When an SSL certificate is installed on the server, the website is not available via a secure HTTPS connection by default. It is necessary to add “https” to a URL every time one needs to be securely connected. The best way to achieve maximum security for website visitors is to enable an automatic redirect from HTTP to HTTPS.
If you have some control panel installed over Apache, it is necessary to set up redirects in the panel itself and not on the server to avoid redirect loops or incorrect module execution. You can check the guide on how to set up HTTPS redirect in cPanel here.
An Apache redirect should be used if cPanel or any other control panel or GUI (graphical user interface) is not used.
Before setting up the redirect, please make sure that the following modules are enabled.
- To enable the modules on Debian-based (Ubuntu) OS, run the below commands:
sudo a2enmod rewrite
sudo a2enmod ssl
- To enable ssl module on RHEL-based OS (CentOS), run:
yum install mod_ssl
The rewrite module is usually enabled by default on these OS. The following line should be present in the main config file:
LoadModule rewrite_module modules/mod_rewrite.so
Make sure, it is not commented. If there is no such line in the main configuration file, install the module by running:
sudo yum install mod_rewrite
If both modules are enabled, you will see the following messages:
Enabling Apache Redirect
There are several methods of enabling an Apache redirect http to https:
- Enable the redirect in the Virtual Host file for the necessary domain.
- Enable it in the .htaccess file (previously created in the web root folder).
- Use the mod_rewrite rule in the Virtual Host file.
- Use it in the .htaccess file to force HTTPS.
Enable Apache Redirect in the Virtual Host
Enabling the redirect in the Virtual Host file is safer and simpler than other options, as the configuration will be similar for all systems. Usually, there are two Virtual Host files on Apache if an SSL certificate is installed: one is for the non-secure port 80, and the other is for the secure port 443. The redirect to HTTPS can be enabled in the virtual host for port 80. If you would like to force HTTPS only for certain webpages, you can use the following set of directives:
< VirtualHost *:80 >
ServerName www.yourdomain.com
DocumentRoot /usr/local/apache2/htdocs
Redirect permanent /secure https://yourdomain.com/secure
< /VirtualHost >
< VirtualHost _default_:443 >
ServerName www.yourdomain.com
DocumentRoot /usr/local/apache2/htdocs
SSLEngine On
...
< /VirtualHost >
where /secure is the directory you would like Apache to force https for.
Otherwise, a permanent redirect to HTTPS can be enabled for all the pages of the website:
< VirtualHost *:80 >
ServerName www.yourdomain.com
Redirect permanent / https://www.yourdomain.com/
< /VirtualHost >
< VirtualHost _default_:443 >
ServerName www.yourdomain.com
DocumentRoot /usr/local/apache2/htdocs
SSLEngine On
...
< /VirtualHost >
Use .htaccess to Redirect to HTTPS
As an alternative, you can modify the .htaccess file. The following directive can be used in the .htaccess file placed in the document root folder of the website to secure certain pages of the website:
Redirect permanent /secure https://www.yourdomain.com/secure
Use Apache Rewritecond - mod_rewrite Rule
Using the mod_rewrite rule is recommended for experienced users, as the exact configuration can be different on different systems. The syntax of mod_rewrite rules can be complicated - for example, if you would like to redirect to HTTPS certain subfolders that consist of other subfolders. If you are not sure whether mod_rewrite can be used, it is better to enable the redirect to HTTPS in the virtual host file. If you would like to create a redirect for certain pages, the mod_rewrite rule should look like this:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?secure/(.*) https://%{SERVER_NAME}/secure/$1 [R,L]
The redirect for all directories is similar and looks like this:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
Note: To set a redirect with a 301 status code (permanent), you will need to assign this code to the R-flag in brackets by adding "=301".
Now your website will be available via HTTPS by default. To check if the redirects work correctly, please clear the cache in the browser you usually use and open your website or try checking it in another browser.
We would like to emphasize that above-mentioned commands are related only to Debian-based Linux derivatives, like Ubuntu. In case of any specific questions as well as other types of the operating system we would highly recommend contacting your server/hosting provider or referring to official server documentation.