If I have SSL, should someone be able to get to the http version?

Hi, if we go to https://techgardensdotcom, we see the lock. A test of the SSL cert shows it's installed correctly. But I can still get to http://techgardensdotcom.

Am I missing something, maybe an entry in the htaccess file? Thanks.
mel200 Asked:
btan (Exec Consultant) Commented:
You need to enforce redirect.  
https://sg.godaddy.com/help/redirect-http-to-https-automatically-8828

Do consider following code in your .htaccess file.
It automatically redirects visitors to the HTTPS version of your site:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
2

Ronin Commented:
http - port 80 TCP
https - port 443 TCP

In order to prevent your users from connecting over http, which is recommended, btan's recommendation above should be performed.

On different web servers this is performed in a different manner.
In some cases, it can be performed on the perimeter device, depending on how smart it is.
1
mel200 (Author) Commented:
I'm going to upload my current htaccess file, maybe you can help me get it right? Thanks.
.htaccess.txt
0
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
Refer to btan's comment.

You posted your .htaccess file + normally SSL is forced in the Apache config file. Something similar to what btan provided.

Unless you do a 301 from http -> https, both protocols will work.

This will have a negative effect on SEO, as Google used to treat http + https as the same site. Now they're treated differently.

The effect is a duplicate content penalty for each page on a site, which means 100% of pages with a penalty... which then promotes to a site wide duplicate penalty.

Very bad.... if you're SEOing your site.
0
mel200 (Author) Commented:
Sorry, Btan said: Do consider following code in your .htaccess file.

I was asking for help in doing that, which is why I uploaded it.
0
btan (Exec Consultant) Commented:
If you have an existing .htaccess file:

Do not duplicate RewriteEngine On.
Make sure the lines beginning RewriteCond and RewriteRule immediately follow the already-existing RewriteEngine On.
0
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
There's no HTTP -> HTTPS redirection in your .htaccess file.

Here's a copy of the general code I use as a template for setting up client sites I host...

<VirtualHost *:80>
   ServerName  www.WEBSITE
   ServerAdmin support@WEBSITE
   RewriteEngine on
   RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
   RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [NC,L,R=301]
   Include logging.conf
</VirtualHost>

<VirtualHost *:80>
   ServerName  WEBSITE
   ServerAdmin support@WEBSITE
   RewriteEngine on
   RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [NC,L,R=301]
   Include logging.conf
</VirtualHost>

<IfModule mod_ssl.c>

   <VirtualHost *:443>

      ServerName  www.WEBSITE
      ServerAdmin support@WEBSITE

      RewriteEngine on
      RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
      RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [L,R=301]

      Include logging.conf

      SSLEngine on
      SSLUseStapling on

      SSLCertificateFile    /etc/letsencrypt/live/WEBSITE/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/WEBSITE/privkey.pem

      # Enable HTTP Strict Transport Security with a 2 year duration
      Header always set Strict-Transport-Security "max-age=63072000; preload"

   </VirtualHost>

   <VirtualHost *:443>

      ServerName  WEBSITE
      ServerAdmin support@WEBSITE

      DocumentRoot /sites/OWNER/WEBSITE/TYPE

      <Directory /sites/OWNER/WEBSITE/TYPE>
          Options +Indexes +FollowSymLinks
          AllowOverride All 
          Require all granted
      </Directory>

      Include logging.conf

      SSLEngine on
      SSLUseStapling on

      SSLCertificateFile    /etc/letsencrypt/live/WEBSITE/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/WEBSITE/privkey.pem

      # Enable HTTP Strict Transport Security with a 2 year duration
      Header always set Strict-Transport-Security "max-age=63072000; preload"

   </VirtualHost>

</IfModule>

1
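A way to check the result once a redirect like the ones in this thread is in place, as an added example that is not part of the original answers: it audits the status line and headers that `curl -sI` would show for each entry point. The host `example.test`, the sample responses and the function names are constructed for illustration; the includeSubDomains check reflects the browser preload list's submission requirements, not anything stated in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: (requested URL, status, headers) as `curl -sI` would report
# for a site using the template above. example.test is a placeholder host.
HSTS = "max-age=63072000; preload"
SAMPLE = [
    ("http://www.example.test/a?x=1", 301, {"Location": "https://example.test/a?x=1"}),
    ("http://example.test/a?x=1", 301, {"Location": "https://example.test/a?x=1"}),
    ("https://www.example.test/a?x=1", 301,
     {"Location": "https://example.test/a?x=1", "Strict-Transport-Security": HSTS}),
    ("https://example.test/a?x=1", 200, {"Strict-Transport-Security": HSTS}),
]

def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    out = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip('"')
    return out

def audit(responses, canonical_host):
    """Return a list of findings; an empty list means HTTPS is enforced."""
    findings = []
    for url, status, headers in responses:
        req = urlsplit(url)
        h = {k.lower(): v for k, v in headers.items()}
        loc = urlsplit(h.get("location", ""))
        if req.scheme == "http":
            # Plain HTTP must never serve content: permanent redirect to https.
            if status not in (301, 308):
                findings.append(f"{url}: served over http with status {status}")
            elif loc.scheme != "https" or loc.hostname not in (req.hostname, canonical_host):
                findings.append(f"{url}: redirects to {h.get('location')!r}")
            continue
        # Browsers honour HSTS only when it arrives over HTTPS.
        hsts = parse_hsts(h.get("strict-transport-security", ""))
        if not re.fullmatch(r"\d+", hsts.get("max-age", "")) or int(hsts["max-age"]) == 0:
            findings.append(f"{url}: no usable HSTS max-age")
        elif "preload" in hsts and "includesubdomains" not in hsts:
            findings.append(f"{url}: HSTS has preload without includeSubDomains")
    return findings
```

Against the constructed sample, the two plain-HTTP entry points pass, and both HTTPS responses are flagged because the header carries `preload` without `includeSubDomains`.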
mel200 (Author) Commented:
found this, and have rewritten the htaccess file: https://wpcolt.com/force-ssl-htaccess-stop-wordpress-modifying/

Thanks for your help, but I would say it was a bit more technical than I needed. I needed more basic help actually rewriting the htaccess file, because I don't understand the code. Anyway, done now.
0
Question has a verified solution.