Need to redirect all traffic to https
This works for me:
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
If the traffic is coming in over non-SSL HTTP, then redirect to the HTTP equivalent of whatever page the user was originally trying to access. It also doesn't involve any mod_rewrite options, so it's easy to read.
Side rant: why does everyone feel the need to explicitly set the HTTP code of the redirect and mark one of their rewrites as the "last" one? Seriously, I've seen dozens of same-looking htaccess rules in just the last few days.
This is a previous answer using .httaccess but adding changes proposed in the comments, and some from me:
RewriteEngine on
RewriteBase /
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://my.domain.name%{REQUEST_URI} [L,R=301]
Notes:
- This is for the cases where user doesn't have access to main configuration, but has access to .htaccess rules. If you have access to main configuration, use mod_alias solution instead.
- For me the rule was not picked up without defining RewriteBase. Explicitly defining it gets rid of ambiguity with some server setups.
- At least on some configurations,
%{HTTPS}is not set tooffwhen using http, but is null, so!onis more reliable rule thanoff. - For explicit host name, you don't rely on client side Host header or server configuration. However, explicit host name natually assumes there is only one domain to redirect. Host header poses some considerable problems, such as containing port and being client-supplied data. Another alternative, as suggested by Apache Wiki, is to use
%{SERVER_NAME}. If you consider using that, check out caveat from this discussion - it relies on other configuration being correct. -
R=301means it's permanent redirect, as it's usually meant to be in this case. If you instead think it's temporary, that can be left out or specified asR=302. -
Lmeans it's last rule to be applied for this request. Leave it if you suspect or know there are other rules after this that you don't want to get applied. You can remove if this is the only rule of the file.
According to the Apache documentation, using mod_alias is more appropriate than mod_rewrite for this task. That is, in order to redirect all HTTP traffic to HTTPS, one would:
<VirtualHost *:80>
ServerName www.example.com
Redirect permanent / https://www.example.com/
</VirtualHost >
<VirtualHost *:443>
ServerName www.example.com
# ... SSL configuration goes here
</VirtualHost >
Two things to note about this configuration:
- You need access to the main server configuration file in order for this configuration to work. The
VirtualHostdirective is only valid in the "server config" context. - Keep in mind that
mod_rewritedirectives are processed beforemod_aliasdirectives. If you've already got a massive block ofRewriteRules in your.htaccessfile, you might be better off with themod_rewriteconfiguration.
why not just plain and simple?
rewriteCond %{HTTPS} !on
rewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
it has worked to me, and seems to me clear. Cheers.
Working in all conditions is:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [NE,L,R=301]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,L,R=301]
<IfModule>