Redirect HTTP to HTTPS in Apache
Introduction
The Apache HTTP server is one of the most widely used web servers worldwide. A significant number of websites on the Internet run on this open-source, cross-platform HTTP server. With the help of extra modules, Apache can be extended to offer many key features.
If you are a website owner or system administrator, there is a good chance that you work with Apache on a regular basis. Redirecting HTTP traffic to the secure (HTTPS) version of your website is one of the most common tasks you will perform.
HTTPS employs TLS/SSL to encrypt the communication between the client and the server, as opposed to HTTP, which uses plaintext to send and receive requests and responses.
Using HTTPS instead of HTTP has various advantages, including:
- All data is encrypted in both directions. As a result, even if intercepted, sensitive information cannot be read.
- Your website will be marked as secure by Google Chrome and all other widely used browsers.
- Utilizing HTTPS enables you to use the HTTP/2 protocol, which greatly enhances site performance.
- Google prefers HTTPS-secured websites. If your website is served through HTTPS, it will rank higher.
In Apache, there are several ways to redirect to HTTPS. The best method is to configure the redirection in the virtual host configuration file for the domain if you have root access to the Linux server on which Apache is installed. If not, you can configure the redirection in the .htaccess file for the domain.
With a few mouse clicks, you can force HTTPS redirection with some control panels, like cPanel.
Redirect HTTP to HTTPS using Virtual Host
The settings of one or more domains hosted on the server are specified by Apache Virtual Hosts. You can specify the site document root (the directory containing the website files) in the virtual host directive. You can also configure redirection, use different SSL certificates, and create separate security policies for each site.
You will typically have two virtual host directives for a domain when an SSL certificate is installed on it. The first is for the HTTP version of the site, which runs on port 80, and the second is for the HTTPS version, which runs on port 443.
Virtual host files are kept in the /etc/httpd/conf.d directory in Red Hat-based distros like Fedora and CentOS. On Debian and its derivatives, such as Ubuntu, the files are saved in the /etc/apache2/sites-available directory.
Use the Redirect directive as seen in the following example to redirect a website to HTTPS:
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
Protocols h2 http/1.1
# SSL Configuration
# Other Apache Configuration
</VirtualHost>
Now let us go over the code. One virtual host directive is used for the HTTP version of the site, and the other is used for the HTTPS version.
- VirtualHost *:80 - The Apache server is listening on port 80 (HTTP) for inbound connections for the given domain.
- VirtualHost *:443 - The Apache server is listening on port 443 (HTTPS) for inbound connections for the given domain.
The domain names for the virtual host are specified by the ServerName and ServerAlias directives. Remember to substitute them with your domain name.
The line Redirect permanent / https://example.com/ inside the HTTP virtual host redirects the traffic to the HTTPS version of the website.
Typically, you will also want to redirect the HTTPS www version of the site to the non-www version, or vice versa. An example configuration is as follows:
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
Protocols h2 http/1.1
<If "%{HTTP_HOST} == 'www.example.com'">
Redirect permanent / https://example.com/
</If>
# SSL Configuration
# Other Apache Configuration
</VirtualHost>
The <If> block within the HTTPS virtual host checks whether the Host header of the request is the www domain and, if it is, redirects to the non-www version.
You must restart or reload the Apache service after making changes to the configuration files in order for the changes to take effect:
- Debian and Ubuntu:
sudo systemctl reload apache2
- CentOS and Fedora:
sudo systemctl reload httpd
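Before reloading, the port 80 and port 443 virtual hosts can be checked against each other. The following is an added example, not part of the original article: a small audit that reads virtual host blocks and reports any port-80 host that lacks a permanent redirect of /, redirects to a non-HTTPS URL, or redirects to a host with no :443 virtual host. The names audit, args_of and SAMPLE_CONF, and the shop and blog hosts, are constructed for illustration; every port-80 block is assumed to have a ServerName.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the first port-80 host follows the page, the next two are broken on purpose.
SAMPLE_CONF = """
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:80>
ServerName shop.example.com
Redirect permanent / http://shop.example.com/
</VirtualHost>
<VirtualHost *:80>
ServerName blog.example.com
DocumentRoot /var/www/blog
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
</VirtualHost>
"""
VHOST = re.compile(r"<VirtualHost\s+[^>]*?:(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def args_of(body, name):
    """Argument lists of every `name` directive in a virtual host body."""
    rows = (line.split() for line in body.splitlines())
    return [r[1:] for r in rows if r and r[0].lower() == name.lower()]

def audit(conf):
    """Map each port-80 ServerName to a finding about its HTTPS redirect."""
    vhosts = [(int(port), body) for port, body in VHOST.findall(conf)]
    tls_names = {n.lower() for port, body in vhosts if port == 443
                 for d in ("ServerName", "ServerAlias")
                 for args in args_of(body, d) for n in args}
    findings = {}
    for body in (b for port, b in vhosts if port == 80):
        name = args_of(body, "ServerName")[0][0]
        targets = [urlsplit(a[2]) for a in args_of(body, "Redirect")
                   if len(a) == 3 and a[0].lower() in ("permanent", "301") and a[1] == "/"]
        if not targets:
            findings[name] = "no permanent redirect of /"
        elif targets[0].scheme != "https":
            findings[name] = "redirect target is not https"
        elif targets[0].hostname not in tls_names:
            findings[name] = "redirect host has no :443 virtual host"
        else:
            findings[name] = "ok"
    return findings
```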
Redirect HTTP to HTTPS using .htaccess
.htaccess is a per-directory configuration file for the Apache web server. This file can be used to enable or disable additional features, as well as to specify how Apache serves files from the directory where the file is placed.
The .htaccess file is often placed in the domain root directory, although additional .htaccess files might be placed in subdirectories.
The mod_rewrite module must be loaded on the Apache server in order to use this technique. On the majority of servers, this module is loaded by default. If feasible, create a redirection in the virtual host because it is easier and safer.
Open the root .htaccess file and add the following code to it to redirect all HTTP traffic to HTTPS:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]
Here is what each line does:
- RewriteEngine On - activates the Rewrite features.
- RewriteCond %{HTTPS} off - checks for an HTTP connection and executes the next line if the condition is satisfied.
- RewriteRule ^(.*)$ https://example.com/$1 [L,R=301] - redirects HTTP to HTTPS with status code 301 (Moved Permanently). Make sure the domain name is changed.
The following example has an additional condition that determines if the request begins with www. Use it to compel all visitors to use the site's HTTPS non-www version:
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]
You do not need to restart the server after making changes to the .htaccess file because Apache reads it with each request.
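To see which requests the www-aware rules above redirect, and that the redirect target itself is not redirected again, the following added example (not from the original article) evaluates them with a simplified model of mod_rewrite. The model covers only what these rules use: the %{HTTPS} and %{HTTP_HOST} variables, the [OR] and [NC] condition flags, and $1 in the target. The names parse and redirect_for and the sample requests are constructed.

```python
import re

# The page's www-aware .htaccess rules.
HTACCESS = r"""
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]
"""

def parse(text):
    """Split the rules into RewriteCond triples and the single RewriteRule."""
    conds, rule = [], None
    for parts in (line.split() for line in text.splitlines()):
        if not parts or parts[0] not in ("RewriteCond", "RewriteRule"):
            continue
        flags = set(parts.pop()[1:-1].split(",")) if parts[-1].startswith("[") else set()
        if parts[0] == "RewriteCond":
            conds.append((parts[1], parts[2], flags))
        else:
            rule = (parts[1], parts[2], flags)
    return conds, rule

def redirect_for(scheme, host, path, text=HTACCESS):
    """Return (status, Location) for a request, or None if it is served as is."""
    conds, (pattern, target, flags) = parse(text)
    env = {"HTTPS": "on" if scheme == "https" else "off", "HTTP_HOST": host}
    # In .htaccess (per-directory) context the pattern sees the path without its leading slash.
    match = re.search(pattern, path.lstrip("/"))
    if match is None:
        return None
    group_hit = False
    for test, cond_pattern, cflags in conds:
        value = re.sub(r"%\{(\w+)\}", lambda v: env[v.group(1)], test)
        group_hit |= bool(re.search(cond_pattern, value, re.I if "NC" in cflags else 0))
        if "OR" not in cflags:      # end of an [OR] group; groups are ANDed together
            if not group_hit:
                return None
            group_hit = False
    status = next(int(f[2:]) for f in flags if f.startswith("R="))
    return status, target.replace("$1", match.group(1))
```

The model ignores query strings, which mod_rewrite carries over to the redirect target unchanged.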
Conclusion
In Apache, configuring the 301 redirect in the virtual host for the domain is the preferred method of redirecting from HTTP to HTTPS.