
The bottom line is that the web browser throws the security warning before the request ever reaches the .htaccess rules: the certificate is checked during the TLS handshake, and the rewrite rules only run once an HTTP request has arrived. So don’t bother wasting time on this. I have done this twice now because I forgot that I went through this a year ago. Hence, writing a short blog post to save others time.
The best solution is to just secure the subdomain. You can do this by upgrading to a wildcard SSL certificate for the domain or by getting a cheap separate certificate for the subdomain. You can get free ones through OpenSSL software or “Let’s Encrypt” if your hosting offers those tools. You can also get a basic Comodo certificate for about $10/year on NameCheap.com.
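The warning appears whenever no name in the certificate covers the subdomain being requested. As an added example (not part of the original post), this Python check compares a hostname against a certificate's DNS names the way a browser does, including the one-label limit on wildcards. The function names and the two sample name lists are constructed for illustration, and `fetch_dns_names` needs network access, so it is not called here.

```python
import socket
import ssl


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (simplified RFC 6125 rules)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # A wildcard is accepted only as the whole leftmost label, never as "*.com".
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(hostname: str, dns_names: list[str]) -> bool:
    """True if any subjectAltName DNS entry covers the hostname."""
    return any(name_matches(name, hostname) for name in dns_names)


def fetch_dns_names(host: str, port: int = 443) -> list[str]:
    """Read the DNS names from a live server's certificate (needs network access)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared above
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample name lists (not taken from any real certificate).
SINGLE_CERT = ["example.com", "www.example.com"]
WILDCARD_CERT = ["example.com", "*.example.com"]

if __name__ == "__main__":
    for host in ("www.example.com", "mail.example.com", "a.mail.example.com"):
        print(host, cert_covers(host, SINGLE_CERT), cert_covers(host, WILDCARD_CERT))
```

A wildcard entry covers mail.example.com but not a.mail.example.com, and `*.example.com` on its own does not cover the bare example.com.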
Now if you are not getting the security warning and do want a true redirect with the main domain on HTTPS and the subdomain on HTTP (or switch the statements for the reverse), here is the code to add to .htaccess:
RewriteEngine On
### FORCE HTTPS ###
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^subdomain\.
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
### FORCE HTTP ###
#RewriteCond %{HTTPS} on
#RewriteCond %{HTTP_HOST} ^subdomain\.
#RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
### non-www to www ###
RewriteCond %{HTTP_HOST} !^www\.
RewriteCond %{HTTP_HOST} !^subdomain\.
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
In these rules, replace “subdomain” with your own subdomain, so if it was mail.example.com, the condition would look like ^mail\.




