How to force HTTPS using .htaccess file in cPanel

Once an SSL certificate is installed and the site can be reached via https:// appropriately, you might want to make it accessible via https:// by default. In other words, by typing domain.com in a web-browser, a user should be redirected to https://domain.com to access the site securely.

In this article, we’ll go through some of the basic types of HTTPS-redirection and show how it can be implemented in cPanel, using your .htaccess file.

The file itself can be found if you go to cPanel >> 'File Manager'. There, find the document root of your website. For primary cPanel domains, the folder is usually ‘public_html’. If the website is an add-on, you can look up its document root in 'Addon domains' section.

When you find the folder, the .htaccess file may already be there. To double-check it, click 'Settings' in the top-right corner and tick 'Show hidden files (dotfiles)'.

If the file did not appear, feel free to create it by clicking '+File'. Make sure to name the file '.htaccess', starting with the dot.

To open the file, right-click it, then click 'Edit'. In the next pop-up window, click 'Edit' as well.



Types of redirects

When it comes to setting up a rewrite rule, it is useful to know that there is a permanent redirection type and a temporary one. Each type is processed by search engines and web-browsers differently, and has its own status code, which can be specified in a rewrite rule explicitly:

  • Status code 301 'Moved permanently' (permanent redirect) implies that the requested resource has moved to a new location permanently, thus search engines should not take into account the references to a previous location and index a new one. Web-browsers, in turn, will store a new URL in cache, therefore, giving it priority over the initial URL.

  • Status code 302 'Moved Temporarily' (temporary redirect) means that the redirect has been set for a limited period of time. Search engines in this case should honor both locations as equal and the initial one would remain valid. Accordingly, browsers will not cache the new URL and the redirection will be executed every time the initial URL is requested.

NOTE: Enabling a 302 redirect for a long period of time can significantly decrease a website’s ranking in search results. In terms of HTTP-HTTPS redirect, all site requests are split between http://domain.com and https://domain.com, since both are indexed by search engines separately. Therefore, in most cases a 301 status code is preferable for HTTP-HTTPS redirects.

We will describe exactly where a status code needs to be specified in the next section.



Setting a rewrite rule in .htaccess: use cases

NOTE: The directives specified below work under their own syntax. Changing any symbol or character can lead to improper functioning or failure of the rewrite rule. To keep things clear, we have highlighted the parts that can be modified with red color (mostly where a certain domain name should be placed).

Let’s take an overview of the most common ways in which a redirection from HTTP to HTTPS can be configured.



Enabling an HTTPS redirect for all sites in a cPanel account

NOTE: If you already have some code in your .htaccess, add this one above the rules with a similar starting prefix.

To redirect all sites within a cPanel account, one of the following blocks should be added to the .htaccess file in the home directory of your cPanel (‘/home/cpanelusername/’):

a)
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

This block enables rewriting capabilities, verifies that the initial request does not already have https://, and rewrites the entire requested URL, replacing http:// with https:// (e.g., http://domain.com/subfolder/index.php will be replaced with https://domain.com/subfolder/index.php).

b)
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

This block works the same way as the previous one, just with the help of a different syntax. It is possible to use either of the above mentioned rewrite rules in order to redirect all sites within a cPanel account.



Disabling rewrite rule application for a specific site

If you need to setup a redirect for all sites within cPanel account except of example.com, the block of code specified below can be added to .htaccess in the home directory:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com|^(www\.)?example2\.com
RewriteRule .* - [L]
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

The first condition in the block matches the requested URL against the domain name, included to conditional value (the one that should NOT be redirected), and stops rewriting if they match. It is possible to add domain names to the conditional directive, separating them with the '|' symbol, or to specify several conditional directives, (see examples below).

a) Separating domains with '|'
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com|^(www\.)?example2\.com
RewriteRule .* - [L]
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

b) Specifying several conditions
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$ [OR]
RewriteCond %{HTTP_HOST} ^(www\.)?example2\.com$
RewriteRule .* - [L]
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]



Redirecting a single site from http:// to https:// or https://www

a) Redirects all http:// requests to the same page, but with https://

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^example\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule .* https://example.com%{REQUEST_URI} [R=301,L]
</IfModule>

b) Redirects all http:// requests to the same page, but with https://www.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^example\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule .* https://www.example.com%{REQUEST_URI} [R=301,L]
</IfModule>



Forcing ‘https://example.com’ or ‘https://www.example.com’

a) Redirects all http:// and https:// requests to the same page, but with https://example.com (also redirects from https://www.example.com to https://example.com)

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^example\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule .* https://example.com%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTPS} =on
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule .* https://example.com%{REQUEST_URI} [R=301,L]
</IfModule>

b) Redirects all http:// and https:// requests to the same page, but with https://www (also redirects https://example.com to https://www.example.com)

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^example\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule .* https://www.example.com%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTPS} =on
RewriteCond %{HTTP_HOST} ^example\.com$
RewriteRule .* https://www.example.com%{REQUEST_URI} [R=301,L]
</IfModule>



Forcing ‘http://’ or ‘http://www.’

a) Redirects all site visitors to the same page, but with forced http:// + redirects http://www.example.com to http://example.com

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{HTTPS} =on
RewriteCond %{HTTP_HOST} ^example\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule .* http://example.com%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule .* http://example.com%{REQUEST_URI} [R=301,L]
</IfModule>

b) Redirects all site visitors to the same page, but with forced http://www + redirects from http://example.com to http://www.example.com

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{HTTPS} =on
RewriteCond %{HTTP_HOST} ^example\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule .* http://example.com%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^example\.com$
RewriteRule .* http://www.example.com%{REQUEST_URI} [R=301,L]
</IfModule>



Redirect to/from a subdomain

a) Redirects from example.com or www.example.com (both http:// and https://) to a specific subdomain

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{HTTP_HOST} ^example\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule .* https://subdomain.example.com%{REQUEST_URI} [R=301,L]
</IfModule>

b) Redirects from a subdomain (both http:// and https://) to https://www.example.com

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{HTTP_HOST} ^subdomain\.example\.com$
RewriteRule .* https://www.example.com%{REQUEST_URI} [R=301,L]
</IfModule>



Redirect from http:// to https:// or https://www having CloudFlare Flexible SSL mode

a) Basic http:// to https:// redirection, but this block should be used along with CloudFlare Flexible SSL Mode

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTP_HOST} ^example\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule .* https://example.com%{REQUEST_URI} [R=301,L]
</IfModule>

b) The same rule, but redirects to https://www

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTP_HOST} ^example\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule .* https://www.example.com%{REQUEST_URI} [R=301,L]
</IfModule>



Enabling HTTPS for a specific subfolder

Sometimes you may need to redirect a certain part of a website located in a specific subfolder, while leaving the rest of the site as-is. To do this, insert the following block to .htaccess:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?subfolder/(.*) https://%www.example.com/subfolder/$1 [R,L]

This rule is applied if only the specified subfolder is mentioned in the initial request.



Forcing HTTPS for a specific page

The rewrite rule for redirecting a specific page is similar to the previous one:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^example\.html$ https://www.example.com/example.html [R,L]

Only the requested page will be redirected; other site content will remain unaffected.

If the page that needs to be redirected is located in a specific subfolder, the RewriteRule line should be modified as follows:

RewriteRule ^test/example\.html$ https://www.example.com/test/example.html [R,L]

(in the above example, 'test' is the subfolder in question)



Setting up redirect for a specific file name, regardless of location

If you have a number of pages with the same name, located in different subfolders (the example 'index.html' is used below), you may enable HTTPS redirect for all of them at once. Do this by applying the ruleset as shown below:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_FILENAME} index.html
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

Only the pages with the file names that match the {REQUEST_FILENAME} parameter value will be redirected to HTTPS.



Partial redirect to https://

a) Redirects all site to https:// except for one page (example.com/some_http_page.html)

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^example\.com$
RewriteCond %{REQUEST_URI} !^/some_http_page\.html$
RewriteRule .* https://example.com%{REQUEST_URI} [R=301,L]
</IfModule>

b) Redirects only one page example.com/some_https_page.html to https://

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^example\.com$
RewriteCond %{REQUEST_URI} ^/some_https_page\.html$
RewriteRule .* https://example.com%{REQUEST_URI} [R=301,L]
</IfModule>



How to specify a redirect status code in rewrite rule

Each rewrite rule ends with so-called 'rewrite flags' (specified in square brackets, e.g. [R,L]). These flags help to control the rewriting process to be performed correctly. To set a redirect with a 301 status code (permanent), you will need to assign this code to the R-flag in brackets by adding '=301'.


NOTE: If there is no value specified for the R-flag, a redirection will be executed with a 302 status code by default.

Once complete, a redirect functioning and its status code can be checked with the help of this tool.

Comments

We welcome your comments, questions, corrections and additional information relating to this article. Your comments may take some time to appear. Please be aware that off-topic comments will be deleted.

If you need specific help with your account, feel free to contact our Support Team. Thank you.

Need help? We're always here for you.

× Close