Asked  6 Months ago    Answers:  5   Viewed   32 times

How can I force SSL/HTTPS on specific pages using .htaccess and mod_rewrite in PHP?



For Apache, you can use mod_ssl to force SSL with the SSLRequireSSL Directive:

This directive forbids access unless HTTP over SSL (i.e. HTTPS) is enabled for the current connection. This is very handy inside the SSL-enabled virtual host or directories for defending against configuration errors that expose stuff that should be protected. When this directive is present all requests are denied which are not using SSL.

This will not do a redirect to https though. To redirect, try the following with mod_rewrite in your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

or any of the various approaches given at


You can also solve this from within PHP in case your provider has disabled .htaccess (which is unlikely since you asked for it, but anyway)

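if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') {
    if (!headers_sent()) {
        header("Status: 301 Moved Permanently");
        // Redirect to the same host and path over HTTPS, then stop.
        header(sprintf('Location: https://%s%s', $_SERVER['HTTP_HOST'], $_SERVER['REQUEST_URI']));
        exit();
    }
}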
Tuesday, June 1, 2021
answered 6 Months ago

It doesn't hurt to just always rewrite to https and lose the www in one step. Trailing slash is unchanged, but lost a line on removing php-extension by inverting the Cond.

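RewriteCond %{HTTP_HOST} ^www\.(.*)$ [OR]
RewriteCond %{HTTPS} off
# The target URL is missing from the page; example.com is a placeholder for the bare (non-www) host.
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]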

RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301] 

# REMOVE PHP EXTENSION if there's no file with this name
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.+)\.php$ /$1 [NC,L,R=301]

If you also need handling for files that were requested as file/ without .php, you should stay with your code for the final part:

RewriteRule ^(.+)\.php$ /$1 [NC,L,R=301]
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^(.+)/?$ /$1.php [END]
Saturday, May 29, 2021
answered 7 Months ago

To first force HTTPS, you must check the correct environment variable %{HTTPS} off, but your rule above then prepends the www. Since you have a second rule to enforce www., don't use it in the first rule.

RewriteEngine On
RewriteCond %{HTTPS} off
# First rewrite to HTTPS:
# Don't put www. here. If it is already there it will be included, if not
# the subsequent rule will catch it.
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Now, rewrite any request to the wrong domain to use www.
# [NC] is a case-insensitive match
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

About proxying

When behind some forms of proxying, whereby the client is connecting via HTTPS to a proxy, load balancer, Passenger application, etc., the %{HTTPS} variable may never be on and cause a rewrite loop. This is because your application is actually receiving plain HTTP traffic even though the client and the proxy/load balancer are using HTTPS. In these cases, check the X-Forwarded-Proto header instead of the %{HTTPS} variable. This answer shows the appropriate process.

Tuesday, June 1, 2021
answered 6 Months ago
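
The X-Forwarded-Proto check described under "About proxying", as an added example that is not part of the original answers. It assumes a single TLS-terminating reverse proxy at the placeholder address 192.0.2.10 that sets the header itself and overwrites any client-sent value, and that REMOTE_ADDR is the address of the directly connected peer (mod_remoteip is not rewriting it).

```apache
RewriteEngine On

# Assumption: 192.0.2.10 is a placeholder (documentation address range)
# for the reverse proxy that terminates TLS in front of this server.

# Case 1: the request did not come through the proxy. Any
# X-Forwarded-Proto value here was supplied by the client, so it is
# ignored and only %{HTTPS} decides.
RewriteCond %{REMOTE_ADDR} !=192.0.2.10
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Case 2: the request came from the proxy. On this hop the connection is
# plain HTTP, so %{HTTPS} is never "on" and testing it would redirect
# forever. The header carries the scheme the client used with the proxy.
# A missing header expands to an empty string, which also redirects.
RewriteCond %{REMOTE_ADDR} =192.0.2.10
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

Where the proxy address is not fixed, the REMOTE_ADDR conditions cannot be used as written; the backend then has to be reachable only through the proxy, because the header alone does not prove how the client connected.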

I believe this would work:

RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} /basket.php
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
Wednesday, August 4, 2021
venkatesh shanmuganathan
answered 4 Months ago

I think your problem is here:

 InetAddress serverAddr = InetAddress.getByName(serverIpAddress);
 socket = new Socket(serverAddr, REDIRECTED_SERVERPORT);

I can't find where your serverIpAddress is assigned, thus you get NullPointerException.

Thursday, September 2, 2021
Craig Ringer
answered 3 Months ago