[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Force SSL using .htaccess file

Posted on 2006-05-03
Medium Priority
Last Modified: 2008-01-09

Here is what I have my .htaccess file set at, but if I type in http://mydomain.com, it still will not force to https:// 

I also need it so when a user types in http://www.mydomain.com, it forces to https://mydomain.com 

any help?  thank you.

# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
order deny,allow
deny from all
AuthName mydomain.com
AuthUserFile service.pwd
AuthGroupFile service.grp
rewriteEngine on
rewriteCond %{HTTP_HOST} !^mydomain\.com
rewriterule (.*) https://mydomain.com/$1 [R=301,L]
Question by:jpegvarn

Accepted Solution

MalleusMaleficarum earned 672 total points
ID: 16602054
According to the Apache SSL man page, you need to use SSLRequireSSL

Syntax: SSLRequireSSL
Context: server config, virtual host, .htaccess, directory
Override: FileInfo
Status: Extension
Module: Apache-SSL
Compatibility: ??

Require SSL. This can be used in sections (and elsewhere) to protect against inadvertantly disabling SSL. If SSL is not in use when this directive applies, access will be refused. This is a useful belt-and-braces measure for critical information. Conversely, deny SSL connections with SSLDenySSL.


<Directory /some/where/important>


Another example I found was:

The following snippet can be put in your .htaccess file to force access to go through an encrypted connection:

<IfModule !mod_ssl.c>
  RedirectMatch /(.*)$ https://www.cse.unsw.edu.au/$1
Observe the https in the redirect.

(Note: if you are using a Personal Domain or CGI Scripts with a password, you will need to change www to username.web or cgi respectively).

Got that info from: https://cgi.cse.unsw.edu.au/~csg/twiki/bin/view/FAQ/RestrictingWebAccess#Requiring_an_Encrypted_Connectio  (which, btw, is a GREAT page for all kinds of useful methods for securing a page)


Assisted Solution

Dragon_Krome earned 664 total points
ID: 16604897
LVL 51

Assisted Solution

ahoffmann earned 664 total points
ID: 16605767
RewriteEngine On
RewriteCond %{Server_Name} ^www\.
RewriteRule (.*)  https://%{REQUEST_URI} [L]
RewriteCond %{HTTPS} !^on$
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [L]
# feel free to use R, P flag as you like

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware - Defeated! Client opened the wrong email and was attacked by Ransomware. I was able to use file recovery utilities to find shadow copies of the encrypted files and make a complete recovery.
Let's take a look into the basics of ransomware—how it spreads, how it can hurt us, and why a disaster recovery plan is important.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question