Apache rewrite config - double-encoding query strings

[jesusbagpuss]

Having deployed the suggested configuration from: https://ssl-config.mozilla.org/#server=apache&version=2.4.6&config=intermediate&openssl=1.0.2k-fips&ocsp=false&guideline=5.6 to a server, I experience double-encoded query-string issue.

<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

This results in a URL such as:
http://example.com/cgi/home?screen=EPrint%3A%3AView&id=1234
being rewritten as:
https://example.com/cgi/home?screen=EPrint%253A%253AView&id=1234

Using the 'NE (No Escape)' flag on the rewrite rule resolves this issue for my set-up at least:
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,NE,L]

It may not be as simple as this though - there have been changes in the way Apache/mod_rewrite handled the rewrites over time, and the 'NE' flag might break other aspects of the URL in older Apache versions (<2.4.1?):

• https://stackoverflow.com/questions/6520484/mod-rewrite-urlencoding-an-already-urlencoded-query-string-parameter-any-way-t
• http://serverfault.com/questions/331899/apache-mod-rewrite-double-encodes-query-string-on-redirect
• https://bz.apache.org/bugzilla/show_bug.cgi?id=34602
• https://bz.apache.org/bugzilla/show_bug.cgi?id=50447