Security headers, such as HSTS, are required to work with the first domain name over HTTPS. So the rewriting called “Force Redirect” combined with the early rewriting to HTTPS has to be built in differently.
Please redesign the order; I think many scenarios are catched this way:
step 1. rewrite from HTTP to HTTPS by GUI DirectAdmin (works before reaching .htaccess)
step 2a. reading security headers in .htaccess, if .htaccess is read
step 2b. reading security headers on webserver / httpd level
step 2c. applying security headers via public_html
step 3. redirect (301/302) by GUI DirectAdmin to add or omit www
such as from https://hostingtool.nl/index.php: <?php header(“Location: https://rdap.hostingtool.nl/modeling_domain/“); exit; ?>
Note1: This is a working Next Redirect in .htaccess after setting the HSTS header that is not generally known.
<If “%{HTTP_HOST} =~ /www.example.com/”>
# Redirect 302 / https://example.com/
</If>
<Else>
Redirect 302 / https://www.example.com/
</Else>
Note 2: Redirection in index.php can function to a folder ‘Common’ this way:
<?php
echo ‘<!DOCTYPE html> ……….’;
redirect(‘Common/’);
function redirect($url) {
if (!headers_sent()) {
header(‘Location: ‘.$url);
exit;
}
else {
echo ‘<script type=”text/javascript”>’;
echo ‘window.location.href=”‘.$url.'”;’;
echo ‘</script>’;
echo ‘<noscript>’;
echo ‘<meta http-equiv=”refresh” content=”0;url=’.$url.'” />’;
echo ‘</noscript>’; exit;
}
}
?>