Force Apache to send to HTTPS - I have everything else ready

I just obtained my SSL certificate, and have modified my virtual host file.

The site works now when I go to https://. But if I type in http:// Apache is not automatically sending me to the https://.

I'm on Debian 7.4. Anyone familiar with making this work? Thanks!!!

12 Replies

The more common way to do this is via .htaccess by placing the following towards the top of it;

RewriteEngine On 
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$$1 [R,L]

If for some reason your apache doesn't use the %{HTTPS} bit (I forget but I think there's some cases it won't?), try the following instead

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$$1 [R,L]

If you have the RewriteEngine On already in your .htaccess, disregard the first line and just make sure you tuck the other two directly under the already existing one (of course replace with your domain as well).

It's worth noting though, Apache suggests handling this at the main VHost level;

If you would like your entire domain to always be https://, make sure you enable HSTS as well (this will need mod_headers enabled in your main apache config);

Header set Strict-Transport-Security "max-age=31536000"

If you would like to cover all subdomains of your main domain as well;

Header set Strict-Transport-Security "max-age=31536000;includeSubdomains"

It's worth noting in this case however, in some CGI/FastCGI models that it might not work, so you may have to send this particular header from whatever backend language you're working from.

Might also be worth looking into HPKP if you're really into that extra bit of 'security' for your https:// config.

And of course last but not least, always make sure you do a run of your domain after you set up your https:// through SSL Labs' test just to make sure you don't have any potential issues/weaknesses :P

Thanks so much for the detailed info.

After I posted, I succeeded in getting it to work, but then every other site on my Linode redirected to the one site with HTTPS. I removed all changes, rebooted the Linode, and then none of the sites would even load.

I'm restoring from backup as I type.

So….kind of perplexed on this. I thought I could enable SSL for only one site, while still serving up the other non-SSL sites under the same IP.

If this is possible, I'll try your steps above. Maybe I'm trying something that isn't even doable.

The first two examples I gave (with the RewriteEngine bit) were designed as noted to go into an .htaccess file, specifically an .htaccess file under the main webroot of whatever domain you want it to affect (eg; /var/www/

I tried your instructions for the htaccess. It worked, however every site on my Linode then redirected to the https site…even though I only edited the .htaccess file on that site. It's so weird. I'm about to just pay Linode to do this. Thought I could do it, but holy crap.

Yeah that's… really not how it should be happening unless all other 'sites' (eg; domains) are also pointing to that directory in their vhosts configuration.

You didn't do the RewriteRule based one and the RedirectSSL page I linked here; did you?

You only need one or the other, that URL there will technically do what you're describing, but if you take that route it's not necessary to do the .htaccess model then, but you may run into an issue where all things redirect if you use something that doesn't support SNI properly I believe.

Simple solution is to undo the RedirectSSL changes if you did them and stick with just .htaccess.

I restored my Linode again, and started over with reissuing the cert, etc.

Still cannot get the .htaccess thing to work. Not sure what I'm doing wrong. If I type in the https:// it works without issue. But the redirect doesn't.

Here's my htaccess without the redirect…maybe something is screwed up in it?

#WFIPBLOCKS - Do not remove this line. Disable Web Caching in Wordfence to remove this data.
Order Deny,Allow
Deny from
Deny from
#Do not remove this line. Disable Web Caching in Wordfence to remove this data - WFIPBLOCKS
#WFCACHECODE - Do not remove this line. Disable Web Caching in Wordfence to remove this data.
 <ifmodule mod_deflate.c="">AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
     <ifmodule mod_headers.c="">Header append Vary User-Agent env=!dont-vary</ifmodule> 
     <ifmodule mod_mime.c="">AddOutputFilter DEFLATE js css htm html xml</ifmodule></ifmodule> 
 <ifmodule mod_mime.c="">AddType text/html .html_gzip
    AddEncoding gzip .html_gzip
    AddType text/xml .xml_gzip
    AddEncoding gzip .xml_gzip</ifmodule> 
 <ifmodule mod_setenvif.c="">SetEnvIfNoCase Request_URI \.html_gzip$ no-gzip
    SetEnvIfNoCase Request_URI \.xml_gzip$ no-gzip</ifmodule> 
 <ifmodule mod_headers.c="">Header set Vary "Accept-Encoding, Cookie"</ifmodule> 
 <ifmodule mod_rewrite.c="">#Prevents garbled chars in cached files if there is no default charset.
    AddDefaultCharset utf-8
    #Cache rules:
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTPS} on
    RewriteRule .* - [E=WRDFNC_HTTPS:_https]
    RewriteCond %{HTTP:Accept-Encoding} gzip
    RewriteRule .* - [E=WRDFNC_ENC:_gzip]
    RewriteCond %{REQUEST_METHOD} !=POST
    RewriteCond %{HTTPS} off
    RewriteCond %{QUERY_STRING} ^(?:\d+=\d+)?$
    RewriteCond %{REQUEST_URI} (?:\/|\.html)$ [NC]

    RewriteCond %{HTTP_COOKIE} !(comment_author|wp\-postpass|wf_logout|wordpress_logged_in|wptouch_switch_toggle|wpmp_switcher) [NC]

    RewriteCond %{REQUEST_URI} \/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)(.*)$
    RewriteCond "%{DOCUMENT_ROOT}/wp-content/wfcache/%{HTTP_HOST}_%1/%2~%3~%4~%5~%6_wfcache%{ENV:WRDFNC_HTTPS}.html%{ENV:WRDFNC_ENC}" -f
    RewriteRule \/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)(.*)$ "/wp-content/wfcache/%{HTTP_HOST}_$1/$2~$3~$4~$5~$6_wfcache%{ENV:WRDFNC_HTTPS}.html%{ENV:WRDFNC_ENC}" [L]</ifmodule> 
#Do not remove this line. Disable Web caching in Wordfence to remove this data - WFCACHECODE
# Use PHP5.4 as default
AddHandler application/x-httpd-php54 .php
# BEGIN WordPress
 <ifmodule mod_rewrite.c="">RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule ^assets/(.*) /wp-content/themes/roots/assets/$1 [QSA,L]
RewriteRule ^plugins/(.*) /wp-content/plugins/$1 [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]</ifmodule> 

# END WordPress

This is what I did in default-ssl for my SSL virtual host.

Appears to work ok.


        # Redirect all http trafic to https
        Redirect /</virtualhost> 

 <ifmodule mod_ssl.c=""><virtualhost""></virtualhost></ifmodule> 


This is what I did in default-ssl for my SSL virtual host.

Appears to work ok.


        # Redirect all http trafic to https
        Redirect /</virtualhost> 

 <ifmodule mod_ssl.c=""><virtualhost""></virtualhost></ifmodule> 

Thanks- I added that to my .conf file (my default-ssl.conf is full of bumpf for whatever reason, so that file is cleaner… but it didn't seem to do anything, nor did it address the permalink issue.

Things have changed in Debian Jessie. This needs to go in 000-default.conf now, not in default-ssl and all site configs have to end in .conf (if you are using Jessie)

Remember to reload Apache.

Also <ifmodule mod_ssl.c=""><virtualhost""></virtualhost></ifmodule> is only a fraction of default-ssl. It was just a place holder to show that the non ssl virtual host part was inserted at the top of default-ssl.

Super! It is now redirecting to https… at least the home page is.

I'm still getting the error on other pages though, due to wordpress permalink issues I believe… when I change them to the default setting in wordpress it is fine, but when I switch the permalink, the pages break…

I feel that my .htaccess isn't working properly, as I think this code should resolve the permalinks:

# BEGIN WordPress
 <ifmodule mod_rewrite.c="">RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]</ifmodule> 

# END WordPress

Any thoughts on that aspect?

I don't use wordpress, so I can't provide any guidance on the htaccess stuff.

You could try installing WP under the ssl root directory.

As long as the program exists under ssl website, it should work.

You may need to add another redirect like this:

        # Redirect all http trafic to https
        Redirect /
        Redirect /wordpress

Or this may not help at all.

OK thanks for the suggestion, and the help overall- i'll look. I think it has something to do with AllowOveride ALL but not sure which file to put that in.. will tinker around.


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct