How to force HTTPS in Apache2?

(e.g. https://crt.sh/?q=example.com)

My domain is: botboutique.com.br

My web server is (include version): Apache 2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04 LTS

My hosting provider, if applicable, is: Locaweb

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

I’m trying to force Apache2 to only serve HTTPS in my domain. Here is the .htaccess that I out in the root folder of Apache (/var/www):

RewriteEngine On
RewriteCond %{HTTP_HOST} botboutique.com.br [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://botboutique.com.br/$1 [R,L]

(I take this code from https://www.whynopadlock.com)

But it didn’t worked, can you guys help me on this matter?

Some possibilities:

  1. Something in the rules is not matching
  2. Your .htaccess file is not actually being read because it’s in the wrong location
  3. Your .htaccess file is not being processed due to options in your main Apache configuration.

For (1), try see if using this more generic approach helps:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,L]

For (2), confirm that your /var/www/ is indeed your webroot. For example, create a test file to access in your browser:

echo "Hello World" > /var/www/hello-world.txt

For (3), try adding AllowOverride All inside this domain’s <VirtualHost> in your main Apache configuration, and reload Apache. See if it has any effect.

1 Like

Thanks for your kind response, @_az.

  1. I tried yor code, but no effects. I tried too:
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://botboutique.com.br/$1 [R,L]
    with no results.

  2. At first I get confused about on where to put .htaccess file. At last, I realize that I must to put it in /var/www/www.botboutique.com.br/html. No effects either.

  3. Changed my apache2.conf:
    "<VirtualHost *:80>
    ServerName www.botboutique.com.br
    Redirect / https://botboutique.com.br
    ServerAlias botboutique.com.br *.botboutique.com.br
    DocumentRoot /var/www/www.botboutique.com.br/html
    <Directory “/var/www/www.botboutique.com.br/html”>
    Require all granted
    AllowOverride All

    "
    And … none.

Everytime I used
systemctl restart apache2
to reboot Apache.

Any clues, please?

The fact that this doesn’t do anything points to the possibility that your Apache configuration contains duplicate virtual hosts. If that’s the case, that may provide the explanation for why none of your configs seem to do anything.

What does this show:

apachectl -t -D DUMP_VHOSTS
1 Like

Here it is:

VirtualHost configuration:
*:443 www.botboutique.com.br (/etc/apache2/sites-enabled/apache2-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server vps18569.publiccloud.com.br (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost vps18569.publiccloud.com.br (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost www.botboutique.com.br (/etc/apache2/sites-enabled/apache2-le-ssl.conf:15)
alias botboutique.com.br
wild alias *.botboutique.com.br
port 80 namevhost www.botboutique.com.br (/etc/apache2/apache2.conf:241)
alias botboutique.com.br
wild alias *.botboutique.com.br

Here is the duplication of your port 80 virtualhost for botboutique.com.br:

Number 1:

Number 2:

Only one of these virtual hosts actually has any effect - the other one gets ignored by Apache. Ultimately only one of them should exist.

Try making your changes to the “other one” and see whether they take effect.

1 Like

@_az It’s not clear for me how to avoid this duplication and how to fix it.

What do you mean when you say “to the other one”?

Sorry, I’m pretty noob.

Try making the same changes to /etc/apache2/sites-enabled/apache2-le-ssl.conf. You should find the virtualhost around line 15.

1 Like

@_az

Despite an strange inconsistency among browsers (Chrome and Edge, ok | Firefox says that I have mixed content and shows me an yellow padlock), seems that your tips take me out of my nightmare :slight_smile:

Tomorow I’ll test it further.

Thank you very, very much for your support!

1 Like

It looks like you got it figured out!
The HTTP requests are being redirected to HTTPS (including their paths) :slight_smile:

curl -Iki http://botboutique.com.br/x/y/z
HTTP/1.1 302 Found
Date: Sat, 06 Jun 2020 01:03:49 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: https://botboutique.com.br/x/y/z
Content-Type: text/html; charset=iso-8859-1

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.