Linux Sysadmin Blog

Linux Sysadmin Blog header image 2

Force url to use SSL/https

March 9th, 2009 · 10 Comments · hosting

In some cases you would want to have your site use SSL (https://) at all times you can do this by using:

1.) Using Htaccess/mod_rewrite. You only need to create a .htaccess file on your home directory and add the codes below:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
</IfModule>

The above codes may not work on other Apache/php setup but i’m not sure what’s the exact configuration variable for that.

Anyway, here are my alternatives. Either of them is fine if you’re running http and https on standard ports (http=80, https=443), otherwise change the value to your custom http or https port. Change domain.com to your domain.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://domain.tld/$1 [R,L]
</IfModule>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://domain.tld/$1 [L,R]
</IfModule>

2.) PHP function. If your site use PHP you can redirect the url to SSL/https using this function:
<?php
function ForceHTTPS(){
if( $_SERVER['HTTPS'] !=
"on") {
//if( $_SERVER['SERVER_PORT'] == 80 ) { <<-- use this line if the above will not work.

$new_url = "https://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
header(
"Location: $new_url");
exit; }
}
?>

If you are using an application/script wherein you can enter the settings for site url (either from database or config file), it is better to use that settings.

Let me know if you run into issues, maybe i can help. :)

About gerold

Gerold Mercadero has wrote 52 articles on this blog.

Random Posts

Tags:

10 Comments so far ↓

  • marius

    Gerold: it is a good policy to wrap such commands inside:
    <IfModule mod_rewrite.c>
    ...
    </IfModule>

    as this will prevent the htaccess rules to break the site completely if for some reason the module is not available or disabled.

  • teelah

    thanks!!!!
    I knew this was fairly simple to implement–for a personal site that is.

    But all I could ever find thru google was complicated gargles of configs, financial costs, and other headaches. Guess I just wasn’t coming up with the right google query.

    This was super easy! Took me 5 minute! thanks again…….

  • Mattias Berge

    you could also use the RedirectPermanent inside a directive:

    Servername secure.foobar.com
    RedirectPermanent / https://secure.foobar.com/

  • gerold

    @Marius – thank you, i updated the post.

    @Mattias – i agree, we can use this RedirectPermanent if we have access to Apache/virtualhost config. Thanks for the addition.

  • Bookmark: 301 (etc…) Redirect Cheatsheet - mod_rewrite, javascript, cfm, perl, php, refresh, python | Tech Space

    [...] .Force url to use SSL/https Related Posts:.htaccess redirect guideClassic Blogger and PHP?Redirect stdout output elsewhere in a Java AppletRip page to new window in firefoxUbiquity for Mozilla web browser Share and Enjoy: [...]

  • Harry

    Hey Gerold ,
    I am bit confused, do you mean i can have https url even i dont have SSL installed for my domain ? also what about the security issues ?
    Sorry for being noob ;)

    Thanks
    Harry.

  • gerold

    @Harry – it is assumed that SSL is installed on your domain – it could be dedicated, wildcard, shared, etc. What you mean by security issues?

  • harry

    Thanks for your positive feedback Gerold, well, if we install dedicated certificate for our domain then I think there’s no need to set redirect for the urls.

  • Jeff

    if( $_SERVER['HTTPS'] != “on”) {
    causes “PHP Notice: Undefined index: HTTPS…” error.

    I tried adding isset and !isset but it does not work. How can this resolved without altering my level of error reporting?

  • Tonje

    Hi, could any of you great developers show us a way or make some code or add-ins(exstension) that force our local PC browsers like Firefox,Opera,Chrome and IE to use SSL/https on pages like Facebook where SSL/https is possible but not the default options.

    I think there are some add-ins for Firefox and Chrome which is not the best options, but for Opera and IE I cant find anthing ???!!!

    Thank you in advance

Leave a Comment