HTTP (Hyper Text Transfer Protocol) is a popular as well as the fundamental protocol for data communication on the World Wide Web (WWW); typically between a web browser and the server which stores web files. Whereas HTTPS is the secure version of HTTP, where the ‘S‘ at the end stands for ‘Secure‘.
Using HTTPS, all data between your browser and the web server are encrypted thus secure. This tutorial will show you how to redirect HTTP to HTTPS on Apache HTTP server in Linux.
Before you can set up an Apache HTTP to HTTPS redirect for your domain, make sure you have SSL certificate installed and mod_rewrite is enabled in Apache. For more information on how to setup SSL on Apache, see following guides.
- How to Create Self-Signed SSL Certificates and Keys for Apache
- How to Install Let’s Encrypt SSL Certificate on CentOS/RHEL 7
- How to Install Let’s Encrypt SSL Certificate on Debian/Ubuntu
Redirect HTTP to HTTPS on Apache Using .htaccess File
For this method, make sure mod_rewrite is enabled, otherwise enable it like this on Ubuntu/Debian systems.
$ sudo a2enmod rewrite [Ubuntu/Debian]
For CentOS/RHEL users, ensure that your have the following line in httpd.conf (mod_rewrite support – enabled by default).
LoadModule rewrite_module modules/mod_rewrite.so
Now you just need to edit or create .htaccess file in your domain root directory and add these lines to redirect http to https.
RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
Now, when a visitor types http://www.yourdomain.com
the server will automatically redirect HTTP to HTTPS https://www.yourdomain.com
.
Redirect HTTP to HTTPS on Apache Virtual Host
Additionally, to force all web traffic to use HTTPS, you can also configure your virtual host file. Normally, there are two important sections of a virtual host configurations if an SSL certificate is enabled; the first contains configurations for the non-secure port 80.
The second is for the secure port 443. To redirect HTTP to HTTPS for all the pages of your website, first open the appropriate virtual host file. Then modify it by adding the configuration below.
NameVirtualHost *:80 <VirtualHost *:80> ServerName www.yourdomain.com Redirect / https://www.yourdomain.com </VirtualHost> <VirtualHost _default_:443> ServerName www.yourdomain.com DocumentRoot /usr/local/apache2/htdocs SSLEngine On # etc... </VirtualHost>
Save and close the file, then restart the HTTP sever like this.
$ sudo systemctl restart apache2 [Ubuntu/Debian] $ sudo systemctl restart httpd [RHEL/CentOS]
While the <VirtualHost>
is the most recommended solution because it is simpler and safer.
You may like to read these useful assortment of Apache HTTP server security hardening articles:
- 25 Useful Apache ‘.htaccess’ Tricks to Secure and Customize Websites
- How to Password Protect Web Directories in Apache Using .htaccess File
- How to Hide Apache Version Number and Other Sensitive Info
- Protect Apache Against Brute Force or DDoS Attacks Using Mod_Security and Mod_evasive
That’s all! To share any thoughts concerning this guide, make use of the feedback form below. And remember to always stay connected to Tecmint.com.
Also, if you using LetsEncrypt certification, add this before redirect rule:
Thank you for the info. This helped me set up HTTP to HTTPS redirects in OS X 10.14 Mojave. Apple has moved away from its own implementation with OSX 10.14 Mojave, and OSX 10.15 Catalina, so you have to install open-source Apache to get web services working. I had experience deploying Apache in Linux, but not familiar with the steps that were required to get it working on an OSX platform.
Here is what you need to do for OSX 10.14 Mojave:
1) Enable Apache on OSX:
2) Modify /private/etc/apache2/httpd.conf file:
3) Modify /private/etc/apache2/httpd-ssl.conf file:
Add following:
4) Modify /private/etc/apache2/httpd-vhosts.conf file.
Add following:
5) Test the Apache configuration for errors after restarting Apache.
6) Restart apache.
Correction to step 2)
Modify /private/etc/apache2/httpd.conf file:
##Change the following lines to the folder path where the web files are located:
Tons of misspellings that cause syntax errors in the code above. This causes more problems than solutions.
Simple and working, thanks
@MisterX
Great! Thanks for the useful feedback.
I found that when it comes to the Apache configuration, this worked better –
The IfModule ensures that your site will be live even if you have forgotten to enable SSL (a. this happened to me that may not necessarily be a BAD thing)
the
/
at the end of the domain ensures that if you are giving it a full path, it will follow the path.I’m assuming that port 443 would also need to be opened up on your firewall for traffic to get through. Is this correct?
@Troy
Yes, this is true, especially when you have a firewall running on your system.
Don’t you have to point to the location of your certificates?
You are missing the slash after the domain name.
Redirect / https://www.yourdomain.com/
@Neil
Thanks for mentioning this, we will add it as soon as possible.
I can’t help but think this article could use a bit more detail. Especially when it comes to explaining what is happening in the configuration files. Perhaps comments to explain what each line is acutely doing.
@Brian
You can find detailed information about mod_rewrite rules from here: http://httpd.apache.org/docs/current/mod/mod_rewrite.html