Although installing an SSL certificate on a website provides the possibility of accessing it with the secure https:// protocol, the protocol is not used by default. To make sure that the website is accessed using the https:// protocol by default, you will need to set up an automatic redirect.
If you have a control panel installed over Apache, you will need to set up redirects in the panel itself and not on the server to avoid redirect loops or incorrect module execution. Check out our guide on how to set up a HTTPS redirect in cPanel here.
An Apache redirect should be used if you are not using cPanel or any other control panel or GUI (graphical user interface).
Enable Apache Redirect in the Virtual Host
Enabling the redirect in the Virtual Host file is safer and simpler than other options presented in this guide. The configuration is also similar for all systems. It involves adding a specific piece of code to the Virtual Host file. Usually, there are two Virtual Host files on Apache if an SSL certificate is installed: one is for the non-secure port 80, and the other is for the secure port 443.
- Locate the VirtualHost configuration for port 80 by running the following command:
- for Debian-based servers (Ubuntu):
apachectl -S
- for RHEL-based servers (CentOS):
httpd -S
- The redirect to HTTPS can be enabled in the Virtual Host file for port 80. If you would like to force HTTPS for all web pages, you can use the following set of directives:
- to redirect everything to https://yourdomain.com:
<VirtualHost *:80>
ServerName yourdomain.com
Redirect permanent / https://yourdomain.com/
</VirtualHost>
<VirtualHost _default_:443>
ServerName yourdomain.com
DocumentRoot /usr/local/apache2/htdocs
SSLEngine On
...
</VirtualHost>
- to redirect everything to https://www.yourdomain.com:
<VirtualHost *:80>
ServerName www.yourdomain.com
Redirect permanent / https://www.yourdomain.com/
</VirtualHost>
<VirtualHost _default_:443>
ServerName www.yourdomain.com
DocumentRoot /usr/local/apache2/htdocs
SSLEngine On
...
</VirtualHost>
- to redirect a specific directory (/secure in our case):
<VirtualHost *:80>
ServerName www.yourdomain.com
DocumentRoot /usr/local/apache2/htdocs
Redirect permanent /secure https://yourdomain.com/secure
</VirtualHost>
<VirtualHost _default_:443>
ServerName www.yourdomain.com
DocumentRoot /usr/local/apache2/htdocs
SSLEngine On
...
</VirtualHost>
Note:
In order to apply the changes made in the configuration file, the
server has to be restarted. Here are console commands for both system
types:
Debian-based:
sudo service apache2 restart
RHEL-based:
sudo service httpd restart
Use .htaccess to Redirect to HTTPS
As an alternative, you can modify the .htaccess file. This file is usually located in the website document root directory and is used to implement redirect rules as well as some others (such as rules that affect how the content is linked on the website, file permissions, etc.).
Keep in mind that .htaccess isn’t available by default. In order to enable it, locate and edit the VirtualHost file as follows:
After the VirtualHost block, add the following lines:
....
</VirtualHost>
<Directory /usr/local/apache2/htdocs>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
After that, it will be possible to add configurations to .htaccess files.
The following command can be used to locate the .htaccess file (if it already exists):
find / -type f -name ".htaccess"
If the command returns nothing, the .htaccess file should be created in the main document root folder.
The following directive can be added to the .htaccess file (which is placed in the document root folder of the website) to secure all the pages of the website:
- to redirect everything to https://yourdomain.com:
Redirect permanent / https://yourdomain.com
- to redirect everything to https://www.yourdomain.com:
Redirect permanent / https://www.yourdomain.com
- to redirect only a specific directory (/secure in our case):
Redirect permanent /secure https://yourdomain.com/secure
Note: it’s recommended that you place this code at the very top of the .htaccess file so that it can overwrite other conflicting codes.
Use Apache Rewritecond - mod_rewrite Rule
Using the mod_rewrite rule is recommended for experienced users, as the exact configuration can be different on different systems. This rule can be placed in either the Virtual Host configuration file or the .htaccess file.
To set up redirects using rewrite rules, Apache requires rewrite module (mod_rewrite) to be enabled.
To enable this module on a Debian-based (Ubuntu) OS, run the below command:
sudo a2enmod rewrite
If the module is enabled, the following message will be sent by the server:
Module rewrite already enabled
The rewrite module is usually enabled by default on RHEL-based OS. The following line should be present in the main config file:
LoadModule rewrite_module modules/mod_rewrite.so
Make sure it is not commented. If this line is not in in the main configuration file, install the rewrite module by running this command:
sudo yum install mod_rewrite
The syntax of mod_rewrite rules can be complicated; for example, if you want to redirect to HTTPS in certain subfolders that consist of other subfolders. If you are not sure whether mod_rewrite can be used, it is better to enable the redirect to HTTPS in the Virtual Host file.
If you want to create a redirect for all pages, the mod_rewrite rule should look like this:
- to redirect everything to https://yourdomain.com:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
Note: The code for www is the same as for non-www, however, for it to work correctly, the ServerName needs to be set as www in the VirtualHost configuration code.
- to redirect a specific directory (/secure in our case):
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?secure/(.*) https://%{SERVER_NAME}/secure/$1 [R=301,L]
Note: To set a temporary redirect, change the 301 status code (permanent) to 302 (temporary) on the R-flag.
Now your website will be available via HTTPS by default. To check if the redirects work correctly, you can either clear the cache in the browser you usually use and open your website, or try checking it in another browser.
