158

I have an old domain (www1.example.net) and I would like to redirect it to https://www1.example.net.

I have implemented and installed our SSL certificate on my site.

This is my old file .htaccess:

RewriteEngine On
RewriteRule !\.(js|gif|jpg|png|css|txt)$ public/index.php [L]
RewriteCond %{REQUEST_URI} !^/public/
RewriteRule ^(.*)$ public/$1 [L]

How can I configure my .htaccess file so that the URL auto redirects to https?

Improve this question
1
  • If the second line is intended to not do a redirect if the path points to an actual file (and you're listing the expected possible extensions), you could make it more flexible by replacing it with a check for an existing file: RewriteCond %{REQUEST_FILENAME} !-f followed by your redirect. Commented May 14, 2019 at 14:34

15 Answers 15

Reset to default
333

I use the following to successfully redirect all pages of my domain from http to https:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Note this will redirect using the 301 'permanently moved' redirect, which will help transfer your SEO rankings.

To redirect using the 302 'temporarily moved' change [R=302,L]

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

this is more appropriate than the "hacky" accepted answer
In some cases the X-Forwarded-Proto is needed RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteCond %{HTTPS} off RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
141

Update 2016

As this answer receives some attention, I want to hint to a more recommended way on doing this using Virtual Hosts: Apache: Redirect SSL

<VirtualHost *:80>
   ServerName mysite.example.com
   Redirect permanent / https://mysite.example.com/
</VirtualHost>

<VirtualHost _default_:443>
   ServerName mysite.example.com
   DocumentRoot /usr/local/apache2/htdocs
   SSLEngine On
# etc...
</VirtualHost>

Old answer, hacky thing given that your ssl-port is not set to 80, this will work:

RewriteEngine on

# force ssl
RewriteCond     %{SERVER_PORT} ^80$
RewriteRule     ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

Note that this should be your first rewrite rule.

Edit: This code does the following. The RewriteCond(ition) checks wether the ServerPort of the request is 80 (which is the default http-port, if you specified another port, you would have to adjust the condition to it). If so, we match the whole url (.*) and redirect it to a https-url. %{SERVER_NAME} may be replaced with a specific url, but this way you don't have to alter the code for other projects. %{REQUEST_URI} is the portion of the url after the TLD (top-level-domain), so you will be redirected to where you came from, but as https.

Improve this answer

5 Comments

I'm getting 403 Forbidden when I try this. Any idea why?
Where can I find this file in virtual hosts
To add to the explanation. "[The [L] flag](httpd.apache.org/docs/2.4/rewrite/flags.html#flag_l) causes mod_rewrite to stop processing the rule set." Usually you want to just add this by default. "Use of [the [R] flag](httpd.apache.org/docs/2.4/rewrite/flags.html#flag_r) causes an HTTP redirect to be issued to the browser." If absent, the redirect will be internal which would void the meaning of using HTTPS. By default, the issued redirect is with status 302 (temporary redirection). If you want the browser to ("permanently") cache the new URL, use [R=301] instead.
For the VirtualHost solution, it's not clear where the "Redirect permanent" statement should be placed in case of a complicated setup. I assumed near the top, and it worked.
it worked. we need to add the script for http block only that will redirect us to https automatically.
118

This is the best for www and for HTTPS, for proxy and no proxy users.

RewriteEngine On

### WWW & HTTPS

# ensure www.
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# ensure https
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

### WWW & HTTPS
Improve this answer

4 Comments

how to redirect to non-www?
this is by far the best answer for those where %{HTTPS} off isn't enough
Also, note that for those who wish to remove www from the URL, the following should work: stackoverflow.com/a/8699176/1035977 (just adapt it to use https://... instead of the http://... shown there)
Note that the check against the X-Forwarded-Proto header should only be used if your server is behind a front-end proxy that handles the secure connection. Otherwise, a malicious request could send the X-Forwarded-Proto header and prevent the redirect to HTTPS.
19

I force the https with following code:

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
Improve this answer

Comments

10

Add this code at the end of your .htaccess file

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Improve this answer

2 Comments

Probably because mod_rewrite isn't enabled in this answer as it is in others.
"Add this code at the end of your .htaccess file" - This code should be added at the top of the .htaccess file, not at the end! You are also missing the R and L flags so this will default to a 302 (temporary) redirect and processing continues.
6

In cases where the HTTPS/SSL connection is ended at the load balancer and all traffic is sent to instances on port 80, the following rule works to redirect non-secure traffic.

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Ensure the mod_rewrite module is loaded.

Improve this answer

Comments

5

Insert this code in your .htaccess file. And it should work

RewriteCond %{HTTP_HOST} yourDomainName\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://yourDomainName.com/$1 [R,L]
Improve this answer

Comments

4

Searching for the best way to redirect, i've found this (coming from html5boilerplate) :

# ----------------------------------------------------------------------
# | HTTP Strict Transport Security (HSTS)                              |
# ----------------------------------------------------------------------

# Force client-side SSL redirection.
#
# If a user types `example.com` in their browser, even if the server
# redirects them to the secure version of the website, that still leaves
# a window of opportunity (the initial HTTP connection) for an attacker
# to downgrade or redirect the request.
#
# The following header ensures that browser will ONLY connect to your
# server via HTTPS, regardless of what the users type in the browser's
# address bar.
#
# (!) Remove the `includeSubDomains` optional directive if the website's
# subdomains are not using HTTPS.
#
# http://www.html5rocks.com/en/tutorials/security/transport-layer-security/
# https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-6.1
# http://blogs.msdn.com/b/ieinternals/archive/2014/08/18/hsts-strict-transport-security-attacks-mitigations-deployment-https.aspx

Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"

Maybe it will help someone in 2017 ! :)

Improve this answer

4 Comments

In 2017, this should be the accepted answer. But it should contain that to enable HSTS via .htacces file (question is tagged with this) you have to omit the IfModule tags. If you edit your answer with that I would gladly link to here from the accepted answer
Hello Jojo ! sorry for this late answer, you mean removing both # <IfModule mod_headers.c> and # </IfModule> lines ?
hey LIIT, yes that's what I meant.
While this is nice and does help to achieve or support the (probably) desired effect, this does not redirect http requests to https, and as such, does not answer the question. It does only work if the client already accessed the site via HTTPS (within the max-age interval specified). So it should always be accompanied with a proper redirect.
4

This makes sure that redirects work for all combinations of intransparent proxies.

This includes the case client <http> proxy <https> webserver.

# behind proxy
RewriteCond %{HTTP:X-FORWARDED-PROTO} ^http$
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]

# plain
RewriteCond %{HTTP:X-FORWARDED-PROTO} ^$
RewriteCond %{REQUEST_SCHEME} ^http$ [NC,OR]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]
Improve this answer

Comments

3

Adding the following to the top of the .htaccess

RewriteEngine On
RewriteCond %{ENV:HTTPS} !=on
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
Improve this answer

Comments

2

I had a problem with redirection also. I tried everything that was proposed on Stackoverflow. The one case I found by myself is:

RewriteEngine on
RewriteBase /
RewriteCond %{HTTP:SSL} !=1 [NC]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
Improve this answer

Comments

1

This is what ended up working for me

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>
Improve this answer

Comments

1

This is the perfect way for apache server, further you can customize with or without www

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

Improve this answer

Comments

-1

Forcing HTTPS with the .htaccess File

==> Redirect All Web Traffic :-

To force all web traffic to use HTTPS, insert the following lines of code in the .htaccess file in your website’s root folder.

RewriteEngine On 
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

==> Redirect Only Specified Domain :-

To force a specific domain to use HTTPS, use the following lines of code in the .htaccess file in your website’s root folder:

RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteEngine On 
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

If this doesn’t work, try removing the first two lines.

RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

Make sure to replace example.com with the domain name you’re trying force to https. Additionally, you need to replace www.example.com with your actual domain name.

==> Redirect Specified Folder :-

If you want to force SSL on a specific folder, insert the code below into a .htaccess file placed in that specific folder:

RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteCond %{REQUEST_URI} folder
RewriteRule ^(.*)$ https://www.example.com/folder/$1 [R=301,L]

Make sure you change the folder reference to the actual folder name. Then be sure to replace www.example.com/folder with your actual domain name and folder you want to force the SSL on.

Improve this answer

Comments

-1

Replace your domain with domainname.com , it's working with me .

RewriteEngine On
RewriteCond %{HTTP_HOST} ^domainname\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.domainname.com/$1 [R,L]
Improve this answer

1 Comment

Please don't post only code as answer, but also provide an explanation what your code does and how it solves the problem of the question. Answers with an explanation are usually more helpful and of better quality, and are more likely to attract upvotes.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.