Nazmul
Middleware and Databases Expert

How to force Apache to use HTTPS

Hi guys! In this tutorial, we will show how to force Apache to redirect HTTP traffic to HTTPS.

If you are a website owner or system administrator, chances are that you’re dealing with Apache on a regular basis. One of the most common tasks you’ll likely perform is redirecting the HTTP traffic to the secured (HTTPS) version of your website.

Unlike HTTP, where requests and responses are sent and returned in plaintext, HTTPS uses TLS/SSL to encrypt the communication between the client and the server.

We will see this in two different ways:

i. Using Virtual Host.

ii. Using .htaccess

Let’s begin

Using Virtual Host

In the virtual host directive, you can specify the site document root (the directory which contains the website files), create a separate security policy for each site, use different SSL certificates, configure redirection, and much more.

When an SSL certificate is installed on a domain, you will have two virtual host directives for that domain. The first one for the HTTP version of the site on port 80, and the other for the HTTPS version on port 443.

On Red Hat-based distros such as CentOS and Fedora, virtual host files are stored in the /etc/httpd/conf.d directory, while on Debian and its derivatives such as Ubuntu they are stored in the /etc/apache2/sites-available directory.

To redirect a website to HTTPS, use the Redirect directive, as shown here for the example domain unixcop.com:

<VirtualHost *:80>
  ServerName unixcop.com
  ServerAlias www.unixcop.com

  # Send every HTTP request to the HTTPS site
  Redirect permanent / https://unixcop.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName unixcop.com
  ServerAlias www.unixcop.com

  Protocols h2 http/1.1

  # SSL configuration (SSLEngine, certificate directives) goes here
</VirtualHost>

Explanation

Here is what the configuration above does:

  • VirtualHost *:80 – The Apache server listens for incoming connections on port 80 (HTTP) for the specified domain.
  • VirtualHost *:443 – The Apache server listens for incoming connections on port 443 (HTTPS) for the specified domain.

The ServerName and ServerAlias directives specify the virtual host’s domain names. Make sure you replace them with your own domain name (in our case, unixcop.com).

The line Redirect permanent / https://unixcop.com/ inside the HTTP virtual host redirects the traffic to the HTTPS version of the site.

Typically you also want to redirect the HTTPS www version of the site to the non-www or vice versa. Here is an example configuration:

<VirtualHost *:80> 
  ServerName unixcop.com
  ServerAlias www.unixcop.com

  Redirect permanent / https://unixcop.com/
</VirtualHost>

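<VirtualHost *:443>
  ServerName unixcop.com
  ServerAlias www.unixcop.com

  Protocols h2 http/1.1

  # Redirect the HTTPS www host to the non-www host
  <If "%{HTTP_HOST} == 'www.unixcop.com'">
    Redirect permanent / https://unixcop.com/
  </If>

  # SSL configuration (SSLEngine, certificate directives) goes here
</VirtualHost>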

The code above checks whether the Host header of the request is www.unixcop.com and, if so, redirects to the non-www version.

Whenever you make changes to the configuration files, you need to restart or reload the Apache service for the changes to take effect.

Using .htaccess

.htaccess is a per-directory configuration file for the Apache web server. It can be used to define how Apache serves files from the directory where the file is placed and to enable or disable additional features.

Usually, the .htaccess file is placed in the domain root directory, but you can have other .htaccess files in the subdirectories.

This method requires the mod_rewrite module to be loaded on the Apache server. This module is loaded by default on most servers. If possible, prefer creating a redirection in the virtual host because it is simpler and safer.

To redirect all HTTP traffic to HTTPS, open the root .htaccess file and add the following code to it:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://unixcop.com/$1 [L,R=301]

Explanation

  • RewriteEngine On – enables the Rewrite capabilities.
  • RewriteCond %{HTTPS} off – checks whether the connection is plain HTTP; if the condition is met, the next line is executed.
  • RewriteRule ^(.*)$ https://unixcop.com/$1 [L,R=301] – redirects HTTP to HTTPS with status code 301 (Moved Permanently).

The example below has an additional condition that checks whether the requested host name begins with www. Use it to force all visitors to the HTTPS non-www version of the site:

RewriteEngine On
# Redirect when the request is plain HTTP or the host is the www name
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.unixcop\.com [NC]
RewriteRule ^(.*)$ https://unixcop.com/$1 [L,R=301]

When editing the .htaccess file, you do not need to restart the server because Apache reads the file on each request.

You now know how to force Apache to use HTTPS.
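
To confirm that either method behaves as intended, the following Python script (an added example, not part of the original tutorial) audits the redirect each entry point returns: status 301, https scheme, the canonical host unixcop.com, and an unchanged path. The function names, the test path /docs/page.html and the constructed sample_fetcher responses are assumptions made for the illustration.

```python
import http.client
from urllib.parse import urlsplit

CANONICAL = "unixcop.com"  # canonical host used in the article's examples
# Entry points that the article's rules must send to https://unixcop.com/
CASES = [("http", "unixcop.com"), ("http", "www.unixcop.com"),
         ("https", "www.unixcop.com")]

def audit_redirect(status, location, path, canonical=CANONICAL):
    """Return the problems found in one redirect response (empty list = OK)."""
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301")
    if not location:
        return problems + ["no Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"scheme {target.scheme!r}, expected 'https'")
    if (target.hostname or "").lower() != canonical:
        problems.append(f"host {target.hostname!r}, expected {canonical!r}")
    if target.path != path:
        problems.append(f"path {target.path!r}, expected {path!r}")
    return problems

def fetch(scheme, host, path, timeout=5):
    """Live probe: one GET, redirects not followed. Returns (status, Location)."""
    cls = (http.client.HTTPSConnection if scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(host, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit_site(path="/docs/page.html", fetcher=fetch):
    """Audit every entry point; returns {url: [problems]}."""
    return {f"{s}://{h}{path}": audit_redirect(*fetcher(s, h, path), path)
            for s, h in CASES}

# Constructed responses standing in for a server (not captured traffic): the
# HTTPS www host answers 200, as it would with the first virtual host example.
def sample_fetcher(scheme, host, path):
    if scheme == "https":
        return 200, None
    return 301, f"https://unixcop.com{path}"

if __name__ == "__main__":
    for url, problems in audit_site(fetcher=sample_fetcher).items():
        print(url, "OK" if not problems else problems)
```

Calling audit_site() without the fetcher argument probes the live host names instead of the constructed responses.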

Apache Documentation
