Enforce https
April 22nd, 2010If you want to enforce the users of your Apache server to use https instead of http, you can write a Rewrite which works without the mod_ssl module.
The Rewrite is stored either in your httpd configuration or in a .htaccess file.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301]
Sometimes you run into problems with authentication systems which are configured in a .htaccess file too. This leads to double authentications which you want to avoid because the first authentication works through http (which is bad enough), then the rewrite is putting you to https and you have to authenticate again.
To avoid this, you can store the configuration of the authentication system into your ssl httpd configuration in a directory tag. This ensures that the user of your web-server when landing on http does not have to authenticate but will be placed to https and have to authenticate there.
If you do not have access to the ssl configuration you might want to test out
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "http://yourservername"
ErrorDocument 403 https://yourservername
in your .htaccess file. I have to admit i didn’t test the SSLRequireSSL option by myself, but it worked for some people.
For more information about Rewrites, .htaccess files and ssl support, have a look at the Apache httpd documentation
