Https to http redirect using htaccess

apache .htaccess http https

284,387

Solution 1

Attempt 2 was close to perfect. Just modify it slightly:

RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

UPDATE:

Above solution works from a technical point of view. BUT:

Since a few years now the user will receive a huge warning indicating that the connection is not private. That is to be expected: none of today's browsers will silently switch from an encrypted to a not encrypted connection, for obvious reasons ... You cannot get around that behavior of standard browsers. That however has nothing to do with the redirection itself. It is how the web works today, how users are protected from criminal intents.

Solution 2

However, if your website does not have a security certificate, it's on a shared hosting environment, and you don't want to get the "warning" when your website is being requested through https, you can't redirect it using htaccess. The reason is that the warning message gets triggered before the request even goes through to the htaccess file, so you have to fix it on the server. Go to /etc/httpd/conf.d/ssl.conf and comment out the part about the virtual server 443. But the odds are that your hosting provider won't give you that much control. So you would have to either move to a different host or buy the SSL just so the warning does not trigger before your htaccess has a chance to redirect.

Solution 3

You can use the following rule to redirect from https to http :

 RewriteEngine On


RewriteCond %{HTTPS} ^on$
RewriteRule ^(.*)$ http://example.com/$1 [NC,L,R]

Explanation :

RewriteCond %{HTTPS} ^on$

Checks if the HTTPS is on (Request is made using https)

Then

RewriteRule ^(.*)$ http://example.com/$1 [NC,L,R]

Redirect any request (https://example.com/foo) to http://example.com/foo .

$1 is part of the regex in RewriteRule pattern, it contains whatever value was captured in (.+) , in this case ,it captures the full request_uri everything after the domain name.
[NC,L,R] are the flags, NC makes the uri case senstive, you can use both uppercase or lowercase letters in the request.

L flag tells the server to stop proccessing other rules if the currunt rule has matched, it is important to use the L flag to avoid rule confliction when you have more then on rules in a block.

R flag is used to make an external redirection.

Solution 4

RewriteEngine On
RewriteCond %{SERVER_PORT} 443
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Solution 5

The difference between http and https is that https requests are sent over an ssl-encrypted connection. The ssl-encrypted connection must be established between the browser and the server before the browser sends the http request.

Https requests are in fact http requests that are sent over an ssl encrypted connection. If the server rejects to establish an ssl encrypted connection then the browser will have no connection to send the request over. The browser and the server will have no way of talking to each other. The browser will not be able to send the url that it wants to access and the server will not be able to respond with a redirect to another url.

So this is not possible. If you want to respond to https links, then you need an ssl certificate.

View more solutions

284,387

Ansh

Updated on July 05, 2022

Comments

Ansh almost 2 years
I'm trying to redirect https://www.example.com to http://www.example.com. I tried the following code in the .htaccess file
```
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
```
This code successfully redirects https://example.com to http://www.example.com. However when I type in https://www.example.com then it gives me a "web page not available" error in the browser.

I have also tried the following 2 codes without success

Attempt 1
```
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*):NOSSL$ http://www.example.com/$1 [R=301,L]
```
Attempt 2
```
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
```
Both above attempts failed. Any suggestions?
marknt15 about 9 years

Thank you for this answer. As our existing site don't have an SSL certificate so that's why no matter how correct my .htaccess is, it will not work.
Pageii Studio about 8 years

@arkascha I've tried the various methods shared here but none worked. Yes I tested in on a shared environment. SSL is not active though a shared SSL is free. The https link in question was historic/inherited from a previously SSL-enabled environment. I don't mind the browser warning (in dev mode) but I needed the redirect at least to happen. Any one able to offer any more leads?
ProfNandaa over 7 years

Will be good to use R=302 if you don't wish to make permanent. This landed me in trouble when my SSL expired and I wanted to temporarily move back to http before I go through the painful renewal procedures.
arkascha over 7 years

Painful renewal? Should be either a flip of certificare files or a simple script execution... The issue with 302 is that clients have to follow it each time, so you raise the number of requests for client and server side.
Ankur Jain over 7 years

@arkascha Just wanted to understand, the RewriteCond will act as a if statement write? I mean only where it finds https it will run next rewrite rule. I am asking since Google has automatically taken a couple of https url in its index without us linking them from anywhere. Hence to rule out any miscong we are using the code above to 302 all https url
arkascha over 7 years

You are basically correct. It certainly does make sense for you to take a look into the excellent documentation:httpd.apache.org/docs/current/mod/mod_rewrite.‌html
arkascha over 7 years

Apart from that: google indeed prefers ssl variants of urls, if it can find them. With very good reasons. I dont see a reason why you would want to prevent that...
Harry Matharoo about 7 years

this help me a lot.
Lorenzo Magon almost 6 years

This solution worked well in a specific server hosting (ergonet.it) when the others mentioned above cause the error "Too many redirects", thank you!
Frank Conijn - Support Ukraine almost 6 years

Valid answer. I wanted to redirect IE9 from https to http, because of incompatible security protocols (TLS 1.0 is not maintained anymore). But whatever I did, it didn't work. Caused by the fact that the security protocol comes into effect before the .htaccess commands.
frank_108 almost 5 years

This works fine for www and non www redirection from https to http.
DrupalFever almost 4 years

I found out that the new Microsoft Edge works even on a shared host site. Firefox and Chrome continue to give the warning but the new Edge sees the .htaccess information before redirecting to a warning. The new Edge browser with the Chromium engine is awesome!
Naren Verma almost 4 years

@arkascha, Is this working in 2020? I tested this code and it's working on firefox but not working in chrome.
arkascha almost 4 years

This has nothing to do with a browser. Rewriting operates on the server side. It handles requests. So yes, this works in 2020. Maybe you were looking at a cached result when testing with the chrome browser.
MrWhite about 3 years

Checking against the X-Forwarded-Proto HTTP request header would be required if your application server is behind a front-end proxy that manages the secure connection.
user9437856 over 2 years

@arkascha, I tested this code but I am getting the error. The connection has timed out. some time Your connection is not private
arkascha over 2 years

@user9437856 I cannot say anything about the connection timeout, that has nothing to do with a redirection. The warning indicating that your connection is not private is to be expected: none of todays browsers will silently switch from an encrypted to n unencrypted connection, for obvious reasons ... You cannot get around that behavior of standard browsers. But again, this has nothing to do with the rewriting itself. It is how the web works today.
user9437856 over 2 years

@arkascha, When I add the above code then I am getting the error.
arkascha over 2 years

@user9437856 I very well understood that. But that does not change what I wrote as a reply to that. What you observe (the warning / error), is not the actual redirection, which apaprently works as expected. But the browser's reaction to that redirection. Nothing wrong with the code above, nothing wrong with your setup. But the situation has changed since 2012, that's all. In short: you cannot make a redirection from https to http anymore except in extremely special situations.
user9437856 over 2 years

@arkascha, Thank you for the explanation. I got your point.
Naren Verma about 2 years

I know the answer is too old but It's not working for me.
arkascha about 2 years

@NarenVerma Did you really read the comments here? Where I explain why that is not working any more? And why that actually is a good thing?
Naren Verma about 2 years

@arkascha, Yes, I read the comment. Can you update the same in the post? You can check the above comment. I also commented the same in 2020. So better for every once just updates your answer. It will help everyone.
Naren Verma about 2 years

@arkascha, Thank you so much for updating the answer.