I'm working to set up a website such that certain pages are properly hosted via HTTPS. This involves some redirects should users try to access a page via HTTP that requires HTTPS. To prevent users from being logged out when SSL is required (i.e., if they get redirected from www.example.com to example.com), I'm attempting to canonicalise the URL so that all accesses to the site refer to the domain without the 'www'. We need to do it without the 'www' because the security cert is for the bare domain. What's the best way to do this with Apache?
I'm considering mod_rewrite but this requires two sets of rules. One for HTTP and one for HTTPS. I am a mediocre mod_rewrite jockey and so would appreciate comments on this approach:
# for NON-https
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L,QSA]
# for https
RewriteCond %{HTTPS} =on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L,QSA]
Does that look OK? I seem to recall that simple insertion of https might not be fully secure and that there were more specific SSL parameters which might be necessary here.
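
One way to lay out the two rule sets, as an added example that is not part of the original post. It assumes the rules live in per-port virtual hosts, uses the question's example.com, and uses placeholder certificate paths. The redirect target is a fixed hostname instead of one copied out of the client-supplied Host header.

```apache
# Added example. example.com is the question's placeholder domain;
# the certificate paths below are placeholders.

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    RewriteEngine On
    # Plain HTTP: send www to the bare domain and keep the scheme.
    RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
    # REQUEST_URI already starts with "/", so no extra slash is added.
    # The original query string is carried over automatically because
    # the substitution has none of its own, so QSA is not needed.
    RewriteRule ^ http://example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com

    SSLEngine on
    # Placeholder paths for the bare-domain certificate and key.
    SSLCertificateFile    /path/to/example.com.crt
    SSLCertificateKeyFile /path/to/example.com.key

    RewriteEngine On
    # HTTPS: same canonicalisation, staying on https.
    # The TLS handshake completes before this rule runs, so a certificate
    # that covers only example.com still produces a browser warning for
    # https://www.example.com/ before the redirect is ever delivered.
    RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
    RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Running `apachectl configtest` after editing checks the syntax before a reload.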