Apache2: Forcing All Inbound Traffic to SSL
So, you have an Apache 2 web server and you have decided that you want to force all inbound traffic to be encrypted via HTTPS (port 443) instead of HTTP (port 80). This method actually “dumbs down” the connection so the average user can’t inadvertently negotiate your web site without encrypting their traffic.
My web server of choice is Apache2, running on a Linux operating system, preferably Debian, but we’ll discuss an option for Red Hat Enterprise Linux 4 (RHEL-4). That being said, you need Apache installed and running on Linux. You also need the Apache module “mod_rewrite.so” installed and an encryption key generated for your server.
In the following snippet of .conf file we will first load mod_rewrite and then redirect all inbound port 80 traffic to port 443.
Add the following code section to your httpd.conf down around line #220, right after the big “load modules” section.
Be aware that “#’s” indicate a comment line in the .conf file and are ignored by Apache2.
#########################################
#### XXX: BEGIN EDIT FOR MOD_REWRITE ####
#### This is intended to force HTTPS ####
#### for all inbound HTTP requests   ####
# This module (mod_rewrite) simply tells Apache2 that all connections to
# port 80 need to go to port 443 – SSL – No exceptions
<IfModule !mod_rewrite.c>
LoadModule rewrite_module modules/mod_rewrite.so
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine on
# The line below sets the rewrite condition for mod_rewrite.so.
# That is, if the server port does not equal 443, then this condition is true
RewriteCond %{SERVER_PORT} !^443$
# The line below is the rule, it states that if above condition is true,
# and the request can be any url, then redirect everything to https:// plus
# the original url that was requested.
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</IfModule>
#### XXX: END EDIT FOR MOD_REWRITE ####
#######################################
Add the code to httpd.conf and restart Apache2. Check your logs for errors to ensure a clean startup, then connect to your server on port 80. The connection should be instantly redirected to 443.
Alternatively, on RHEL4, you can add the code above into a file (you create) called mod_rewrite.conf in the /conf.d directory (/conf.d/mod_rewrite.conf).
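To confirm the redirect without a browser, the check below inspects what the server answers on port 80. It is an added example, not part of the original post; the host name www.example.test and the sample responses are constructed, and probe() assumes you point it at your own server.

```python
import http.client
from urllib.parse import urlsplit

def check_redirect(status, location, host, target):
    """Return a list of problems with one port-80 response (empty list = OK).

    status/location come from the response; host/target are what was requested.
    """
    if status not in (301, 302, 303, 307, 308):
        return [f"status {status} is not a redirect"]
    problems = []
    loc = urlsplit(location or "")
    if loc.scheme != "https":
        problems.append(f"Location scheme is {loc.scheme!r}, expected 'https'")
    if loc.hostname != host.lower():
        problems.append(f"Location host {loc.hostname!r} differs from {host!r}")
    if loc.port not in (None, 443):
        problems.append(f"Location points at port {loc.port}, not 443")
    want = urlsplit(target)
    # mod_rewrite re-appends the original query string by default, so both
    # the path and the query should survive the redirect unchanged.
    if (loc.path, loc.query) != (want.path, want.query):
        problems.append("path or query string was not preserved")
    return problems

def probe(host, target="/", port=80, timeout=5):
    """Send one plain-HTTP HEAD request to a live server and check the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return check_redirect(resp.status, resp.getheader("Location"), host, target)
    finally:
        conn.close()

# Constructed (status, Location) pairs for a request to
# http://www.example.test/login?next=/a ; not captured from a real server.
SAMPLES = {
    "rule working": (302, "https://www.example.test/login?next=/a"),
    "no redirect": (200, None),
    "redirect stays on http": (302, "http://www.example.test/login?next=/a"),
    "path dropped": (302, "https://www.example.test/"),
}

def run_samples():
    return {name: check_redirect(s, loc, "www.example.test", "/login?next=/a")
            for name, (s, loc) in SAMPLES.items()}

if __name__ == "__main__":
    for name, problems in run_samples().items():
        print(name, "->", problems or "OK")
```

The [R] flag in the rule sends a 302 by default, which is why the working sample uses that status.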
Note the “XXX” marks in my comments. I make a habit of “tagging” any configuration files I edit on a Linux server so that when I come back to them later I can find my edits easily. Your initials work well for this and help identify which admin makes the change.
Enjoy,
bf
September 26, 2007 at 3:19 am
Cheers, just the information I was after!
December 7, 2007 at 9:25 pm
I spent an hour looking for mod_rewrite / .htaccess ways to do this and this worked just fine!! Thank you so much. I’m using a newer copy of Apache 2.2.4 and it comes with mod_rewrite already loaded in the default httpd.conf without a check for the C file already having been compiled into the binary. I think that’s what you’re doing anyway. I just used the second part that makes sure that the module has actually loaded.
Again, thank you so much!
December 7, 2007 at 10:11 pm
Anytime. Most of my experience is with Apache 2 and as you know Apache 2.2 loads modules and configs slightly differently, glad it worked out for you.
January 11, 2008 at 3:12 pm
Very useful information. Thanks for sharing.
October 15, 2008 at 10:29 am
You really should use
RewriteCond %{HTTPS} !=on
instead of checking for a hard-coded port.
See the mod_rewrite Cookbook at http://rewrite.drbacchus.com/rewritewiki/SSL
June 4, 2009 at 1:10 pm
thanks, exactly what I wanted! Curious, how would you do this to work for specific locations?
eg, /about it’s fine to be not secured and /login would require https.
June 5, 2009 at 10:22 am
Jan,
You can probably work something out with the mod_rewrite statements.
something like this:
RewriteEngine On
RewriteRule ^/login$ https://foo/login
July 24, 2009 at 1:51 am
Cheers, worked a treat….
July 30, 2009 at 2:13 am
Thanks! Worked great. Just what I have been looking for.
September 18, 2009 at 2:57 pm
I have also had a lot of luck with the following:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
December 8, 2010 at 10:26 pm
Many thanks. This worked like a charm. I appreciate your assistance
February 22, 2011 at 1:28 pm
This was just what I needed. Thanks!
August 11, 2011 at 10:21 am
Thanks, it worked magic on my Fedora!
October 13, 2011 at 6:16 am
Thanks!
October 22, 2011 at 9:25 pm
I spent hours trying to figure it out. I copy pasted this and worked!
Thanks a lot.
November 20, 2011 at 11:42 pm
I’ve been exploring for a bit for any high-quality articles or blog posts on this kind of space. Exploring in Yahoo I at last stumbled upon this web site. Reading this information So I’m satisfied to express that I’ve a very good uncanny feeling I discovered just what I needed. I so much indubitably will make sure to don’t omit this website and provides it a look regularly.
June 1, 2012 at 2:43 pm
Ela ma thama