Needless to say, every website actually has four different addresses at which it can be opened without any special effort. Two of those come from the presence or absence of “www” in the URL. The other two come from combining the address with the standard http or the secure https protocol.
If your hosting also provides a temporary address, make sure that you have set the Trusted Host Pattern in Drupal and allowed the primary domain only. This has to be done before a search engine starts to index the site on the temporary address.
To prevent the site from opening on various combinations of the URL, for example because of search engines and the way they assess duplicate content on multiple URLs, you probably edit the .htaccess file in Drupal.
Everyone has been doing it this way since the day Drupal was created. Among the many comments at the beginning of the file you can even find an example of how to redirect the www version to the non-www version, or the other way around.
For redirecting to the secure https protocol, however, you will not find any help in the default version of the file. I use the following lines. You just insert them at the beginning of the .htaccess file:
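RewriteEngine On
# Redirect only when the request did not arrive over https ...
RewriteCond %{HTTPS} !on
# ... and a reverse proxy in front of the site does not report https either
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
# 301 to the same host and path on https; NE keeps the URI from being re-escaped
RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA,NE]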
This solution is perfect: it redirects all http addresses to their https variants with a 301 redirect.
Ideally the hosting or the server takes care of this, so that you don’t have to deal with it in Drupal at all. For example Virtualmin, which I personally use for web administration, can do this merely by ticking one box.
.htaccess will often be overwritten in Drupal
A problem can occur when you have edited the .htaccess file with your own settings and the time comes to update Drupal.
- With standard hosting you should check whether the update changes .htaccess or not. If it does, you should add your edits to the new file. Otherwise just don’t overwrite it.
- For a site running via Composer, .htaccess will unfortunately always be overwritten by scaffolding with the current default version.
Most of my sites built with Drupal already run via Composer, and because I edit .htaccess quite often and those changes are larger than just adding some redirects, I use a patch that runs after the Composer update has finished and adds any necessary edits to the fresh file.
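The re-apply step described above can be made safe to run after every update. The script below is an added example, not the author's patch: it puts the redirect lines from this article back at the top of a freshly scaffolded .htaccess and does nothing if they are already there. The marker comments and the HTACCESS variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: re-insert the https redirect at the top of a freshly
# scaffolded .htaccess. The marker text is an assumption of this sketch.
BEGIN_MARK='# BEGIN custom-https-redirect'

# The four rewrite lines from the article, wrapped in marker comments so a
# later run can tell that the block is already in place.
redirect_block() {
    cat <<'EOF'
# BEGIN custom-https-redirect
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA,NE]
# END custom-https-redirect

EOF
}

# apply_redirect_block FILE
# Prints "added" or "unchanged"; returns non-zero if FILE cannot be updated.
apply_redirect_block() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # Idempotent: a second run after the same update must not duplicate rules.
    if grep -qxF "$BEGIN_MARK" "$file"; then
        echo unchanged
        return 0
    fi
    tmp=$(mktemp "${file}.XXXXXX") || return 2
    if redirect_block > "$tmp" && cat "$file" >> "$tmp"; then
        # Write back in place so the file keeps its owner and mode
        # (mktemp creates 0600, which the web server may not be able to read).
        cat "$tmp" > "$file" && rm -f "$tmp" && echo added
    else
        rm -f "$tmp"
        return 2
    fi
}

# Run only when a path is given, e.g. HTACCESS=web/.htaccess sh this-script.sh
if [ -n "${HTACCESS:-}" ]; then
    apply_redirect_block "$HTACCESS"
fi
```

Because the script checks for its own marker line, it can be run after every Composer update without stacking duplicate rewrite rules.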
Redirecting in Drupal even without editing .htaccess
Last autumn the module HTTPS and WWW Redirect appeared, and it may have been needlessly overlooked, because it can redirect to the required variant of a site without the need to edit any configuration file.
Of course, we can theoretically debate whether it is quicker to redirect with instructions for the webserver before Drupal is launched (which is, in fact, quicker) or to let the launched Drupal do the redirecting. But in a situation where the site runs on the standard installation and without Composer, it is a great hack.
- Install the module in the standard way via administration and then continue to the administration section Settings > System > HTTPS/www settings.
- The first option switches redirecting on. In the following section you can set the www version or the non-www version as the primary. Then you change the settings to forced https, save and you’re done.
During the next updates you won’t have to deal with the question of whether .htaccess was overwritten or not. At least not because of redirecting.