Joseph Scott’s Blog

58 Responses to “Redirect To SSL Using Apache’s .htaccess”

1. September 9th, 2004 at 8:56 am John Jonas

   

   You can also add the following to a .htaccess file:

   
   SSLRequireSSL
   

   
   #no non-ssl access
   Redirect permanent /secure https://www.example.domain.com/secure
   

   PS. I’m LDS too!

2. September 9th, 2004 at 8:58 am John Jonas

   

   Dang…forgot the code tag…

           
   		SSLRequireSSL
   	
   
   	
   		#no non-ssl access
   		Redirect permanent /secure https://www.example.domain.com/secure
   	
   

3. October 21st, 2004 at 7:20 pm Paul Mortlock

   

   i use SSLRequireSSL in my .htaccess file and it causes a server error any ideas?

4. December 4th, 2004 at 6:07 pm Nicolás Echániz

   

   I want my users to access their webmail through https, so I have this on my httpd.conf:

   Alias /webmail “/var/www/localhost/htdocs/squirrelmail”
   
   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
   AllowOverride None
   Options FollowSymLinks
   Order allow,deny
   Allow from all

5. March 19th, 2005 at 4:38 am Paul Roberts

   

   I find that the following works

   IfModule !mod_ssl.c>
   # no non-ssl access
   Redirect permanent / https://www.cse.unsw.edu.au/
   </IfModule>

   from http://www.cse.unsw.edu.au/faq/questions/www-htaccess.html

   PS moderator pls deleted previous post the <’s were striped

6. September 2nd, 2005 at 6:24 pm Eugene Miroskins

   

   Thank you SO MUCH! The mod_rewrite works great for me, I thought this problem was going to be more difficult to solve until i came upon this page. Now almost ready to launch our site.

7. February 15th, 2006 at 12:15 pm Dan

   

   Thanks, exactly what I was looking for; works great.

8. April 18th, 2006 at 5:55 am Cormac

   

   I have uploaded a .htaccess file to my root with the code that is posted in the original article. When i try to access the folder http://www.example.com/require-secure it brings me to https://www.example.com/require-secure straight away but it also throws out a 404 error. I’m wondering if anybody knows why this might be happening?

9. April 21st, 2006 at 2:50 pm Finster

   

   I think you need to have a section set up to direct traffic to the SSL port with SSLEnable included in it.

   I may also be full of crap. I’m kind of an Apache n00b.

10. May 8th, 2006 at 12:36 pm Joakim

    

    Nicolás Echániz’

    RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

    is very elegant, since it checks to see if it is using ssl regardless of what port is used and uses variables to do the rewriting. Good job :)

11. May 23rd, 2006 at 2:32 pm ChiselingStone

    

    Thank all of you for your posts!!!
    By combining Joseph Scott’s code and Joakim’s code into an .htaccess file at the root of my server files, I came up with:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*)https://www..com/index.htm

    With your site in the middle of course… Works great! A user goes to mysite.com, and boom, it switches to http://www.mysite.com and is secure. Very nice!

    I swear, every bit of these things is like chiseling a statue out of a block of marble. Each little bit requires a lot of hammering, but when you’re done…

    Laters!

12. July 26th, 2006 at 4:48 am Álvaro G. Vicario

    

    My non-mod_rewrite solution:

    ServerName example.com

    RedirectPermanent / https://example.com/

    ServerName example.com

13. July 26th, 2006 at 4:49 am Álvaro G. Vicario

    

    Sorry, tags are not escaped but stripped. I’ll use square brackets:

    My non-mod_rewrite solution is:

    [VirtualHost *:80]
    ServerName example.com
    [Location /]
    RedirectPermanent / https://example.com/
    [/Location]
    [/VirtualHost]
    [VirtualHost *:443]
    ServerName example.com
    [/VirtualHost]

14. July 26th, 2006 at 4:51 am Álvaro G. Vicario

    

    Just a note: I couldn’t make this work until I realised that HTTPS env variable was not available in my web server, God knows why. I had to use the SERVER_PORT solution instead.

15. August 2nd, 2006 at 4:21 am saravanan

    

    hi

    how to redirect http to https,

    what data has been put in the htaccess file

16. October 18th, 2006 at 2:01 pm Bernard

    

    How can I change my login page and other personal information page from http to https?

17. October 24th, 2006 at 1:36 pm htaccesselite

    

    I came up with a much better solution:

    SSLOptions +StrictRequire
    SSLRequireSSL
    SSLRequire %{HTTP_HOST} eq “domaincom.secure.powweb.com”
    AuthUserFile /www/d/domain/.htpasswd
    AuthName “Private”
    AuthType basic
    require user admin56
    ErrorDocument 403 https://domaincom.secure.powweb.com/private/index.php

    Tutorial: http://www.htaccesselite.com/htaccess/force-https-and-no-double-login-vt30.html

18. October 30th, 2006 at 10:06 am ti89

    

    # htaccesselite Says:
    October 24th, 2006 at 1:36 pm

    I came up with a much better solution:

    SSLOptions +StrictRequire
    SSLRequireSSL
    SSLRequire %{HTTP_HOST} eq “domaincom.secure.powweb.com”
    AuthUserFile /www/d/domain/.htpasswd
    AuthName “Private”
    AuthType basic
    require user admin56
    ErrorDocument 403 https://domaincom.secure.powweb.com/private/index.php

    Tutorial: http://www.htaccesselite.com/htaccess/force-https-and-no-double-login-vt30.html

    Wow! That fixed my problem exactly! There is an even better SSL article at htaccesselite -> http://www.htaccesselite.com/htaccess/redirecting-all-or-part-of-a-server-to-ssl-vt61.html

19. November 7th, 2006 at 12:12 am AskApache.com » htaccesselite.com aboutus

    [...] http://joseph.randomnetworks.com/archives/2004/07/22/redirect-to-ssl-using-apaches-htaccess/ [...]

20. November 7th, 2006 at 7:13 pm Rudolf Potucek

    

    Here is a most paranoid version that includes all the above comments. The idea is that we want to use a .htaccess file to make sure that all access to this directory will be by SSL or not at all, but we also want to make sure that if someone has typed a URL manually without the http/https, we direct to the desired url. The paranoid aspect of this lies in the fact that neither mod_rewrite nor mod_ssl might be available, say if you just ported to a new webserver setup etc.

    # If we have neither mod_ssl nor mod_rewrite
    # simply deny access

    deny from all

    # If we have mod_rewrite
    # redirect to https version of requested page

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

    # else (if we have mod_ssl)
    # make sure we require SSL

    SSLRequireSSL

    # Finally, if anything went wrong, tell the user we
    # require SSL
    ErrorDocument 403 http://xyz.com/error-403-require-ssl.html

21. November 7th, 2006 at 7:18 pm Rudolf Potucek

    

    REPOST with edits because angled brackets got stripped out … replace all square brackets with angled brackets to make this work …

    Here is a most paranoid version that includes all the above comments. The idea is that we want to use a .htaccess file to make sure that all access to this directory will be by SSL or not at all, but we also want to make sure that if someone has typed a URL manually without the http/https, we direct to the desired url. The paranoid aspect of this lies in the fact that neither mod_rewrite nor mod_ssl might be available, say if you just ported to a new webserver setup etc.

    # If we have neither mod_ssl nor mod_rewrite
    # simply deny access
    [IfModule !mod_rewrite.c]
    [IfModule !mod_ssl.c]
    deny from all
    [/IfModule]
    [/IfModule]

    # If we have mod_rewrite
    # redirect to https version of page
    [IfModule mod_rewrite.c]
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    [/IfModule]

    # else (if we have mod_ssl)
    # make sure we require SSL
    [IfModule !mod_rewrite.c]
    [IfModule mod_ssl.c]
    SSLRequireSSL
    [/IfModule]
    [/IfModule]

    ErrorDocument 403 http://xyz.com/error-403-require-ssl.html

22. November 21st, 2006 at 5:58 am Amy Gardner

    

    According to http://www.askapache.com/2006/htaccess/apache-ssl-in-htaccess-examples.html you don’t need mod_ssl to check for HTTPS variable.

    [IfModule !mod_ssl.c]
    deny from all
    [/IfModule]

    And I think if HTTPS isn’t on its empty?

23. January 5th, 2007 at 1:27 pm Jonathan Webber

    

    Are the IfModules even correct syntax? Are you allowed to use them? How come there aren’t any at the http://www.askapache.com/2006/htaccess/htaccesselite-ultimate-htaccess-article.html ?

24. January 31st, 2007 at 11:24 pm How to automatically redirect http to https in Apache « Kojiroh’s technical blogs

    [...] Joseph Scott’s Blog [...]

25. February 2nd, 2007 at 9:16 pm Rakesh

    

    Hi,

    I have a page called test1.xml in /htdocs/test1/test1.xml and want to redirect to test2.php located in /htdocs/test2/test2.php using .htaccess file.
    My entries are as follows in .htaccess :

    Redirect 301 /htdocs/test1/test1.xml http://www.example.com/test2/test2.php

    plz Correct me if any mistakes done in above line. I am using Apache 1.3.33 version.
    I have created .htaccess file in /htdocs/ directory .
    Let me know your suggestions

26. February 13th, 2007 at 7:43 pm Jarrod

    

    The “Update” with this code:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

    Works great. Any url from within my site automatically gets rolled to https:

27. February 26th, 2007 at 5:47 am Rick Syuh

    

    Jarrod I still get a warning if I try to goto http://www.site.com:80...

    The only way to make sure my site doesn’t act funny and popup warnings is to use the SSLRequireSSL with the erordocument suggested by ti89..

    http://www.askapache.com/2006/htaccess/apache-ssl-in-htaccess-examples.html

28. March 10th, 2007 at 11:10 am twp

    

    My problem is that i only want ssl for authentication on a portion of the website (using htpasswd); after the authentication completed i want plain http back on. I am quite new at apache and i suspect i can use mod_rewrite.. but i failed to find any exemple to fit :( thanks for any info

29. March 14th, 2007 at 4:00 am Mario Lobo

    

    what if I have the following:

    —————————————
    NameVirtualHost *:80

    \
    ServerName webmail.mallavoodoo.com.br
    Redirect permanent / https://webmail.mallavoodoo.com.br:443/
    \

    \
    ServerName webmail.digiart.art.br
    Redirect permanent / https://webmail.digiart.art.br:444/

    NameVirtualHost *:443
    NameVirtualHost *:444
    listen 444

    \
    ServerAdmin suporte.provedor@ipad.com.br
    DocumentRoot /mail/webmail
    ServerName webmail.mallavoodoo.com.br
    ErrorLog /var/log/httpd/webmail.mallavoodoo.com.br-ssl_error_log
    CustomLog /var/log/httpd/webmail.mallavoodoo.com.br-ssl_access_log combined
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/local/etc/apache22/ssl/malla.crt
    SSLCertificateKeyFile /usr/local/etc/apache22/ssl/malla.key
    \
    SSLOptions +StdEnvVars
    \
    SetEnvIf User-Agent “.*MSIE.*” nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    \

    \
    ServerAdmin suporte.provedor@ipad.com.br
    DocumentRoot /mail/webmail
    ServerName webmail.digiart.art.br
    ErrorLog /var/log/httpd/webmail.digiart.art.br-ssl_error_log
    CustomLog /var/log/httpd/webmail.digiart.art.br-ssl_access_log combined
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/local/etc/apache22/ssl/digiart.crt
    SSLCertificateKeyFile /usr/local/etc/apache22/ssl/digiart.key
    \
    SSLOptions +StdEnvVars
    \
    SetEnvIf User-Agent “.*MSIE.*” nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    \
    ——————————————

    when I try to access http://webmail.digiart.art.br/ ,

    I get a a page with only:

    SSH-2.0-OpenSSH_4.0

    adn I don’t get redirected to https://webmail.digiart.art.br:444/

    whats wrong? the purpose here is to use a certificate for each site.

    Thanks

30. March 14th, 2007 at 10:36 am Mario Lobo

    

    Never mind my previous post. I found the tweak.

    Instead of:
    Redirect permanent / https://…….

    I wrote:
    Redirect 301 / https://…….

    and it worked !!

    But thanks for letting me post here !

31. October 14th, 2007 at 3:49 pm JudyE

    

    I used Jarrod’s code from 2/13/07 and it’s perfect. Many thanks :)

32. November 7th, 2007 at 3:46 am To Whom It Concerns … » SSL (https://) per .htaccess erzwingen

    [...] des Webservers nur über eine verschlüsselte Verbindung auszuliefern1, habe ich bei Joseph Scott (in einem kurzen Beitrag von 2004) eine kurze und sehr elegante Lösung gefunden, die euch [...]

33. December 27th, 2007 at 5:45 pm *real me» Blog Archive » ໃຊ້ .htaccess ໃນການ redirect ຫນ້າເວັບໄປໃຊ້ SSL

    [...] ຂໍ້ມູນໄດ້ຈາກ Josept Scott’s blog [...]

34. January 11th, 2008 at 8:15 am Liew Jo Ee

    

    Hi to all, I m newbie to apache.

    Can anyone explain to me wat is FollowSymLinks and Indexes FollowSymLink?

    Do I have to put one of the above the under and under ?

    I have put this into
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

    in the .htaccess in the documentroot

    the redirect is working but it is redirecting to the DirectoryIndex

    etc -> http://www.abc.com/info.php becomes https://www.abc.com/
    i want it to be changed to https://www.abc.com/info.php. How can i do that? what i ve done wrong?

35. January 11th, 2008 at 10:39 am Joseph Scott

    

    @ Liew Jo Ee -

    I’d suggest reading up on the DirectoryIndex option in Apache, which indicates that the default file name for a directory should be served as default if none is provided. In your example you’d do something like:

    DirectoryIndex info.php

36. January 17th, 2008 at 9:40 pm Kyle

    

    I was looking for this snippet of code for one of my customers thanks a million!

37. January 17th, 2008 at 10:22 pm Joseph Scott

    

    @Kyle –

    Cool, always nice to hear people find this stuff useful.

38. January 30th, 2008 at 3:05 am SpiritualTheater » การติดตั้ง server Mailtalk

    [...] http://joseph.randomnetworks.com/archives/2004/07/22/redirect-to-ssl-using-apaches-htaccess/ [...]

39. February 27th, 2008 at 4:44 am Boris R

    

    I edited my .htaccess file (added the text at the end of the htaccess file) and used Joakim’s and ChiselingStone’s points. (#s 10 and 11). It worked the first time. Thanks!

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

40. March 2nd, 2008 at 12:53 am Using .htaccess to Redirect to SSL » orangeSplotch.com

    [...] Pretty slick stuff. Too bad I can’t take any credit for it. Here is where I first came across it. Redirect To SSL Using Apache’s .htaccess [...]

41. March 11th, 2008 at 10:41 pm Njau Ndirangu

    

    Alot of people have written how to redirect http to https but nobody explains how to switch back to http. With apache once you switch to https it stays like that so what approach would you take to switch back to http from https?

42. April 23rd, 2008 at 2:48 pm Patrick K

    

    I’ve been putzing with a ubuntu 7.10 server install, and having fits with most info I could find on removing directory listings, and also routing http to https sites.

    My site has 4 normal virtual sites, and 1 self signed SSL site. I needed to have anything with http://some.secure.site route to https://some.secure.site.

    All my other sites worked without problem, so http://www.somesite.com would resolve for all normal sites. but http://www.secure.site would drop back to the /var/www directory, meaning it wasn’t resolving to my /var/www/secure area. typeing in https://www.secure.site worked perfectly.

    I liked the
    [code]
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    [/code]
    as listed above, but it wouldn’t work in a .htaccess. I turned on AllowOverride everywhere I could find it, but to no avail. I also installed (or it was already) the mod_rewrite and mod_alias was working too. I confirmed this by running phpinfo() and seeing that both were installed as loaded modules.

    I finally removed it from .htaccess, and instead put it in the [Directory /var/www] section of /etc/apache2/sites-available/default.

    Is working now.

    Basically, all my named hosts resolve to their respective directories, but if someone puts a http: address that doesn’t resolve, it gets sent to my https://some.secure.site address. Seeing as how I only have one to worry about, it works fine.

    For my directory listings, I tried the Options -Indexes in a .htaccess file, but no dice, kept giving 500 errors. I have error doc statements in .htaccess, and those work fine, so I new .htaccess is working.

    I ended up going into the conf file for each site: http://www.somesite.com.conf under /etc/apache2/sites-available. In each site conf file, under the [Directory "/var/www/somesite"] section, i changed Options +Indexes to Options -Indexes.

    That’s working too. So I removed both attempts from my .htaccess, as neither worked from that route. Instead I installed directives in the conf file for each site, and default, and it’s working fine.

43. May 12th, 2008 at 11:55 pm hitesh shinde

    

    If you want HTTPS for only 2 or more individual files not a full directory, Then try this

    RewriteEngine On

    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^index.php$ https://www.phppassion.com/index.php

    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^index1.php$ https://www.phppassion.com/index1.php

    It works.

44. May 12th, 2008 at 11:57 pm hitesh shinde

    

    if anyone want to full directory HTTPS

    Try this

    RewriteCond %{HTTPS} off
    #RewriteRule ^DirName(.*) https://%{HTTP_HOST}%{REQUEST_URI}

45. June 3rd, 2008 at 3:02 am Utpal Desai

    

    simply create a squirrelmail.conf file at /etc/httpd/conf.d copy and paste below content, save it and restart APACHE

    Alias /webmail “/usr/share/squirrelmail”

    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule .* https://%{HTTP_HOST}:443%{REQUEST_URI} [QSA,R=permanent,L]

46. July 17th, 2008 at 1:30 pm Adlerweb

    [...] Editierlinks auf die ungesicherte Seite. Hier lässt sich mit einer .htaccess-Datei, welche ich auf Joseph Scott’s Blog gefunden habe, im Verzeichnis wp-admin Abhilfe [...]

47. July 21st, 2008 at 1:09 am Forward http:// to https:// - Kayako Community Forums

    [...] 08:09 AM Redirect To SSL Using Apache’s .htaccess – Joseph Scott’s Blog details how to do this. Craig Brass – Kayako Forum Squatter (Note: I am NOT a staff member) [...]

48. August 20th, 2008 at 7:24 am nowashburn

    

    thanks! works great, nice and simple!

49. September 19th, 2008 at 7:41 am lasdesign

    

    Hi,
    Thanks for all your help above, i managed to put use what youve shared above and com eup with a solution that seems to work for me.

    My problem is that i need to switch to ssl (https) for a particular directory based on using a shared host offering shared SSL.

    The contents of the htaccess file i created was as follows:

    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{REQUEST_URI} subdirectory
    RewriteRule ^(.*)$ https://www.shared-ssl-domain-url.com/subdirectory/ [R,L]

    PS – The htaccess file has to be stored in the sub directory you wish to use for ssl. E.g. subdirectory.

    I hope this helps somebody.

50. October 29th, 2008 at 5:05 pm Taylor

    

    I currently have my .htaccess file that sends all of the requests for my website to https: however I am trying to host two different sites under the same hosting. Well when I put in the URL then it redirects me back to the other site. Does anyone know the code to only redirect within the root directory and leave the subdirectories alone?

    This is my current code:

    Options +FollowSymLinks
    RewriteEngine On
    RewriteBase /
    SSLOptions +StrictRequire
    SSLRequireSSL
    SSLRequire %{HTTP_HOST} eq “example.com”
    ErrorDocument 403 https://example.com

    Thanks

51. January 9th, 2009 at 8:36 am Leslie

    

    Boy am I late to the party on this, but thanks! I spent hours looking for code that would work and this did the trick.

52. January 20th, 2009 at 6:08 am unhitched

    

    worked for me – thanks!

53. February 5th, 2009 at 6:12 pm Un peu de tout » Archives du Blog » Apache: redirection en https avec .htaccess

    [...] me suis basé sur ce billet de Joseph Scott, solution améliorée par Nicolas [...]

54. February 23rd, 2009 at 3:58 pm Gimi

    

    To redirect a specific url to https use RewriteCond
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} =/secure #You can have multiple rewrite cond
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    To redirect the rest of the site from https to http:

    RewriteCond %{HTTPS} on
    RewriteCond %{REQUEST_URI} !=/secure
    RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

55. February 28th, 2009 at 8:05 pm Kev

    

    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

    Simple, elegant, works brilliantly.
    THANKS!

56. March 3rd, 2009 at 10:40 pm Derek

    

    I had to add [R=301,L] to my RewriteRule to get this working with wildcard subdomains.

    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

57. March 14th, 2009 at 1:29 pm breadbaker

    

    I am sorry to tell you, that those examples won’t work if you are on a non standard http port, e.g. http://www.example.com:8888/ will redirect to https://www.example.com:8888/

    use this instead:

    [code]
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI}
    [/code]

58. April 21st, 2009 at 5:17 pm AA

    

    I like the May 23rd updated solution best.
    The problem with hard coding a redirect to something like http://site/something, at least for what I want, I just want to add https to whatever they typed. I don’t want to send them to a set home page but rather what they typed, just secure.
    That’s why I like the first solution best.

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

    Yay!
    I don’t have to worry about where I put this or what site, as long as it has ssl enabled.