Tag Archives: Let’s Encrypt

Security

How to force HTTPS on Apache

Leave a comment

HTTPS image

I recently added an SSL certificate to this website. I used Let’s Encrypt which is an awesome initiative to increase the use of HTTPS in websites by making SSL certificates free and easy to install.

My web hosting provider offers Let’s Encrypt certificates via cPanel so installing one for my website was as easy as clicking few buttons. If you are not that lucky, Let’s Encrypt provides instructions to install certificates via the shell as well as a list of hosting providers supporting Let’s Encrypt.

Once you have your SSL certificate installed on your server, you may want to force HTTPS so that any request for HTTP pages will automatically be redirected to HTTPS.

The Apache web server provides the .htaccess file to store Apache configuration on a per-directory basis. For example, if your website is stored under /var/www/html/mysite  and you’re using Apache, you can create the following .htaccess  file in that directory:

RewriteEngine On  
RewriteCond %{SERVER_PORT} 80  
RewriteRule ^(.*)$ https://sandrocirulli.net/$1 [R,L]

The third line is the rewrite rule that forces HTTPS for any request made to the web server. Note that you need to have the mod_rewrite module installed on Apache to add rewrite rules for URL redirection.

Gotchas

Make sure that the URL in the rewrite rule is the one used in the SSL certificate. I initially put www.sandrocirulli.net  in the rewrite rule even though I register the SSL certificate for sandrocirulli.net  and all its sub-domains (including www.sandrocirulli.net ) and got nasty security warnings displaying on the browser. You can easily check the SSL certificate with any browser by clicking on the green padlock near the URL and select View Certificate or the like:

View CertificateIf the padlock near the URL displays a warning, click on it and see what’s the problem. I initially encountered issues with mixed content. This occurred because I had links to images on the websites with HTTP instead of HTTPS. All the major browsers allow you to see where the error occurs, just click on the warning and then Details or the like. Changing these links to HTTPS solved the issue with mixed content.