Apache: Redirect HTTP to HTTPS

Scenario:

Although installing an SSL certificate on a website makes it possible to access the site over https://, that protocol is not used by default. To make sure the website is accessed over https:// by default, you need to set up an automatic redirect that forces people coming to your site to use HTTPS, either for the entire site or for a small sub-section of it.

If you are a website owner or system administrator, chances are that you’re dealing with Apache on a regular basis. One of the most common tasks you’ll likely perform is redirecting the HTTP traffic to the secured (HTTPS) version of your website.

There are many advantages of using HTTPS over HTTP, such as:

  • All the data is encrypted in both directions. As a result, sensitive information cannot be read if intercepted.
  • Google Chrome and all other popular browsers will mark your website as safe.
  • HTTPS allows you to use the HTTP/2 protocol, which significantly improves the site performance.
  • Google favors HTTPS websites. Your site will rank better if served via HTTPS.

This guide covers how to redirect the HTTP traffic to HTTPS in Apache.

Solution: Rewrite

Apache’s mod_rewrite makes it easy to require SSL to be used on your site and to gently redirect users who forget to add the https when typing the URL. Using Apache to redirect http to https will make sure that your site (or a part of it) will only be accessed by your customers using SSL. This is better than using SSLRequireSSL because users often forget to type in the https and will be automatically redirected.

Before you can set up an Apache redirect from http to https, you will need to do the following:

Now you just need to edit your httpd.conf file or the file where your virtual host is specified and add these lines to redirect http to https:

Entire site (.htaccess):

Note: While the rules you need are the same as above (because the rule above doesn’t depend on any of the quirks of rewrite in .htaccess), you will need to place this in a .htaccess file in the root of the site you want to apply it to, and make sure you have the appropriate AllowOverride configuration in your httpd.conf.

.htaccess is a configuration file on a per-directory basis for the Apache webserver. This file can be used to define how Apache serves files from the directory where the file is placed and to enable/disable additional features.

Usually, the .htaccess file is placed in the domain root directory, but you can have other .htaccess files in the subdirectories.

This method requires the mod_rewrite module to be loaded on the Apache server. This module is loaded by default on most servers. If possible, prefer creating a redirection in the virtual host because it is simpler and safer.

To redirect all HTTP traffic to HTTPS, open the root .htaccess file, and add the following code to it:

RewriteEngine On
# This will enable the Rewrite capabilities
RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e. http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context

Specific Directory

Either put the above solution in a .htaccess file in the directory to be affected, or put the URI prefix in the regex itself.

RewriteEngine On
# This will enable the Rewrite capabilities
RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS
RewriteRule ^/?secure/(.*) https://%{SERVER_NAME}/secure/$1 [R,L]
# This rule will redirect all users who are using any part of /secure/ to the same location but using HTTPS.
# i.e. http://www.example.com/secure/ to https://www.example.com/secure/
# This means if you don't want to force HTTPS for all directories you can force it for a specific sub-section of the site.

Solution: Virtual Host

Enabling the redirect in the Virtual Host file is safer and simpler than the other options presented in this guide, and the configuration is similar on all systems. It involves adding a specific piece of code to the Virtual Host file. If an SSL certificate is installed, Apache usually has two Virtual Host files (or two sections in one virtual host configuration): one for the non-secure port 80 and one for the secure port 443. To redirect HTTP to HTTPS for all the pages of your website, open the appropriate virtual host file and add the configuration below.

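# NameVirtualHost is only needed on Apache 2.2; it is deprecated and has no effect on 2.4
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www.yourdomain.com
# Redirect appends whatever follows the matched prefix to the target, so the
# target needs its trailing slash (otherwise /foo becomes https://www.yourdomain.comfoo).
# Without a status argument the redirect is a temporary 302.
Redirect / https://www.yourdomain.com/
</VirtualHost>

<VirtualHost _default_:443>
ServerName www.yourdomain.com
DocumentRoot /usr/local/apache2/htdocs
SSLEngine On
# etc...
</VirtualHost>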

Save and close the file, then restart the HTTP server:

sudo systemctl restart apache2
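After the restart, the redirect can be verified by requesting a few http:// URLs and inspecting the status code and Location header of each response. The following checker is an added example, not part of the original article; the function name `check_redirect` and the sample responses are constructed for illustration, including the kind of Location a Redirect target written without its trailing slash produces.

```python
from urllib.parse import urlsplit

def check_redirect(request_url, status, location, allowed_hosts=None):
    """Return a list of findings for one response to a plain-HTTP request."""
    req = urlsplit(request_url)
    # By default the redirect must stay on the host that was requested.
    hosts = allowed_hosts or {req.hostname}
    if status not in (301, 302, 303, 307, 308):
        return [f"no redirect: status {status} answered over plain HTTP"]
    if not location:
        return ["redirect status without a Location header"]
    loc = urlsplit(location)
    findings = []
    if loc.scheme != "https":
        findings.append(f"Location scheme is {loc.scheme or 'missing'}, not https")
    if loc.hostname not in hosts:
        findings.append(f"unexpected redirect host {loc.hostname}")
    if (loc.path or "/", loc.query) != (req.path or "/", req.query):
        findings.append("path or query string not preserved")
    if status not in (301, 308):
        # [R] without a code and Redirect without a status both send 302.
        findings.append(f"status {status} is temporary; browsers will not cache it")
    return findings

# Constructed sample responses: (requested URL, status, Location header).
SAMPLES = [
    ("http://www.example.com/foo/", 301, "https://www.example.com/foo/"),
    ("http://www.example.com/foo/", 302, "https://www.example.com/foo/"),
    ("http://www.yourdomain.com/foo/bar", 302, "https://www.yourdomain.comfoo/bar"),
    ("http://www.example.com/secure/", 200, None),
]

def run_checks(samples=SAMPLES):
    """Map each requested URL and status to its list of findings."""
    return {(url, status): check_redirect(url, status, loc)
            for url, status, loc in samples}

if __name__ == "__main__":
    for (url, status), findings in run_checks().items():
        print(url, status, "OK" if not findings else findings)
```
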

Hau NGUYEN (Leo)
