How to redirect all HTTP requests to HTTPS
Solution 1
Update: Although this answer has been accepted a few years ago, note that its approach is now recommended against by the Apache documentation. Use a Redirect
instead. See this answer.
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Solution 2
The Apache docs recommend against using a rewrite:
To redirect
http
URLs tohttps
, do the following:<VirtualHost *:80> ServerName www.example.com Redirect / https://www.example.com/ </VirtualHost> <VirtualHost *:443> ServerName www.example.com # ... SSL configuration goes here </VirtualHost>
This snippet should go into main server configuration file, not into .htaccess
as asked in the question.
This article might have come up only after the question was asked and answered, but seems to be the current way to go.
Solution 3
I'd recommend with 301 redirect:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Solution 4
As I was saying in this question, I'd suggest you avoid redirecting all HTTP requests to their HTTPS equivalent blindly, as it may cause you a false impression of security. Instead, you should probably redirect the "root" of your HTTP site to the root of your HTTPS site and link from there, only to HTTPS.
The problem is that if some link or form on the HTTPS site makes the client send a request to the HTTP site, its content will be visible, before the redirection.
For example, if one of your pages served over HTTPS has a form that says <form action="http://example.com/doSomething">
and sends some data that shouldn't be sent in clear, the browser will first send the full request (including entity, if it's a POST) to the HTTP site first. The redirection will be sent immediately to the browser and, since a large number of users disable or ignore the warnings, it's likely to be ignored.
Of course, the mistake of providing the links that should be to the HTTPS site but that end up being for the HTTP site may cause problems as soon as you get something listening on the HTTP port on the same IP address as your HTTPS site. However, I think keeping the two sites as a "mirror" only increases the chances of making mistakes, as you may tend to make the assumption that it will auto-correct itself by redirecting the user to HTTPS, whereas it's often too late. (There were similar discussions in this question.)
Solution 5
I found out that the best way for https and www on domain is
RewriteCond %{HTTPS} off
RewriteCond %{HTTPS_HOST} !^www.example.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301]
Comments
-
Cat almost 2 years
I'm trying to redirect all insecure HTTP requests on my site (e.g.
http://www.example.com
) to HTTPS (https://www.example.com
). How can I do this in .htaccess file?By the way, I'm using PHP.
-
ajinzrathod over 3 yearsWhere can i find the main server configuration file
-
qba-dev over 3 yearsthere is no
HTTPS_HOST
variable available in Apache htaccess. OnlyHTTP_HOST
can be used. Also, you could add[OR]
at the end of first condition to make it overall more flexible, as now it could only redirect non-ssl non-www requests. -
qba-dev over 3 yearsNo
HTTPS_HOST
variable is accessible in Apachehtaccess
by default. You can only useHTTP_HOST
. Also your third condition is redundant, as first condition already filters out non-ssl requests. -
Meryan about 3 yearsI like not having to duplicate the VirutalHost record for *:80 and *:443, Chrome is happy with a padlock however Firefox says "Parts of the this page are not surecure (such as images). How to fix that?? support.mozilla.org/en-US/kb/mixed-content-blocking-firefox
-
Admin about 3 yearsFor newbies this shall redirect
example.com
,http://example.com
tohttps://example.com
andwww.example.com
,http://www.example.com
tohttps://www.example.com
- see other answers for removing the www -
William Entriken about 3 yearsYour wording is too strong a damnation of this answer. In that link, Apache says: "If, for whatever reason, you still want to use
mod_rewrite
... you might use". And of course if you don't have access to the server config (99% of users) then this answer is good. -
King nima over 2 yearsI like your PHP approach. Nice
-
Hasanuzzaman Sattar about 2 yearsThis answer should be on the top!