From 26e797e8fd4117747ec1bf1246286fa6f6f402c6 Mon Sep 17 00:00:00 2001
From: Ian Kelling <iank@fsf.org>
Date: Fri, 13 Jan 2023 17:50:25 -0500
Subject: [PATCH] document alternate redirect scheme

---
 web-conf | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/web-conf b/web-conf
index 3373e26..977c8cf 100755
--- a/web-conf
+++ b/web-conf
@@ -243,6 +243,19 @@ EOF
 
     if (( port == 443 )); then
       echo "$0: creating $redir_file"
+
+      # note, alternatively:
+      cat >/dev/null <<'EOF'
+#https://webmasters.stackexchange.com/questions/124635/apache-redirect-http-to-https-without-preventing-http
+<If "%{req:Upgrade-Insecure-Requests} == '1'">
+Redirect permanent "/" "https://mydomain.ltd/"
+</If>
+# or, with generic rewrite, we use this on gnu.org
+RewriteEngine on
+RewriteCond %{HTTP:Upgrade-Insecure-Requests} "^1$"
+RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=307]
+EOF
+
       cat >$redir_file <<EOF
 <VirtualHost *:80>
 ServerName $h
@@ -271,7 +284,7 @@ EOF
 # manually, Certbot will be unable to automatically provide future security
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org
 
 SSLEngine on
 
-- 
2.30.2