Apache2: Forcing All Inbound Traffic to SSL

So, you have an Apache 2 web server and you have decided that you want to force all inbound traffic to be encrypted via HTTPS (port 443) instead of HTTP (port 80). This method actually “dumbs down” the connection so the average user can’t inadvertently negotiate your web site without encrypting their traffic.


My web server of choice is Apache2 running on Linux, preferably Debian, but we’ll also discuss an option for Red Hat Enterprise Linux 4 (RHEL-4). You need Apache installed and running on Linux, the Apache module “mod_rewrite.so” installed, and an encryption key generated for your server.

In the following snippet of .conf file we will first load mod_rewrite and then redirect all inbound port 80 traffic to port 443.

Add the following code section to your httpd.conf down around line #220, right after the big “load modules” section.

Be aware that “#’s” indicate a comment line in the .conf file and are ignored by Apache2.

#########################################
#### XXX: BEGIN EDIT FOR MOD_REWRITE ####
#### This is intended to force HTTPS ####
#### for all inbound HTTP requests ####

####
# This module (mod_rewrite) simply tells Apache2 that all connections to
# port 80 need to go to port 443 – SSL – No exceptions
####

<IfModule !mod_rewrite.c>
LoadModule rewrite_module modules/mod_rewrite.so
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine on

####
# The line below sets the rewrite condition for mod_rewrite.so.
# That is, if the server port does not equal 443, then this condition is true
####

RewriteCond %{SERVER_PORT} !^443$

####
# The line below is the rule, it states that if above condition is true,
# and the request can be any url, then redirect everything to https:// plus
# the original url that was requested.
####

RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</IfModule>

#### XXX: END EDIT FOR MOD_REWRITE ####
#######################################

Add the code to httpd.conf and restart Apache2. Check your logs for errors to ensure a clean startup, then connect to your server on port 80. The request should be instantly redirected to port 443.

Alternatively, on RHEL4, you can add the code above into a file (you create) called mod_rewrite.conf in the /conf.d directory (/conf.d/mod_rewrite.conf).

Note the “XXX” marks in my comments. I make a habit of “tagging” any configuration files I edit on a Linux server so that when I come back later I can find my edits easily. Your initials work well for this and help identify which admin made the change.

Enjoy,

bf
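
The final check described above (connect on port 80 and confirm the redirect), as an added shell example that is not part of the original post. The host www.example.com, the /login path and the sample responses are constructed for illustration; against a live server, feed the function the output of `curl -sI` as shown in the comment.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a port-80 response
# is a redirect to https:// on the expected host and path.
# Live use: curl -sI http://www.example.com/login | check_redirect www.example.com /login

# Reads raw HTTP response headers on stdin; $1 = expected host, $2 = expected path.
check_redirect() {
    want_host=$1
    want_path=$2
    headers=$(tr -d '\r')                      # strip CRs from CRLF line endings
    status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1) == "location:" { print $2; exit }')

    case $status in
        301|302|303|307|308) ;;
        *) echo "FAIL: status ${status:-missing} is not a redirect"; return 1 ;;
    esac
    case $location in
        "https://$want_host$want_path")
            echo "OK: $status -> $location"; return 0 ;;
        https://*)
            echo "FAIL: https redirect to unexpected target $location"; return 1 ;;
        *)
            echo "FAIL: Location is not https (${location:-missing})"; return 1 ;;
    esac
}

# Constructed sample: what the [R] flag produces (302 by default).
sample_redirect() {
    printf 'HTTP/1.1 302 Found\r\nServer: Apache\r\nLocation: https://www.example.com/login\r\n\r\n'
}

# Constructed sample: rule not applied, page served in cleartext.
sample_plain() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n'
}

# Constructed sample: redirect that stays on http://.
sample_http_redirect() {
    printf 'HTTP/1.1 302 Found\r\nLocation: http://www.example.com/login\r\n\r\n'
}

sample_redirect | check_redirect www.example.com /login
sample_plain | check_redirect www.example.com /login || true
sample_http_redirect | check_redirect www.example.com /login || true
```

A 200 response on port 80 means the rewrite block was not applied to the host that answered, so the page went out unencrypted.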

21 Responses to “Apache2: Forcing All Inbound Traffic to SSL”

  1. Cheers, just the information I was after!

  2. I spent an hour looking for mod_rewrite / .htaccess ways to do this and this worked just fine!! Thank you so much. I’m using a newer copy of Apache 2.2.4 and it comes with mod_rewrite already loaded in the default httpd.conf without a check for the C file already having been compiled into the binary. I think that’s what you’re doing anyway. I just used the second part that makes sure that the module has actually loaded.

    Again, thank you so much!

  3. Anytime. Most of my experience is with Apache 2 and as you know Apache 2.2 loads modules and configs slightly differently, glad it worked out for you.

  4. Very useful information. Thanks for sharing.

  5. You really should use

    RewriteCond %{HTTPS} !=on

    instead of checking for a hard-coded port.

    See the mod_rewrite Cookbook at http://rewrite.drbacchus.com/rewritewiki/SSL

  6. thanks, exactly what I wanted! Curious, how would you do this to work for specific locations?

    eg, /about it’s fine to be not secured and /login would require https.

  7. Jan,
    You can probably work something out with the mod_rewrite statements.

    something like this:
    RewriteEngine On
    RewriteRule ^/login$ https://foo/login

  8. Cheers, worked a treat….

  9. Thanks! Worked great. Just what I have been looking for.

  10. Paul J. Martinez Says:

    I have also had a lot of luck with the following:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

  11. M Selwicky Says:

    Many thanks. This worked like a charm. I appreciate your assistance

  12. This was just what I needed. Thanks!

  13. Thanks, it worked magic on my Fedora!

  15. I spent hours trying to figure it out. I copy pasted this and worked!

    Thanks a lot.

  17. I’ve been exploring for a bit for any high-quality articles or blog posts on this kind of space . Exploring in Yahoo I at last stumbled upon this web site. Reading this information So i’m satisfied to express that I’ve a very good uncanny feeling I discovered just what I needed. I so much indubitably will make sure to don’t omit this website and provides it a look regularly.

  19. Ela ma thama
