Force a URL to Use HTTPS

Feb 28

ClaudeHow-To, Protocol, Security , , , , , 2 Comments

Today I came across some old ColdFusion & Mach-II (1.0) code where a plugin was used to force HTTPS. I assume the original developer decided to go with this solution because the target environment was Windows and Internet Information Server.

The task becomes a lot easier under Apache. So I threw away the plugin code and added the following rule to the Apache configuration:

<directory "/public_html/mysite.com">
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{HTTP_HOST}/$1	[R,L]
</directory>

The directive above can be placed inside a VirtualHost or Directory directives, but this usually requires access to the Apache server configuration, which is not typically possible in a shared hosting environment — in that case, the rule can be added to the .htaccess file.

Alternatively we could have used the SSLRequireSSL Apache (2.x) directive, but this would only block access to the non HTTPS address. In our case we want to automatically redirect the users instead of displaying an error message.

2 Comments (+add yours?)

  1. Khurt
    Feb 28, 2009 @ 13:12:24

    Good tip. But … in a shared hosting environment can’t one just request that the hosting provider turn this on? If they won’t it’s most likely the server does not have a SSL cert for that domain so forcing it in the .htacces file would be pointless anyway.

  2. claude
    Feb 28, 2009 @ 16:35:35

    @Khurt – Of course the assumption here is that you DO have an SSL certificate and intend to use it.

Leave a Reply