document alternate redirect scheme
authorIan Kelling <iank@fsf.org>
Fri, 13 Jan 2023 22:50:25 +0000 (17:50 -0500)
committerIan Kelling <iank@fsf.org>
Fri, 13 Jan 2023 22:50:25 +0000 (17:50 -0500)
web-conf

index 3373e26bdb9458666538cffd1789d9d1c7d4dc5e..977c8cfb38166ec6099e56999502594eb159c50d 100755 (executable)
--- a/web-conf
+++ b/web-conf
@@ -243,6 +243,19 @@ EOF
 
     if (( port == 443 )); then
       echo "$0: creating $redir_file"
+
+      # note, alternatively:
+      cat >/dev/null <<'EOF'
+#https://webmasters.stackexchange.com/questions/124635/apache-redirect-http-to-https-without-preventing-http
+<If "%{req:Upgrade-Insecure-Requests} == '1'">
+Redirect permanent "/" "https://mydomain.ltd/"
+</If>
+# or, with generic rewrite, we use this on gnu.org
+RewriteEngine on
+RewriteCond %{HTTP:Upgrade-Insecure-Requests} "^1$"
+RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=307]
+EOF
+
       cat >$redir_file <<EOF
 <VirtualHost *:80>
 ServerName $h
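Review bot: The comment `# note, alternatively:` above the `cat >/dev/null <<'EOF'` block does not state the trade-off of the documented alternative: both snippets redirect only requests that carry `Upgrade-Insecure-Requests: 1`, so a client that omits the header keeps being served over cleartext HTTP. I would say so in the comment, e.g. `# alternative: redirect only clients that send Upgrade-Insecure-Requests; all others stay on plain http`, so nobody copies it expecting the same coverage as the port-80 vhost written to `$redir_file` (presumably an unconditional redirect; its body continues outside the hunk). Because the response then depends on a request header, the snippet should also carry `Header always append Vary Upgrade-Insecure-Requests` (mod_headers), otherwise a shared cache can hand the redirect, or the non-redirected page, to the wrong kind of client. The two variants also disagree on status: `Redirect permanent` is a 301 that browsers cache, while the rewrite form uses `R=307`; for a conditional redirect the temporary status is probably the safer one to document in both.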
@@ -271,7 +284,7 @@ EOF
 # manually, Certbot will be unable to automatically provide future security
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org
 
 SSLEngine on