Redirect HTTP to HTTPS in Apache

Apache HTTP server is one of the most popular web servers in the world. It is an open-source and cross-platform HTTP server that powers a large percentage of the Internet’s websites. Apache provides many powerful features that can be extended through additional modules.

If you are a website owner or system administrator, chances are that you’re dealing with Apache on a regular basis. One of the most common tasks you’ll likely perform is redirecting the HTTP traffic to the secured (HTTPS) version of your website.

Unlike HTTP, where requests and responses are sent and returned in plaintext, HTTPS uses TLS/SSL to encrypt the communication between the client and the server.

There are many advantages of using HTTPS over HTTP, such as:

  • All the data is encrypted in both directions. As a result, sensitive information cannot be read if intercepted.
  • Google Chrome and all other popular browsers will mark your website as safe.
  • HTTPS allows you to use the HTTP/2 protocol, which significantly improves the site performance.
  • Google favors HTTPS websites. Your site will rank better if served via HTTPS.

This guide covers how to redirect the HTTP traffic to HTTPS in Apache.

There are several ways to redirect to HTTPS in Apache. If you have root access to the Linux server where Apache runs, the preferred way is to set up the redirection in the domain’s virtual host configuration file. Otherwise, you can set up the redirection in the domain’s .htaccess file.
Some control panels, such as cPanel, allow you to force HTTPS redirection with a few mouse clicks.

Redirect HTTP to HTTPS using Virtual Host

Apache Virtual Hosts define the settings of one or more domains hosted on the server. In the virtual host directive, you can specify the site document root (the directory which contains the website files), create a separate security policy for each site, use different SSL certificates, configure redirection, and much more.

Typically, when an SSL certificate is installed on a domain, you will have two virtual host directives for that domain: the first one for the HTTP version of the site on port 80, and the other for the HTTPS version on port 443.

In Red Hat-based distros such as CentOS and Fedora, virtual host files are stored in the /etc/httpd/conf.d directory, while on Debian and its derivatives like Ubuntu the files are stored in the /etc/apache2/sites-available directory.

To redirect a website to HTTPS, use the Redirect directive as shown in the example below:

<VirtualHost *:80> 
  ServerName example.com
  ServerAlias www.example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com

  Protocols h2 http/1.1

  # SSL Configuration

  # Other Apache Configuration

</VirtualHost>

Let’s explain the code. We have two virtual host directives, one for the HTTP and one for the HTTPS version of the site.

  • VirtualHost *:80 - The Apache server listens for incoming connections on port 80 (HTTP) for the specified domain.
  • VirtualHost *:443 - The Apache server listens for incoming connections on port 443 (HTTPS) for the specified domain.

The ServerName and ServerAlias directives specify the virtual host’s domain names. Make sure you replace them with your domain name.

The line Redirect permanent / https://example.com/ inside the HTTP virtual host redirects the traffic to the HTTPS version of the site.

Typically you also want to redirect the HTTPS www version of the site to the non-www or vice versa. Here is an example configuration:

<VirtualHost *:80> 
  ServerName example.com
  ServerAlias www.example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com

  Protocols h2 http/1.1

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  # SSL Configuration

  # Other Apache Configuration

</VirtualHost>

The code inside the HTTPS virtual host (the If block) checks whether the request's Host header is the www domain and, if so, redirects to the non-www version.

Whenever you make changes to the configuration files, you need to restart or reload the Apache service for the changes to take effect:

  • Debian and Ubuntu:

    sudo systemctl reload apache2

  • CentOS and Fedora:

    sudo systemctl reload httpd

Redirect HTTP to HTTPS using .htaccess

.htaccess is a configuration file on a per-directory basis for the Apache webserver. This file can be used to define how Apache serves files from the directory where the file is placed and to enable/disable additional features.

Usually, the .htaccess file is placed in the domain root directory, but you can have other .htaccess files in the subdirectories.

This method requires the mod_rewrite module to be loaded on the Apache server. This module is loaded by default on most servers. If possible, prefer creating a redirection in the virtual host because it is simpler and safer.

To redirect all HTTP traffic to HTTPS, open the root .htaccess file, and add the following code to it:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]

Here is what the code means:

  • RewriteEngine On - enables the Rewrite capabilities.
  • RewriteCond %{HTTPS} off - checks for HTTP connection, and if the condition is met, the next line is executed.
  • RewriteRule ^(.*)$ https://example.com/$1 [L,R=301] - redirect HTTP to HTTPS with status code 301 (Moved Permanently). Make sure you change the domain name.

The example below has an additional condition that checks whether the requested host name begins with www. Use it to force all visitors to use the HTTPS non-www version of the site:

RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]

When editing the .htaccess file, you do not need to restart the server because Apache reads the file on each request.
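
To confirm that either setup (virtual host or .htaccess) behaves as intended, the following added example, which is not part of the original article, checks a response captured with curl -sI: the status must be 301 and the Location header must be the exact HTTPS non-www URL with the path preserved. The function name check_redirect, its return codes and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): check one redirect response.
# Usage: curl -sI http://www.example.com/blog/post | check_redirect https://example.com/blog/post
# Return codes: 0 ok, 1 status is not 301, 2 no Location header,
#               3 Location is not https://, 4 Location differs from the expected URL.
check_redirect() {
  expected=$1
  headers=$(tr -d '\r')              # HTTP header lines end in CRLF
  status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
  location=$(printf '%s\n' "$headers" |
    awk 'tolower($1) == "location:" { print $2; exit }')   # curl prints HTTP/2 names in lowercase

  [ "$status" = "301" ] || return 1
  [ -n "$location" ] || return 2
  case $location in
    https://*) ;;
    *) return 3 ;;
  esac
  [ "$location" = "$expected" ] || return 4
  return 0
}

# Constructed sample responses (not captured from a real server).
sample_ok()        { printf 'HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\nLocation: https://example.com/blog/post\r\n\r\n'; }
sample_http2()     { printf 'HTTP/2 301\r\nlocation: https://example.com/blog/post\r\n\r\n'; }
sample_temporary() { printf 'HTTP/1.1 302 Found\r\nLocation: https://example.com/blog/post\r\n\r\n'; }
sample_downgrade() { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: http://example.com/blog/post\r\n\r\n'; }
sample_lost_path() { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n'; }

# Run every sample against the canonical URL and show the return code.
for s in sample_ok sample_http2 sample_temporary sample_downgrade sample_lost_path; do
  rc=0
  $s | check_redirect https://example.com/blog/post || rc=$?
  echo "$s -> $rc"
done
```

Run it against http://example.com, http://www.example.com and https://www.example.com with the same expected URL; each should return 0.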

Conclusion

In Apache, the preferred way to redirect HTTP to HTTPS is to configure the 301 redirect in the domain’s virtual host.

If you have any questions or feedback, feel free to leave a comment.