Forcing HTTPS from HTTP (Apache)

apache-2.2

Expanding on freiheit's answer, removing some redundant parts, eliminating the dependence on mod_rewrite (and associated speed penalty), and adding in some security:

<VirtualHost 1.2.3.4:80>
        ServerName SSL.EXAMPLE.COM
        CustomLog /var/log/httpd/EXAMPLE.access_log combined
        ErrorLog /var/log/httpd/EXAMPLE.error_log

        Redirect / https://ssl.example.com/
</VirtualHost>

<VirtualHost 1.2.3.4:443>
    ServerName ssl.example.com
    DocumentRoot /var/www/html
    CustomLog /var/log/httpd/EXAMPLE.ssl_access_log combined
    ErrorLog /var/log/httpd/EXAMPLE.ssl_error_log
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM
    .
    .
    .
</VirtualHost>

<Directory /var/www/html>
    #If all else fails, this will ensure nothing can get in without being encrypted.
    SSLRequireSSL
</Directory>

Personally, my favorite is to simply redirect all port 80 traffic to port 443:

<VirtualHost 1.2.3.4:80>
        ServerName SSL.EXAMPLE.COM
        ServerAlias SSL
        DocumentRoot /var/www/html
        CustomLog /var/log/httpd/EXAMPLE.access_log combined
        ErrorLog /var/log/httpd/EXAMPLE.error_log

        RewriteEngine on
        RewriteRule .* https://SSL.EXAMPLE.COM/ [NC,R,L]
</VirtualHost>

<VirtualHost 1.2.3.4:443>
    ServerName ssl.example.com
    DocumentRoot /var/www/html
    CustomLog /var/log/httpd/EXAMPLE.ssl_access_log combined
    ErrorLog /var/log/httpd/EXAMPLE.ssl_error_log
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM
    .
    .
    .
</VirtualHost>

RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^/(.*) https://your.server.name/$1 [R]

Forcing HTTPS from HTTP (Apache)

Related

Recent Posts