Redirect HTTP to HTTPS in Apache

By 

Dejan Panovski

Updated on

7 min read

Apache Redirect HTTP to HTTPS

Apache HTTP server is one of the most popular web servers in the world. It is an open-source and cross-platform HTTP server that powers a large percentage of the Internet’s websites. Apache provides many powerful features that can be extended through additional modules.

If you are a website owner or system administrator, chances are that you’re dealing with Apache on a regular basis. One of the most common tasks you’ll likely perform is redirecting the HTTP traffic to the secured (HTTPS) version of your website.

Unlike HTTP, where requests and responses are sent and returned in plaintext, HTTPS uses TLS to encrypt the communication between the client and the server.

There are many advantages of using HTTPS over HTTP, such as:

  • All the data is encrypted in both directions. As a result, sensitive information cannot be read if intercepted.
  • Modern browsers will show a “Not Secure” warning for HTTP sites.
  • HTTPS allows you to use the HTTP/2 protocol, which significantly improves the site performance.
  • Google favors HTTPS websites. Your site will rank better if served via HTTPS.

This guide covers how to redirect the HTTP traffic to HTTPS in Apache.

Before setting up the redirect, you need a valid SSL/TLS certificate. Let’s Encrypt provides free certificates and is the most popular choice for most websites.

There are several ways to redirect to HTTPS in Apache. If you have root access to the Linux server where Apache runs, the preferred way is to set up the redirection in the domain’s virtual host configuration file. Otherwise, you can set up the redirection in the domain’s .htaccess file. Some control panels, such as cPanel , allow you to force HTTPS redirection with a few mouse clicks.

Redirect HTTP to HTTPS using Virtual Host

Apache Virtual Hosts define the settings of one or more domains hosted on the server. In the virtual host directive, you can specify the site document root (the directory containing the website files), create a separate security policy for each site, use different SSL certificates, configure redirection, and more.

Generally, when an SSL certificate is installed on a domain, you will have two virtual host directives for that domain. The first is for the HTTP version of the site on port 80, and the other is for the HTTPS version on port 443.

In Red Hat-based distros such as CentOS and Fedora, virtual host files are stored in /etc/httpd/conf.d. On Debian and its derivatives like Ubuntu , the files are stored in the /etc/apache2/sites-available directory.

Before adding the redirect, make sure the domain has a valid TLS certificate and the HTTPS virtual host is working.

To redirect a website to HTTPS, use the Redirect directive as shown in the example below:

apache
<VirtualHost *:80> 
  ServerName example.com
  ServerAlias www.example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com

  Protocols h2 http/1.1

  # SSL Configuration

  # Other Apache Configuration

</VirtualHost>

Let’s explain the code. We have two virtual host directives, one for HTTP and one for the HTTPS version of the site.

  • VirtualHost *:80 - The Apache server listens for incoming connections on port 80 (HTTP) for the specified domain.
  • VirtualHost *:443 - The Apache server listens for incoming connections on port 443 (HTTPS) for the specified domain.

The ServerName and ServerAlias directives specify the virtual host’s domain names. Make sure you replace them with your domain name.

The highlighted line, Redirect permanent / https://example.com/ inside the HTTP virtual host, redirects the traffic to the HTTPS version of the site.

Typically you also want to redirect the HTTPS www version of the site to the non-www or vice versa. Here is an example configuration:

apache
<VirtualHost *:80> 
  ServerName example.com
  ServerAlias www.example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com

  Protocols h2 http/1.1

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  # SSL Configuration

  # Other Apache Configuration

</VirtualHost>

The code inside the HTTPS virtual host (the highlighted lines) checks whether the request header contains the www domain and redirects to the non-www version.

If the HTTPS virtual host is not configured or the certificate is missing, the redirect can cause a loop or a browser error. Make sure HTTPS works before enforcing the redirect.

Whenever you make changes to the configuration files, you need to restart or reload the Apache service for changes to take effect:

  • Debian and Ubuntu:

    Terminal
    sudo systemctl reload apache2

  • CentOS and Fedora:

    Terminal
    sudo systemctl reload httpd

Redirect HTTP to HTTPS using .htaccess

.htaccess is a configuration file on a per-directory basis for the Apache web server. This file can be used to define how Apache serves files from the directory where the file is placed and to turn additional features on or off.

Usually, the .htaccess file is placed in the domain root directory, but you can have other .htaccess files in the subdirectories.

This method requires the mod_rewrite module to be loaded on the Apache server. This module is loaded by default on most servers. If possible, prefer creating a redirection in the virtual host because it is simpler and safer.

To redirect all HTTP traffic to HTTPS, open the root .htaccess file and add the following code to it:

htaccess
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]

Here is what the code means:

  • RewriteEngine On - enables the Rewrite capabilities.
  • RewriteCond %{HTTPS} off - checks for HTTP connection, and if the condition is met, the next line is executed.
  • RewriteRule ^(.*)$ https://example.com/$1 [L,R=301] - redirect HTTP to HTTPS with status code 301 (Moved Permanently). Make sure you change the domain name.

The example below has an additional condition that checks whether the request begins with www. Use it to force all visitors to use the HTTPS non-www version of the site:

htaccess
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]

When editing the .htaccess file, you do not need to restart the server because Apache reads the file on each request.

Redirect to a Single Canonical Host

If you want to force all traffic to a single host (www or non-www), use a canonical redirect on the HTTPS virtual host. For example, to redirect all traffic to the non-www version:

apache
<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  # SSL Configuration
</VirtualHost>

Test the Redirect

Use curl to verify that HTTP requests redirect to HTTPS:

Terminal
curl -I http://example.com

You should see a 301 response and a Location header pointing to the HTTPS URL:

output
HTTP/1.1 301 Moved Permanently
Location: https://example.com/

Enable HSTS (HTTP Strict Transport Security)

HSTS tells browsers to always use HTTPS when connecting to your site, even if the user types http:// in the address bar. This prevents downgrade attacks and improves security.

Add the following header to your HTTPS virtual host:

apache
<VirtualHost *:443>
  ServerName example.com

  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

  # SSL Configuration
</VirtualHost>

The max-age value is in seconds. The example above sets it to one year (31536000 seconds). The includeSubDomains directive applies the policy to all subdomains.

To use the Header directive, the mod_headers module must be enabled. On Debian/Ubuntu, run:

Terminal
sudo a2enmod headers
sudo systemctl reload apache2

Troubleshooting

Redirect Loop

If your browser shows “too many redirects”, check that:

  • The HTTPS virtual host is properly configured and listening on port 443
  • The SSL certificate is valid and not expired
  • You are not redirecting HTTPS to HTTPS in the configuration

Mixed Content Warnings

After enabling HTTPS, your site may show mixed content warnings if some resources (images, scripts, CSS) are still loaded over HTTP. Update all internal links to use HTTPS or use protocol-relative URLs (//example.com/path).

Changes Not Taking Effect

If changes to the virtual host configuration are not working, make sure you reloaded Apache:

Terminal
sudo systemctl reload apache2  # Debian/Ubuntu
sudo systemctl reload httpd    # CentOS/Fedora

For .htaccess changes, verify that AllowOverride is set to All in the virtual host configuration.

Quick Reference

MethodWhen to Use
Virtual Host redirectPreferred method when you have server access
.htaccess redirectWhen you don’t have access to virtual host config
HSTS headerAdd after redirect is working to improve security

Conclusion

In Apache, the preferred way to redirect HTTP to HTTPS is to configure a 301 redirect in the domain’s virtual host. For additional security, enable HSTS to ensure browsers always use HTTPS.

Tags

apache

Linuxize Weekly Newsletter

A quick weekly roundup of new tutorials, news, and tips.

About the authors

Dejan Panovski

Dejan Panovski

Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.

View author page