How to redirect all HTTP requests to HTTPS

Question

I\'m trying to redirect all insecure HTTP requests on my site (e.g. http://www.example.com) to HTTPS (https://www.example.com). I\'m using PHP btw.

Answer 1

Using the following code in your .htaccess file automatically redirects visitors to the HTTPS version of your site:

RewriteEngine On

RewriteCond %{HTTPS} off

RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If you have an existing .htaccess file:

Do not duplicate RewriteEngine On.

Make sure the lines beginning RewriteCond and RewriteRule immediately follow the already-existing RewriteEngine On.

Answer 2

Do everything that is explained above for redirection. Just add "HTTP Strict Transport Security" to your header. This will avoid man in the middle attack.

Edit your apache configuration file (/etc/apache2/sites-enabled/website.conf and /etc/apache2/httpd.conf for example) and add the following to your VirtualHost:

# Optionally load the headers module:
LoadModule headers_module modules/mod_headers.so

<VirtualHost 67.89.123.45:443>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
</VirtualHost>

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Answer 3

If you are using Apache, mod_rewrite is the easiest solution, and has a lot of documentation online how to do that. For example: http://www.askapache.com/htaccess/http-https-rewriterule-redirect.html

Answer 4

Through .htaccess This will help.

RewriteEngine On


RewriteBase /
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Also, Refer this for More Detail. How To Redirect Http To Https?

Answer 5

If you want to do it from the tomcat server follow the below steps

In a standalone Apache Tomcat (8.5.x) HTTP Server, how can configure it so if a user types www.domain.com, they will be automatically forwarded to https(www.domain.com) site.

The 2 step method of including the following in your [Tomcat_base]/conf/web.xml before the closing tag

step 1: 
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPSOnly</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

and setting the [Tomcat_base]/conf/server.xml connector settings:

step 2:
<Connector URIEncoding="utf-8" connectionTimeout="20000" port="80" protocol="HTTP/1.1" redirectPort="443"/>
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="[keystorelocation]" type="RSA" />
</SSLHostConfig>
</Connector>

Note: If you already did the https configuration and trying to redirect do step 1 only.

Answer 6

If you are in a situation where your cannot access the apache config directly for your site, which many hosted platforms are still restricted in this fashion, then I would actually recommend a two-step approach. The reason why Apache themselves document that you should use their configuration options first and foremost over the mod_rewrite for HTTP to HTTPS.

First, as mentioned above, you would setup your .htaccess mod_rewrite rule(s):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Then, in your PHP file(s) (you need to do this where ever it would be appropriate for your situation, some sites will funnel all requests through a single PHP file, others serve various pages depending on their needs and the request being made):

<?php if ($_SERVER['HTTPS'] != 'on') { exit(1); } ?>

The above needs to run BEFORE any code that could potentially expose secure data in an unsecured environment. Thus your site uses automatic redirection via HTACCESS and mod_rewrite, while your script(s) ensure no output is provided when not accessed through HTTPS.

I guess most people don't think like this, and thus Apache recommends that you don't use this method where possible. However, it just takes an extra check on the development end to ensure your user's data is secure. Hopefully this helps someone else who might have to look into using non-recommended methods due to restrictions on our hosting services end.