Magento 2 with Varnish Termination working but can't force HTTPS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: Want to force HTTPS

It produced this output: My site has a warning in

My web server is (include version): Server version: Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


Hey buddy. Good to see you again.

I used to have both base URLs (secure and unsecure) set to HTTPS but that gave me an error (redirect loop).

Now I have set the secure URL to https://lepto… and the unsecure to //lepto… (that worked fine at the time, and I had no error in whynotpadlock)

You will probably need to forward X-Forwarded-Proto: http/https through Apache and Varnish through to Magento, otherwise Magento will not have any way of knowing what the actual protocol in-use is.

1. In your Apache HTTPS VirtualHost:

RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}

2. In your Apache HTTP VirtualHost:

SetEnvIf X-Forwarded-Proto https HTTPS=on

(Varnish should pass-through the header between the HTTPS and HTTP listener without losing/changing it … hopefully).
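
The two directives from the post above, placed in a full proxy chain. This is an added example and not configuration posted by anyone in this thread; `example.com`, the ports, the certificate paths and the document root are assumptions. It goes one step beyond the post by also covering the non-www redirect and the `Vary` header Varnish needs.

```apache
# Added example. Assumed chain (ports, paths and example.com are placeholders):
#   client -> Apache :443 (TLS) -> Varnish :80 -> Apache 127.0.0.1:8080 (Magento)
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_headers, mod_rewrite, mod_setenvif.

Listen 127.0.0.1:8080

# HTTPS listener: terminates TLS and hands the request to Varnish.
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # "set" overwrites any value the client sent, so on this path the
    # header always reflects the real scheme (https).
    RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:80/
    ProxyPassReverse / http://127.0.0.1:80/
</VirtualHost>

# HTTP listener behind Varnish: this is where Magento actually runs.
<VirtualHost 127.0.0.1:8080>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/magento/pub

    # Expose the original scheme to PHP so Magento stops redirecting
    # requests that already arrived over HTTPS (the redirect loop).
    SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on

    # The response depends on this header, so Varnish must cache the
    # HTTP redirect and the HTTPS page as separate variants.
    Header always merge Vary X-Forwarded-Proto

    RewriteEngine On
    # Not HTTPS, or HTTPS on the www host: one 301 to the canonical URL.
    RewriteCond %{HTTP:X-Forwarded-Proto} !=https [OR]
    RewriteCond %{HTTP_HOST} ^www\. [NC]
    RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

With Varnish listening on port 80 directly, a plain-HTTP client can send its own `X-Forwarded-Proto: https`, and the backend cannot tell because every request reaches it from Varnish. Dropping the header for requests that did not come from the TLS listener therefore has to happen in Varnish.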


I think I see what you are saying. Will take a look and report back.

Quick question. I need to redirect to a non-www version of the site also. Could I tackle both problems in the same manner?

I updated my post with a suggested plan of action for what I remember from your previous thread.

The redirect thing, I dunno. You could realistically handle it at any level (HTTPS listener, Varnish or HTTP listener). It should be a pretty basic Apache rewrite.


Well, this is embarrassing, but I wasn’t forcing HTTPS from Magento’s admin. There was also the option to set X-Forwarded-Proto.

I think now I am all set. I will look into redirecting to non-www version.

PS. How could I tell if my certificate is updating? From Why not Padlock I see that the expiration date is in 50+ days so I think that it is updating.

You could try certbot renew --dry-run to see whether it would renew successfully.

It should only be getting renewed at <30 days validity remaining.


The certbot is renewing. My question was about the cron job. Anyway it probably is renewing :slight_smile:

Should I be worried that when giving in Edge it isn’t redirecting to HTTPS?
