htaccess HTTPS / SSL Tips, Tricks, and Hacks


Apache has the best SSL/HTTPS support, which can be controlled from the httpd.conf file or another HTTPD server configuration file. This htaccess tutorial provides example code that makes it easy to secure a site with HTTPS and SSL on Apache.


Redirect non-https requests to https server

Fixes double-login problem and guarantees that htpasswd basic authorization can only be entered using HTTPS.

NOTE: You will only find this method on this site and it is the most secure way to do this.

SSLOptions +StrictRequire
SSLRequire %{HTTP_HOST} eq ""
ErrorDocument 403

Rewrite non-https to HTTPS without mod_ssl!

NOTE: The HTTPS variable is always present, even if mod_ssl isn't loaded!

Based on HTTPS variable (best)

RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]


Based on SERVER_PORT

RewriteCond %{SERVER_PORT} !^443$
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

Redirect everything served on port 80 to HTTPS URI

RewriteCond %{SERVER_PORT} ^80$
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

Redirect particular URLs to a secure version in an SSL SEO method

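# Server/virtual-host context: a pattern starting with ^/ never matches in .htaccess, where the path is matched without its leading slash.
RewriteRule "^/normal/secure(/.*)" "https://%{HTTP_HOST}$1" [R=301,L]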

Check to see whether the HTTPS environment variable is set

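# As written this needs server/virtual-host context; in .htaccess the pattern would be ^(secure/.*) with a target of https://%{HTTP_HOST}/$1
RewriteCond %{HTTPS} !=on
RewriteRule "^(/secure/.*)" "https://%{HTTP_HOST}$1" [R=301,L]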

Rewrite to SSL or NON-SSL using relative URL!

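This lets you use hyperlinks like this:

/doc.html:SSL   -->
/doc.html:NOSSL -->

# Leading-slash patterns match in server/virtual-host context only; in .htaccess use ^(.*):SSL$ and ^(.*):NOSSL$
RewriteRule ^/(.*):SSL$   https://%{SERVER_NAME}/$1 [R,L]
RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [R,L]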
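
The site-wide redirect from this page, written for per-directory (.htaccess) use, as an added example that is not part of the original page. It assumes the file sits in the document root; the X-Forwarded-Proto condition assumes a TLS-terminating proxy in front of Apache that overwrites that header, one common cause of an endless redirect when only %{HTTPS} is tested.

```apache
# Added example, not from the original page. Place in the document root's .htaccess.
RewriteEngine On

# Site-wide: send plain-HTTP requests to HTTPS with a permanent redirect
# (R=301; a bare [R] sends a temporary 302).
#
# The second condition is for a TLS-terminating proxy or load balancer: there
# the backend always sees HTTPS=off, so testing %{HTTPS} alone redirects forever.
# ASSUMPTION: the proxy sets (and overwrites) X-Forwarded-Proto. Drop that line
# when Apache terminates TLS itself, otherwise a client can send the header over
# plain HTTP and skip the redirect.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

# Alternative, one path only: per-directory patterns are matched without the
# leading slash, so "^/secure/..." from server context becomes "^secure/...".
# RewriteCond %{HTTPS} !=on
# RewriteRule ^(secure/.*)$ https://%{SERVER_NAME}/$1 [R=301,L]
```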



April 10th, 2007

Comments Welcome

  • Jamie Souef

    thank you! The amount of times I've looked up .htaccess issues in Google and your site has come up with the answer - life saver.

  • Daniel Norton

    Careful with "Redirect Everything", above. Redirect rules apply only in their own directory. If a URL refers to a different directory, the rules of that directory and its .htaccess file will apply. (A child directory can request inheritance of its parent's rules using RedirectOptions Inherit, but a parent can't force its rules on a child.)

  • Steve

    excellent help. I use this for deciphering if https is on or off. Always transferring the user to index.php (which is my intention)

    RewriteCond %{HTTPS} =on
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . https://%{SERVER_NAME}/index.php [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . http://%{SERVER_NAME}/index.php [L]

    Thanks a lot for the tip

  • rankONE


    We are having a problem with a client's website. Basically, we don't use SSL on our website but Google has indexed all the pages with https and http. So, now it thinks as duplication of content. We tried to rewrite https url to http using .htaccess but it didn't work because the hosting doesn't support as it is cloud hosting. Below is what we got from the hosting company

    As the apache servers are located in a cloud environment you will need to detect SSL via the following directive in a .htaccess file:

    RewriteCond %{ENV:HTTP_NR_SSL} ^1$

    As for redirecting to another URL, this is not supported by our servers as this requires the Options FollowSymLinks directive.

    You could rewrite SSL requests to a PHP script that could then parse the referer and then redirect it to the non SSL site. This would achieve what you are trying to accomplish.

    Can you please tell me how to do the last part in wordpress, in short I want to rewrite/redirect all https to http and have http only indexed in google.


  • Liza Overgaard

    Hello there,
    Maybe Apache has been updated or something else has changed since this article was written. The codes cause an infinite loop because the left side of the pattern keeps becoming equal to the right side. I've searched the web for solutions, but none of them work. I've ploughed through Apache's documentation of mod_rewrite without finding any useful remedies. I'm beginning to think there is no way to remedy the problem.

    Options +FollowSymLinks
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTPS} !=on
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

    The code above causes an endless loop, and cannot be resolved by the browser.

    And no this does not stop the loop:

    RewriteCond %{ENV:REDIRECT_STATUS} 200
    RewriteRule .* - [L]

    Nor does this:

    RewriteCond %{ENV:REDIRECT_STATUS} 0
    RewriteRule .* - [L]

    Some have suggested this rewrite rule instead:

    RewriteRule ^(.*)/$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

    This one actually works in the sense that you DO get redirected to https. However the loop must still be going on cause the url gets full of forward slashes like this: /////////////////////. Pretty? Not so much but worse still is if you'd like to use authentication and .htpasswd (I do) you'll be asked to log in again and again and again... I don't know how many times because tenacity failed me.

    Then I thought: Maybe it's the slash in the RewriteRule. Remove it, and the endless loop causing a browser error reappears.

    I don't know what to do or try next.

  • Marc

    Hi, it seems that the rules in my htaccess never execute when the request is a https one. Is there something I'm missing in my conf file? The rewrite rules do execute when I put them directly in my conf file. What gives?

    ServerName cl
    RewriteEngine On
    RewriteLog "/web/mwm/www/rewrite_ssl.log"
    RewriteLogLevel 8
    RewriteCond %{SCRIPT_FILENAME} !-f
    RewriteCond %{SCRIPT_FILENAME} !-d
    RewriteRule ^(.+) index.php$1 [E=VAR1:$1,QSA,L,PT]
    DocumentRoot /web/mwm/cl/public_html/
        Options FollowSymLinks
        AllowOverride None
        Options +FollowSymLinks -MultiViews
        AllowOverride all
        Order allow,deny
        allow from all
  • Ruby

    Hi! I've been following your site for a while now and finally got the courage to go ahead and give you a shout out from Dallas Tx! Just wanted to tell you keep up the excellent job!
