Force HTTPS connections in an Apache server environment.

HTTPS connections can be enforced on visitors to your site by several different methods. If you are using a content management system like WordPress, you can explore plugins like WordPress HTTPS (SSL) to set all or specific sections of your site to use secure connections.

However, administrators with sufficient access may prefer to enforce HTTPS connections at a higher level. This article shows the most straightforward method for doing this in Apache server environments.

Apache can be extended via modules to add new useful functions. One of the most popular Apache modules is mod_rewrite, which enables redirection to control your visitor’s options and shape traffic on your site. Most web hosting companies using Apache will already have mod_rewrite activated by default and will give you appropriate permissions to edit your settings. (Please contact your host directly if this is not the case.)

The data structure for an Apache server will always include at least one .htaccess file, which acts as a configuration file for the directory the file is located in. (Note that the period indicates this is a “hidden” file – you may need to adjust the settings in your text editor to view and edit these.) Multiple .htaccess files can be created in different directories to define how different sections of your site function.

The .htaccess file is consulted by httpd (the Apache server process) for directions on how to handle a request for access to a page, file or directory, and the mod_rewrite module will handle these directions appropriately.

You may configure your site’s .htaccess file to direct all visitors to use HTTPS. This can be done either for the entire site or for a given section of it.


To secure your entire site:

  1.  Open the .htaccess file in your site’s document root.
  2.  Add the following:

    RewriteEngine On
    # This will enable the Rewrite capabilities

    RewriteCond %{SERVER_PORT} ^80$
    # This checks to make sure the connection is not already HTTPS – port 80 indicates a non-secured HTTP connection.
    # The pattern is a regular expression, so it is anchored to match port 80 only (a bare 80 would also match 8080).

    RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
    # This rule will redirect users from their original location to the same location but using HTTPS.
    # Example: Visitors trying to access http://www.example.com/somesubsection/ will be redirected to https://www.example.com/somesubsection/

Remember to change the URL in the example above to the actual URL you wish to protect.



To secure a specific directory on your site:

The solution below should be applied in a .htaccess file in the directory to be secured. (If no .htaccess file exists, you can create a new one. Note that any .htaccess file in a directory tree operates on all subdirectories, and rules in a higher level .htaccess file will be applied unless overridden by rules in a lower level .htaccess file.)

  1. Open or create the .htaccess file.
  2. Add the following:

    RewriteEngine On
    # This will enable the Rewrite capabilities

    RewriteCond %{SERVER_PORT} ^80$
    # This checks to make sure the connection is not already HTTPS – port 80 indicates a non-secured HTTP connection.
    # The pattern is a regular expression, so it is anchored to match port 80 only (a bare 80 would also match 8080).

    RewriteRule ^(.*)$ https://www.domain.com/somesubsection/$1 [R=301,L]
    # This rule will redirect users from their original location in /somesubsection/ to the same location but using HTTPS.
    # Example: Visitors trying to access http://www.domain.com/somesubsection/ will be redirected to https://www.domain.com/somesubsection/

Again, make sure to change the domain name and directory to the actual URL and directory you wish to secure.
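
To confirm that either rule set behaves as intended once it is in place, the following check (an added example, not part of the original article) evaluates the response a server gives to a plain-HTTP request: it should be a 301 whose Location header points to the same path and query string over HTTPS on the host named in the rule. The function names and sample responses are constructed for illustration, and www.example.com is the placeholder host used above.

```python
import http.client
from urllib.parse import urlsplit

def evaluate_redirect(requested_url, status, location, expected_host):
    """Return the problems found in the response to a plain-HTTP request."""
    req = urlsplit(requested_url)
    problems = []
    if status != 301:
        problems.append(f"status is {status}, expected 301")
    if not location:
        return problems + ["no Location header"]
    loc = urlsplit(location)
    if loc.scheme != "https":
        problems.append(f"Location uses {loc.scheme or 'no'} scheme, expected https")
    if loc.hostname != expected_host:
        problems.append(f"Location host is {loc.hostname}, expected {expected_host}")
    if (loc.path or "/") != (req.path or "/"):
        problems.append(f"path changed from {req.path or '/'} to {loc.path or '/'}")
    if loc.query != req.query:
        problems.append("query string not preserved")
    return problems

def fetch(requested_url, timeout=5):
    """Send one HEAD request over plain HTTP; http.client never follows redirects."""
    req = urlsplit(requested_url)
    conn = http.client.HTTPConnection(req.hostname, req.port or 80, timeout=timeout)
    try:
        target = (req.path or "/") + (f"?{req.query}" if req.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample responses (not captured from a real server):
# (requested URL, status, Location header)
SAMPLES = [
    ("http://www.example.com/somesubsection/?a=1", 301,
     "https://www.example.com/somesubsection/?a=1"),
    ("http://www.example.com/somesubsection/", 302,
     "https://www.example.com/somesubsection/"),
    ("http://www.example.com/somesubsection/page.html", 301,
     "https://www.example.com/"),
]

if __name__ == "__main__":
    for url, status, location in SAMPLES:
        issues = evaluate_redirect(url, status, location, "www.example.com")
        print(url, "->", "OK" if not issues else "; ".join(issues))
```

Against a live site, pass the values returned by fetch(url) to evaluate_redirect together with the host from your own RewriteRule.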

For more information on the configuration of your .htaccess file in your specific hosting environment, please contact your hosting provider.