Redirect HTTP to HTTPS Using .htaccess

In today’s world, security is of paramount importance when it comes to web applications. One of the simplest ways to enhance your website’s security is by enforcing HTTPS, which stands for Hypertext Transfer Protocol Secure. HTTPS ensures that all communication between the browser and the website is encrypted.

When a user visits your website over an unsecured HTTP connection, we ideally want to redirect them to the secure HTTPS version. This is where Apache’s .htaccess file comes into play.

In Apache web servers, the .htaccess (hypertext access) file is a directory-level configuration file that allows for decentralized management of web server configuration. You can use .htaccess to rewrite URLs, password-protect directories, enable/disable additional functionalities, and much more. In this blog post, we’ll focus on how to use .htaccess to redirect all HTTP traffic to HTTPS.

The .htaccess File

The .htaccess file should be located in the root directory of your website. If the file doesn’t already exist, you can create it using a plain text editor. Note that the file has no base name, only the extension .htaccess, so the name starts with a dot.

Now, let’s dive into the code to achieve this HTTP to HTTPS redirect.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Here’s what each line does:

  1. RewriteEngine On: This line enables the runtime rewriting engine. Essentially, it tells the server to start interpreting the rewrite rules that follow.
  2. RewriteCond %{HTTPS} off: This is a condition that checks whether HTTPS is off for the current request. If it is, the following RewriteRule will be executed.
  3. RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]: This is the rule that will be executed if the preceding condition is met. Its pattern (.*) matches every request, and the substitution sends the client to the same host (%{HTTP_HOST}) and the same requested resource (%{REQUEST_URI}), but over HTTPS. The [R=301,L] flags indicate that it is a permanent redirect (301) and that this should be the last rule processed (L). Note that %{HTTP_HOST} is taken from the client’s Host header, so the redirect target is whatever host name the client asked for; the VirtualHost examples below redirect to a fixed ServerName instead.

By incorporating these lines into your .htaccess file, you can ensure that all incoming HTTP traffic is seamlessly redirected to HTTPS, making your website more secure.

With a little knowledge of how .htaccess works and some simple code, you can significantly improve your website’s security and user trust in a short amount of time.

Redirect Request to SSL on Apache

NameVirtualHost *:80
<VirtualHost *:80>
   ServerName mysite.example.com
   DocumentRoot /usr/local/apache2/htdocs
   Redirect /secure https://mysite.example.com/secure
</VirtualHost>

<VirtualHost _default_:443>
   ServerName mysite.example.com
   DocumentRoot /usr/local/apache2/htdocs
   SSLEngine On
# etc...
</VirtualHost>

When redirecting everything you don’t even need a DocumentRoot:

NameVirtualHost *:80
<VirtualHost *:80>
   ServerName www.example.com
   Redirect / https://secure.example.com/
</VirtualHost>

<VirtualHost _default_:443>
   ServerName secure.example.com
   DocumentRoot /usr/local/apache2/htdocs
   SSLEngine On
# etc...
</VirtualHost>

Note: most browsers cache a permanent redirect, so use a temporary one while testing. Once the configuration is working as intended, a permanent redirection can be considered. The directive would then become:

Redirect permanent / https://secure.example.com/
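After deploying either the .htaccess rule above or the Redirect directives in this section, the sensible check is to look at what a plain-HTTP client actually receives. The following is an added example, not code from the original post or from Apache: it parses the head of a raw HTTP response (as curl -i prints it) and reports whether the redirect is permanent, goes to https://, keeps the same host, and preserves the path and query string. The sample responses and the host mysite.example.com / path /secure/page?id=7 are constructed for the example.

```python
"""Offline checker for an HTTP-to-HTTPS redirect (added example, not the post's code)."""
from urllib.parse import urlsplit

# Constructed request the client sent over plain HTTP.
SAMPLE_HOST = "mysite.example.com"
SAMPLE_TARGET = "/secure/page?id=7"

# Constructed sample responses, as a client would receive them.
GOOD_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://mysite.example.com/secure/page?id=7\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# Location still points at http://: the client will either loop or stay in the clear.
LOOP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: http://mysite.example.com/secure/page?id=7\r\n"
    "\r\n"
)
# Temporary redirect, e.g. a plain "Redirect" before switching to "Redirect permanent".
TEMP_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://mysite.example.com/secure/page?id=7\r\n"
    "\r\n"
)


def parse_response_head(raw):
    """Split a raw HTTP/1.x response into (status code, {lower-case header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(raw, request_host, request_target):
    """Return a list of findings; an empty list means the redirect is as expected."""
    status, headers = parse_response_head(raw)
    if status not in (301, 302, 307, 308):
        return [f"status {status} is not a redirect: the resource is served over plain HTTP"]
    findings = []
    if status in (302, 307):
        findings.append(f"status {status} is temporary; switch to a permanent redirect once verified")
    location = headers.get("location")
    if location is None:
        findings.append("redirect response carries no Location header")
        return findings
    got = urlsplit(location)
    want = urlsplit("http://" + request_host + request_target)
    if got.scheme != "https":
        findings.append(f"Location scheme is {got.scheme!r}, not https (possible redirect loop)")
    if (got.hostname or "") != request_host:
        findings.append(f"Location host {got.hostname!r} differs from requested host {request_host!r}")
    if got.path != want.path:
        findings.append(f"Location path {got.path!r} differs from requested path {want.path!r}")
    if got.query != want.query:
        findings.append(f"query string changed from {want.query!r} to {got.query!r}")
    return findings


if __name__ == "__main__":
    for name, raw in (("good", GOOD_RESPONSE), ("loop", LOOP_RESPONSE), ("temporary", TEMP_RESPONSE)):
        print(name, check_redirect(raw, SAMPLE_HOST, SAMPLE_TARGET) or ["ok"])
```

To run it against a real server, capture the response head with `curl -si http://your-host/some/path?x=1` (curl follows no redirects unless told to) and pass that text, the host you requested and the request-target to check_redirect. A non-empty finding list after the .htaccess rule is in place usually means the rule never fired (no redirect at all) or, behind a TLS-terminating proxy, that the server never sees HTTPS as on.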

—————

To require TLS for a single directory instead of redirecting, mod_ssl’s SSLRequireSSL denies any request to it that does not arrive over HTTPS:

<Directory /topsecret>
  SSLRequireSSL
</Directory>

References
https://wiki.apache.org/httpd/RedirectSSL
https://serverfault.com/questions/429634/restrict-apache-to-only-allow-access-using-ssl-for-some-directories
https://www.tecmint.com/redirect-http-to-https-on-apache/

Configure Let’s Encrypt for Apache on Ubuntu

sudo apt-get install python-letsencrypt-apache
letsencrypt --apache
nano /etc/apache2/apache2.conf
<VirtualHost *:443>
   SSLEngine on
   SSLCertificateKeyFile /etc/letsencrypt/live/dl.mhdr.ir/privkey.pem
   SSLCertificateFile /etc/letsencrypt/live/dl.mhdr.ir/cert.pem
   SSLCertificateChainFile /etc/letsencrypt/live/dl.mhdr.ir/chain.pem
   DocumentRoot "/var/www/html/dl"
   ServerName dl.mhdr.ir
</VirtualHost>
service apache2 restart

PPA

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache

Note: only the last VirtualHost will be detected by letsencrypt.

References
https://certbot.eff.org/#ubuntuxenial-apache
https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension
https://letsencrypt.org/