Apache Rewrite HTTP to HTTPS

If you have an SSL certificate and want to force the use of HTTPS on your Apache server, you can do this with mod_rewrite by adding code to your .htaccess file.

Post updated: January 22, 2014

From the Apache Wiki:

Note: Using mod_rewrite to do this isn’t the recommended behavior. See RedirectSSL.
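
The approach that note points to, shown as an added example that is not from the original post or the wiki page: a plain Redirect in the port-80 virtual host. It assumes access to the server configuration (the VPS case rather than shared hosting); the hostnames, DocumentRoot and certificate paths are placeholders.

```apache
# Added example, not from the original post. This goes in the server
# configuration (for example a virtual host file), not in .htaccess.
# www.example.com, example.com and all /path/to/... values are placeholders.

# Plain-HTTP virtual host: its only job is to send clients to HTTPS.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    # Redirect is prefix-based, so /some/page becomes
    # https://www.example.com/some/page. The target host is fixed here
    # and is not taken from the request.
    Redirect permanent / https://www.example.com/
</VirtualHost>

# HTTPS virtual host: serves the actual site and carries no redirect,
# so there is no redirect loop.
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot "/path/to/public_html"
    SSLEngine on
    SSLCertificateFile    "/path/to/example.com.crt"
    SSLCertificateKeyFile "/path/to/example.com.key"
</VirtualHost>
```

Because the redirect lives only in the port-80 virtual host, no RewriteCond on %{HTTPS} is needed to avoid looping.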

Disclaimer

In this post I’m sharing my experiences with you and do not claim to be an expert on this subject. My intent is to help you in your research. Proceed at your own risk.

Here are some examples of what I’ve used successfully in various server environments.

This is what has worked on VPS:

Example 1

The example below takes any HTTP request and redirects it to HTTPS, including subdomains. This means that if you have http://sub.example.com, it will be rewritten to https://sub.example.com/sub, unlike Example 2, where subdomains are left alone. The URL example.com is rewritten to HTTPS. Just copy and paste this into the .htaccess file in the root of your “public_html” directory (or equivalent). I put mine at the top. In this example there is no need to modify the code to use your domain name; it’s ready to use as-is.

See the Apache Wiki for more HTTP to HTTPS details.

# BEGIN REWRITE SITEWIDE HTTP TO HTTPS

# This will enable the Rewrite capabilities
RewriteEngine On

# This checks to make sure the connection is not already HTTPS
RewriteCond %{HTTPS} !=on

# This rule will redirect users from their original location, to the same location but using HTTPS.
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]

# END REWRITE SITEWIDE HTTP TO HTTPS

Example 2

The example below takes any HTTP request and redirects it to HTTPS, excluding subdomains. This means that if you have http://sub.example.com, it will be left alone and not rewritten to https://sub.example.com/sub as in Example 1. The URL example.com is still rewritten to HTTPS. Just copy and paste this into the .htaccess file in the root of your “public_html” directory (or equivalent). I put mine at the top. Be sure to change the domain name example.com to your own.

See the Apache Wiki for more HTTP to HTTPS details.

# BEGIN REWRITE SITEWIDE HTTP TO HTTPS EXCEPT SUBDOMAINS

# This will enable the Rewrite capabilities
RewriteEngine On

# This checks to make sure the connection is not already HTTPS
RewriteCond %{HTTPS} !=on

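# This limits the rule to example.com and www.example.com.
# The dots are escaped so they match a literal "."; NC makes the match case-insensitive.
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$ [NC]

# This rule redirects to the same location on https://www.example.com
RewriteRule ^/?(.*)$ https://www.example.com/$1 [R=301,L]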

# END REWRITE SITEWIDE HTTP TO HTTPS EXCEPT SUBDOMAINS

This is what has worked on shared hosting:

Example 3

When on shared hosting, Examples 1 and 2 didn’t work for me.

The example below takes any HTTP request and redirects it to HTTPS, including subdomains. This means that if you have http://sub.example.com, it will be rewritten to https://example.com/sub, unlike Example 2, where subdomains are left alone. The URL example.com is rewritten to HTTPS. Just copy and paste this into the .htaccess file in the root of your “public_html” directory (or equivalent). I put mine at the top. Be sure to change the domain name example.com to your own.

# BEGIN HTTPS
RewriteEngine On
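# This checks that the request arrived on port 80.
# The pattern is anchored so that it does not also match ports such as 8080.
RewriteCond %{SERVER_PORT} ^80$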
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
# END HTTPS

I hope this helps! Feel free to post your comments and suggestions below!