How to force HTTPS on Linux and Windows servers

Last updated: 28 April 2021

If your website has an SSL certificate you probably want all website traffic to use the HTTPS protocol rather than HTTP. To do so, you need to redirect traffic from HTTP to HTTPS.

Linux (.htaccess)

Most of our Linux servers run Apache and come with cPanel. The easiest way to force HTTPS on cPanel servers is via cPanel’s Domains interface. All you have to do is toggle the Force HTTPS Redirect option to On.

Image: the Force HTTPS Redirect option in cPanel.

In the background, cPanel creates a redirect rule in the .htaccess file. The rule looks like this:

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteCond %{HTTP_HOST} ^example\.net$ [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.net$
RewriteRule ^(.*)$ "https\:\/\/example\.net\/$1" [R=301,L]

This rule redirects http://example.net to https://example.net and http://www.example.net to https://www.example.net.

If you also want your domain to either always or never use the the ‘www’ subdomain then you need to manually add a rule to the .htaccess file. You can copy and paste the below code examples.

Redirect to non-WWW and HTTPS

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

Redirect to WWW and HTTPS

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://www.%1%{REQUEST_URI} [L,NE,R=301]

There are more examples of managing redirects in our article about cPanel redirects.

Windows (web.config)

On our Windows servers you can add a rule to the web.config file:

<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

If the <rules> sections already exists in the web.config file then you can simply add the <rule> block to the existing section.

Checking redirects

It’s always a good idea to make sure that redirects work as expected. If you got cURL installed on your computer then you can run the command curl -IL $domain, where $domain is the domain you want to check.

The command produces a fair bit of output. The main thing to look for are the lines that start with HTTP and Location. These lines show the Apache status code (such as 200, 301 or 302) and, in the case of a 301 or 302 redirect, what the destination of the redirect is.

To give an example, our website always uses the ‘www’ subdomain. The below cURL command shows that catalyst2.com first redirects to https://catalyst2.com/ and then to https://www.catalyst2.com/. We added the --silent option and piped the output to grep to filter the information we are interested in:

$ curl -IL --silent catalyst2.com | grep -E "^(HTTP|Location)"
HTTP/1.1 301 Moved Permanently
Location: https://catalyst2.com/
HTTP/1.1 301 Moved Permanently
Location: https://www.catalyst2.com/
HTTP/1.1 200 OK