Solve DirectAdmin issues

  1. Since version 1.57.0: The ‘Force Redirect’ to add or omit www, needs a change to work until after security headers.
    The old choice can be correctly included in this way:
    – None (default) / Plus www / No www;
    – Early rewrite (old) / Late 301 redirect / Late 302 redirect;
    For the long-standing redirects functionality placed at the bottom of .htaccess, consider putting them after httpd.
    Workaround: Force Redirect ‘none’. In the redirects functionality www. redirects to with no www.
    Current explanation by DirectAdmin:
    https://www.directadmin.com/features.php?id=2365
    (https://www.directadmin.com/features.php?id=2234)
  2. The creation key type EC384 for Let’s Encrypt created manually, gets automatically renewed after 60-90 days with outdated RSA4096. Outdated Apache web server settings become active. Renewing manually works correctly (scenario no wildcard):
    Note 1: A 100% score at internet.nl requires manual renewal after automatic renewal:
    Note 2: Field label ‘Key Size (bits)’ could be better ‘Key Type’;
    Note 3. In my DirectAdmin configuration missed ‘pointers_own_virtualhost=1’. This could solve my automatic renewal problem.

Defect reproduction text issue no. 1:

http://www.webhostingtech.nl rewrites to https://webhostingtech.nl.

Security headers, such as HSTS, are required to work with the first domain name over HTTPS. So the rewriting called “Force Redirect” combined with the early rewriting to HTTPS has to be built in differently.

100%: https://en.internet.nl/site/webhostingtech.nl/973637/
97%: https://en.internet.nl/site/www.webhostingtech.nl/973636/

Please redesign the order; I think many scenarios are catched this way:
step 1. rewrite from HTTP to HTTPS by GUI DirectAdmin (works before reaching .htaccess)
step 2a. reading security headers in .htaccess, if .htaccess is read
step 2b. reading security headers on webserver / httpd level
step 2c. applying security headers via public_html
step 3. redirect (301/302) by GUI DirectAdmin to add or omit www
such as from https://hostingtool.nl/index.php: <?php header(“Location: https://whois.hostingtool.nl/”); exit; ?>

Notes:
– Own code is unnecessary if GUI DirectAdmin guarantees to do the same;
– Internet.nl: ‘Note that we consider HTTPS as a requirement for these security options.’.
Can be textual: ‘Security headers are required to work with the first domain name over HTTPS.’;
– Redirection in index.php can function to a folder ‘Common’ as follows:

<?php
echo ‘<!DOCTYPE html> ……….’;
redirect(‘Common/’);

function redirect($url) {
if (!headers_sent()) {
header(‘Location: ‘.$url);
exit;
}
else {
echo ‘<script type=”text/javascript”>’;
echo ‘window.location.href=”‘.$url.'”;’;
echo ‘</script>’;
echo ‘<noscript>’;
echo ‘<meta http-equiv=”refresh” content=”0;url=’.$url.'” />’;
echo ‘</noscript>’; exit;
}
}
?>