Thursday, April 17, 2014

Apache: How To Redirect http to https

If you want to direct traffic from your http so that it gets encrypted, this is really easy to do in Apache:

Step one: Set up your https vhost:

<IfModule mod_ssl.c>
<VirtualHost 10.1.1.1:443>
DocumentRoot /var/www
# other server options go here as needed
# - logging for example
SSLEngine on
SSLCertificateFile /etc/ssl/certs/example.cert
SSLCertificateKeyFile /etc/ssl/private/example.key
# Add other SSL specific options as needed</pre>
</VirtualHost>
</IfModule>

Step two: Set up your http vhost:

<VirtualHost 10.1.1.1:80>
ServerName my.example.com
RedirectPermanent / https://my.example.com/
</VirtualHost>

We have previously posted more information on enabling SSL in Apache.

Obviously, instead of 10.1.1.1 and my.example.com you'll have to use your own IP and hostname, whatever they may be.

Note that this will redirect everything from http to https. Finer control is possible, for example you could do:

RedirectPermanent /secure/ https://my.example.com/secure/

Or you could use RewriteRules for even more control. However, in the age of mass surveillance and constant threats from hackers, a general redirect to https is a good idea.

3 comments:

  1. Hi, I've had problem because I only bought cert for non www for example myweb.com so when client entered www.myweb.com will cause problem. They will not redirected to https://myweb.com. So here's the fix:

    NameVirtualHost *:80

    ServerName myweb.com
    ServerAlias www.myweb.com
    RedirectPermanent / https://myweb.com/


    Thought I could share here. Thanks again.

    ReplyDelete
  2. Yup, myweb.com (without a preceding hostname) and www.myweb.com are unique and would require different certificates. myweb.com - without a prefix - would also not be covered by a *.myweb.com wildcard certificate, which is counter-intuitive to a lot of people. Thanks for your comment, passerby!

    ReplyDelete
  3. Just want to let the readers know that they must include the bracket angle and slash. Wordpress is filtering html code so they must edit accordingly. Thanks

    ReplyDelete