Redirect HTTP to HTTPS
In addition to www canonicalization, you can also canonicalize the HTTP protocol, redirecting HTTP to HTTPS (or vice versa) using Apache/.htaccess. Below you will find several ways to force SSL/TLS for all URI requests. This is especially useful for sites with existing links pointing to unencrypted http:// URLs. Enforcing use of SSL/HTTPS helps to eliminate duplicate content and preserve precious link equity to your canonical set of pages.
Requirements
First, you need to have an SSL certificate installed on your Apache server. The techniques provided in this tutorial assume that SSL is working properly. If in doubt about this, ask your web host for help. Then once you’ve got SSL set up, you can use any of the following techniques to make sure that all requests are served via the HTTPS protocol (or HTTP if preferred).
Additionally you will need access to your site’s public root .htaccess file (or you can use the Apache configuration file), in order to add the required Apache/.htaccess rules.
It’s probably also a good idea to put your site into maintenance mode, if necessary, while making changes to .htaccess. That way the search engines won’t notice any intermittent or unexpected scenarios.
Reminder: Always make a backup of your .htaccess file before making any changes!
.htaccess redirect HTTP to HTTPS (or vice versa)
Below you will find four techniques for redirecting all requests to the HTTPS protocol. The first technique may be used for testing, to give you an idea of your server’s current handling of URI requests.
After testing, you may use any of the other three techniques to ensure that all requests always are served via SSL/HTTPS (or plain HTTP if preferred). All three redirect techniques accomplish the same goal, so feel free to use whichever one works best with your site configuration.
Method 1: Check if HTTPS is enabled
The first thing to do is check if HTTPS is enabled on your Apache server. You can do that by adding the following code to your site’s root .htaccess file:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} ^on$ [NC]
RewriteCond %{QUERY_STRING} !https-is-on [NC]
RewriteRule (.*) /?https-is-on [R=301,L]
</IfModule>
This technique checks if HTTPS is enabled on your server. If so, then it will redirect the request to your homepage with the query string https-is-on appended. You can perform the inverse test by changing on to off. After testing with this code, remove it and choose one of the following three techniques to ensure SSL for all requests.
Method 2: Redirect all to HTTP or HTTPS
This is the SSL-redirect method that I use for my own Apache-powered sites. It is as simple as possible and just works. It’s also nice because no changes are required: you can simply drop it in to any Apache-powered website and you’re good to go.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
How does it work? Here is a line-by-line breakdown:
- Check if the Apache rewrite module is available
- If so, then make sure the rewrite module is enabled
- Check if HTTPS (SSL) is off for the request
- If so, then the request is redirected to HTTPS
- Close the check for the rewrite module
Note: to change this technique instead to redirect from HTTPS to HTTP, change the RewriteCond to on and replace https with http in the RewriteRule. Also, if HTTP_HOST isn’t working as expected, try using SERVER_NAME instead.
Method 3: Redirect all to HTTP or HTTPS
This method is the same as #2, only here we are hard-coding the redirect protocol and domain name for greater control and customization. So if the previous technique does not work on your server for whatever reason, try this one instead.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://example.com/$1 [R=301,L]
</IfModule>
This code works the same way as it does in method #2. The only difference is that here, the redirect destination is written explicitly. So you can replace example.com with your own domain, and/or include a www prefix if desired. In that case, you would want to use this code instead:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule (.*) https://www.example.com/$1 [R=301,L]
</IfModule>
Notice the difference between this and the previous technique. Here we add another rewrite condition that checks the request for the www prefix. If the request does not include the prefix, OR if HTTPS is “off”, the request is redirected to the canonical version of the URL. This ensures that all requests are served via SSL/HTTPS, and also that the www prefix (i.e., subdomain) always is included in the request URI.
Note: to change this technique instead to redirect from HTTPS to HTTP, change the RewriteCond to on and replace https with http in the RewriteRule.
Method 4: Redirect all to HTTP or HTTPS
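This alternate method uses the server port to test for SSL/HTTPS. If the request did not arrive on the SSL port, it is redirected to the HTTPS protocol.
<IfModule mod_rewrite.c>
RewriteEngine On
# Redirect only when the request did not arrive on the HTTPS port
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://example.com/$1 [R=301,L]
</IfModule>
As written, this code checks if the request is on any port other than 443, which is the common port for encrypted connections. A condition of ^443$ without the ! would match only requests that already arrived over HTTPS and send them to the same URL again, which is a redirect loop. Your server may or may not be using port 443, so ask your web host if unsure.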
FYI: here is some alternate logic for the RewriteRule:
RewriteRule (.*) https://example.com%{REQUEST_URI} [R=301,L]
Note: edit the example.com to match your own domain. To change this technique instead to redirect HTTPS to HTTP, change the server port from 443 (https) to the default http server port (typically 80), and replace https with http in the RewriteRule.
Notes
Note that every server setup is different, and redirecting HTTPS to HTTP (or vice versa) is one of those tasks that seems simple but actually requires either access to the Apache configuration file or some trial-and-error using different .htaccess techniques. In other words, as far as I know, there is no one-size-fits-all .htaccess solution for redirecting HTTP to HTTPS. Even so, there are a variety of methods available that seem to work depending on server configuration.
Also: if none of the code snippets are working when placed in the root .htaccess file contained in the /http/ (or similar) directory, try placing them in the root .htaccess file contained in the /https/ directory (if it exists, again it all depends on server configuration). Never hesitate to ask your web host for help if/when needed.
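One way to take the guesswork out of that trial and error is to follow the redirect chain yourself and check where it ends. The following is an added example, not code from the original tutorial: check_redirect, simulated_apache and the fetch(url) interface are hypothetical names, and the simulated server is a constructed stand-in that assumes HTTPS is served on port 443.

```python
from urllib.parse import urlsplit, urljoin

def check_redirect(fetch, start_url, canonical_host, max_hops=5):
    """Follow redirects from start_url and return (ok, reason, chain).

    fetch(url) returns (status, location) and must NOT follow redirects itself.
    """
    chain, url = [], start_url
    for _ in range(max_hops + 1):
        if url in chain:
            return False, "redirect loop", chain + [url]
        chain.append(url)
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        if status != 301:
            return False, f"non-permanent redirect ({status})", chain
        url = urljoin(url, location)
    else:
        return False, "too many hops", chain
    start, final = urlsplit(start_url), urlsplit(url)
    if final.scheme != "https":
        return False, "final URL is not HTTPS", chain
    if final.hostname != canonical_host:
        return False, "final host is not canonical", chain
    if (final.path, final.query) != (start.path, start.query):
        return False, "path or query string changed", chain
    return True, "ok", chain

def simulated_apache(condition, target_host):
    """Constructed stand-in for a server running one RewriteCond/RewriteRule pair."""
    def fetch(url):
        u = urlsplit(url)
        if condition(u.scheme == "https", u.hostname):
            query = "?" + u.query if u.query else ""
            return 301, f"https://{target_host}{u.path}{query}"
        return 200, None
    return fetch

# Models of the conditions (assumes HTTPS is served on port 443).
www_and_https = lambda https, host: not https or not host.startswith("www.")
port_is_443 = lambda https, host: https          # RewriteCond %{SERVER_PORT} ^443$
port_is_not_443 = lambda https, host: not https  # RewriteCond %{SERVER_PORT} !^443$

if __name__ == "__main__":
    for name, cond in [("^443$", port_is_443), ("!^443$", port_is_not_443)]:
        server = simulated_apache(cond, "example.com")
        for url in ("http://example.com/a?x=1", "https://example.com/a?x=1"):
            print(name, url, check_redirect(server, url, "example.com")[:2])
```

Against a live site, pass a fetch function that issues a single request without following redirects and returns the status code and Location header.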