Force HTTPS Redirect in Apache (Using mod_rewrite)

In this article, we’ll show a basic method to force an HTTP-to-HTTPS redirect for clients on your website. Forced HTTPS keeps users from accidentally browsing over unencrypted HTTP. By forcing all connections over SSL, the user’s information is encrypted in transit and protected from interception.

One of the most commonly asked questions is: Why should I use an SSL certificate? Standalone HTTP leaves traffic unencrypted and susceptible to snooping. Purchasing a certificate (or using a free one) ensures a secure and encrypted session between your users and server. A forced HTTPS redirect keeps your users from accidentally browsing over unencrypted sessions, thus keeping their connection and data safe.

Step 1: Ensure Apache is installed

On CentOS/RHEL:

sudo yum install httpd

On Debian/Ubuntu:

sudo apt install apache2

After installing Apache2, start and enable the service. Afterwards, verify that it is reachable through a web browser. If you are unable to see the Apache2 default webpage, check your firewall rules for port 443.

Step 2: Enable mod_rewrite module

The module is enabled by default on CentOS/RHEL. You can verify by looking for this line in your httpd.conf file:

LoadModule rewrite_module modules/mod_rewrite.so

On Debian/Ubuntu, you can enable the module by running:

sudo a2enmod rewrite

Step 3: .htaccess Configuration

To accomplish the actual HTTPS redirect, create a .htaccess file in the domain root directory and add the following code. Apache does not need a restart for this change, because the .htaccess file is read every time a user accesses the web page. Apache only reads .htaccess files where the server configuration permits it through the AllowOverride directive. Be sure to replace “example.com” with your real domain.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]

All done! Your page is now secured with HTTPS.
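To confirm that the rule from Step 3 behaves as intended, the script below (an added example, not part of the original article) checks a set of response headers for a 301 status and a Location of https://example.com/ followed by the originally requested path and query string, which mod_rewrite carries over unchanged. The function name check_redirect, the helper sample_ok and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example: check response headers against the redirect configured in Step 3.
# Usage against a live site (example.com is the article's placeholder domain):
#   curl -sI 'http://example.com/docs/page?id=7' | check_redirect '/docs/page?id=7' example.com

# check_redirect PATH HOST: reads HTTP response headers on stdin.
# Returns 0 for a 301 to https://HOST + PATH, 1 for a wrong status,
# 2 for a wrong or missing Location header.
check_redirect() {
    want="https://$2$1"
    headers=$(tr -d '\r')                       # HTTP header lines end in CRLF
    status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1) == "location:" { print $2; exit }')

    if [ "$status" != "301" ]; then
        echo "FAIL: status is '$status', expected 301 (R=301)" >&2
        return 1
    fi
    if [ "$location" != "$want" ]; then
        echo "FAIL: Location is '$location', expected '$want'" >&2
        return 2
    fi
    echo "OK: 301 -> $location"
}

# Constructed sample response (not captured from a real server).
sample_ok() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\nLocation: https://example.com/docs/page?id=7\r\n\r\n'
}

sample_ok | check_redirect '/docs/page?id=7' example.com
```

A result of 1 usually means the rule is not being applied at all (for example a 200 served over plain HTTP), while 2 points at a redirect that drops the path or does not target HTTPS.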