Redirection from http to https - infinite loop

Question

I am working on a Java web app hosted on a Tomcat server. I have to set up redirects from www to non-www and from http to https. I want the following three URLs:

• http://example.com
• http://www.example.com
• https://www.example.com

to redirect to

• https://example.com

For this purpose, I am using UrlRewriteFilter version 4.0.3 by tuckey.org. Here is my urlrewrite.xml file:

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 4.0//EN" "http://www.tuckey.org/res/dtds/urlrewrite4.0.dtd"> 
<urlrewrite> 
  <rule> 
    <name>Redirect www to non-www and http to https</name> 
    <condition type="request-url" operator="equal">(^http://example.com|^http://www.example.com|^https://www.example.com)</condition> 
    <from>^(.*)$</from> 
    <to type="permanent-redirect" last="true">https://example.com$1</to> 
  </rule> 
</urlrewrite> 

The redirects work but the website does not load and the browser shows message:

This page isn’t working
example.com redirected you too many times.

I used a redirect checker and found out that after the initial redirect to https://example.com/, another redirect to https://example.com/ followed and then another one and so on – the URL redirects to itself. I don't understand what produces this infinite loop. Any help would be appreciated!

Update: I have no solution yet. If I remove the first URL from the condition element, the other two redirects work and things are OK but the question is how to set up the redirect from http://example.com.

I tried another approach – setting up the redirect to https in the web.xml file by pasting the following code:

<security-constraint> 
  <web-resource-collection> 
    <web-resource-name>all</web-resource-name> 
    <url-pattern>/*</url-pattern> 
  </web-resource-collection> 
  <user-data-constraint> 
    <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
  </user-data-constraint> 
</security-constraint> 

The result is the same – https://example.com redirects to itself in an infinite loop. The only difference in this case is that the redirects are with status code 302. Any ideas about what causes this problem and how to solve it?

Update: Here is the output of the curl command when using the UrlRewriteFilter:

---

Results from running: curl http://example.com

Response Header

HTTP/1.1 301 Moved Permanently   
Server: nginx admin   
Date: Fri, 04 May 2018 13:24:16 GMT   
Content-Type: text/plain   
Content-Length: 0   
Connection: keep-alive   
Location: https://example.com/   
X-Cache: HIT from Backend  

---

Results from running: curl https://example.com/

Response Header

HTTP/1.1 301 Moved Permanently   
Date: Fri, 04 May 2018 11:58:51 GMT   
Server: Apache-Coyote/1.1  
Location: https://example.com/   
Content-Length: 0   
Content-Type: text/plain

---

Answer 1

It seems, Response from https://example.com always has below headers:

Location: https.example.com
response Code: 301

It is browser's behavior to act on and redirect. You may need find a way to remove these headers. Hope this helps to some extent.

Answer 2

My knowledge of curl might be a bit outdated, but I thought you have to do curl -L url to follow redirects.

Also, are you sure the issue is not with your client?

Answer 3

I would simplify the rule like below

<rule>
   <name>Ensure HTTPS</name>
   <condition type="scheme" operator="notequal" next="or">https</condition>
   <condition name="host" operator="notequal">www.example.com</condition>
   <from>^/(.*)$</from>
   <to type="redirect">https://example.com/$1</to>
</rule>

Also make sure the certificate is valid for example.com as well as pointed out in below thread

UrlRewriteFilter: www and https redirect