndex disabled
        DirectorySlash On
    </IfModule>

    SetEnv HTTP_MOD_REWRITE On
    RewriteEngine On
    RewriteBase '/'

    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]


    # Deny access to potentially sensitive files and folders
    RewriteRule ^vendor(/|$) - [F,L,NC]
    RewriteRule ^\.env - [F,L,NC]
    RewriteRule silverstripe-cache(/|$) - [F,L,NC]
    RewriteRule composer\.(json|lock) - [F,L,NC]
    RewriteRule (error|silverstripe|debug)\.log - [F,L,NC]


    # Process through SilverStripe if no file with the requested name exists.
    # Pass through the original path as a query parameter, and retain the existing parameters.
    # Try finding framework in the vendor folder first
    RewriteCond %{REQUEST_URI} ^(.*)$
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule .* index.php

</IfModule>
### SILVERSTRIPE END ###

<IfModule mod_rewrite.c>
    ### FORCE TRAILING SLASH ###
    ### Source - https://paulund.co.uk/using-htaccess-to-force-trailing-slash ###
    RewriteCond %{REQUEST_URI} /+[^\.]+$
    RewriteRule ^(.+[^/])$ %{REQUEST_URI}/ [R=301,L]

    ### FORCE WWW ###
    #### Modified from source https://paulund.co.uk/add-www-subdomain-to-all-urls-using-htaccess ###
    RewriteCond %{HTTP_HOST} !^$
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]

    ### FORCE SSL ###
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://www.example.com/$1 [R=301,L]

</IfModule>

Answer 1

We've had the same issue and added the following to the /.htaccess file (not /public/.htaccess)

RewriteEngine On

# Redirect to www 
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Redirect to https
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteRule ^(.*)$ public/$1

Adding the rules to the /public/.htaccess resulted in a redirection to https://www.your-domain.com/public which caused an 404 - Page not found error.

Answer 2

Our approach is to enforce www and https in the Apache virtual host file:

<VirtualHost *:80>
  ServerName www.myexampledomain.com
  Redirect permanent / https://www.myexampledomain.com/
</VirtualHost>
<VirtualHost *:443>
  ServerName myexampledomain.com
  Redirect permanent / https://www.myexampledomain.com/
</VirtualHost>
<VirtualHost *:443>
  ServerName www.myexampledomain.com
  DocumentRoot etc etc
</VirtualHost>

Then finally we use this module to enforce trailing slashes: https://github.com/axllent/silverstripe-trailing-slash . There is a chance of a double redirect with this approach.

Answer 3

You probably want to start with moving your rewrite rules above the SilverStripe ones - they can be last.

Secondly, the [L] flag on your rules means "Last" and will stop any further processing, you may want to try removing them.

Thirdly, from your code you could potentially see 2 redirects (3 requests in totla) for a URL here which (IMO) is a worse experience (thus SEO impact) than a single redirect that doesn't enforce the www and/or the trailing slash.

It looks to me like you could have the following set of redirects just to hit a page:

http://example.com/contact-us
http://example.com/contact-us/
https://www.example.com/contact-us/

The alternative is SS4 is to use a HTTPMiddleware that could enforce this for you in PHP. Whilst not recommended it could be a bit more "transportable"