How to redirect HTTP to HTTPS in Apache

Redirecting all HTTP requests to HTTPS prevents unencrypted logins, cookies, and API calls from crossing the network in clear text, and keeps a single canonical scheme for browsers and search engines.

In Apache, requests are matched to a VirtualHost (typically *:80 for HTTP and *:443 for HTTPS). An HTTP→HTTPS redirect is simply an HTTP response (usually 301) containing a Location header pointing at the same resource over TLS, prompting the client to retry over HTTPS.

The redirect should only be enforced after the HTTPS site is already reachable and correct (certificate, ServerName, firewall, and VirtualHost selection). A .htaccess-based redirect also depends on AllowOverride being enabled for the directory, and permanent 301 redirects can be cached by browsers (making rollbacks appear “stuck” until cache clears).

Methods to redirect HTTP to HTTPS in Apache:

Redirect HTTP to HTTPS in Apache using htaccess
Redirect HTTP to HTTPS in Apache using mod_rewrite on VirtualHost configuration
Redirect HTTP to HTTPS in Apache using Redirect directive

Steps to redirect HTTP to HTTPS in Apache:

Redirect HTTP to HTTPS in Apache using htaccess

The .htaccess file applies configuration per directory, making it a common choice on shared hosting where direct access to Apache VirtualHost files is not available. A redirect can be enforced through mod_rewrite without touching the main server configuration, as long as .htaccess overrides are permitted.

While convenient, .htaccess introduces per-request overhead because Apache may need to check for and read these files during request handling. For high-traffic sites or servers with full administrative access, a VirtualHost redirect is typically more efficient.

Enable the rewrite module if it is not already loaded.
```
$ sudo a2enmod rewrite
Enabling module rewrite.
To activate the new configuration, you need to run:
  systemctl restart apache2
```
On Debian and Ubuntu, a2enmod enables the module and requires a restart to load it.

Related: How to enable or disable Apache modules
Verify that mod_rewrite is loaded.
```
$ sudo apache2ctl -M | grep rewrite
 rewrite_module (shared)
```
On some systems the command is apache2ctl; both output a module list when supported.
Confirm the site directory permits .htaccess overrides for rewrite rules.
```
<Directory /var/www/html>
    AllowOverride FileInfo
</Directory>
```
If AllowOverride is set to None, the .htaccess file is ignored and the redirect will not trigger.

Related: Location for Apache VirtualHost configuration
Open or create the .htaccess file under the site document root.
```
$ sudo vi /var/www/html/.htaccess
```
Use the directory that matches the DocumentRoot for the HTTP site.
Add the redirect rules to the .htaccess file.
```
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```
Behind a TLS-terminating reverse proxy, Apache may see the backend connection as HTTP even when the client used HTTPS; add a proxy-aware condition when X-Forwarded-Proto is set.
```
RewriteCond %{HTTP:X-Forwarded-Proto} !https
```
Restart Apache if AllowOverride was changed or mod_rewrite was just enabled.
```
$ sudo systemctl restart apache2
$ sudo systemctl restart httpd
```
Related: How to manage the Apache web server service

Confirm the redirect returns a 301 and the expected Location header.

$ curl -sI http://host.example.net/docs/
HTTP/1.1 301 Moved Permanently
Date: Sat, 10 Jan 2026 05:43:35 GMT
Server: Apache/2.4.58 (Ubuntu)
Location: https://host.example.net/docs/
Content-Type: text/html; charset=iso-8859-1

A hard refresh in a browser can be misleading after a 301 due to caching; curl shows the raw redirect headers.

Redirect HTTP to HTTPS in Apache using mod_rewrite on VirtualHost configuration

Redirecting at the VirtualHost level applies the rule once at the server configuration layer, avoiding the per-request .htaccess lookup. This is generally preferred on VPS or dedicated servers where configuration files are editable and service restarts are possible.

A dedicated *:80 VirtualHost that only issues redirects is easy to reason about and keeps the application itself focused on the HTTPS listener. It also avoids dependency on AllowOverride and directory-level inheritance.

Enable the rewrite module if it is not already loaded.
```
$ sudo a2enmod rewrite
Enabling module rewrite.
To activate the new configuration, you need to run:
  systemctl restart apache2
```
On RHEL-family systems, verify the module is loaded via apachectl -M and enable the LoadModule line if required.

Related: How to enable or disable Apache modules
Open the HTTP VirtualHost configuration file.
```
$ sudo vi /etc/apache2/sites-available/000-default.conf
```
Related: Location for Apache VirtualHost configuration

Add a port 80 VirtualHost that redirects to HTTPS.

<VirtualHost *:80>
    ServerName host.example.net
    RewriteEngine On
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

Set a fixed canonical hostname by replacing https://%{HTTP_HOST} with https://www.example.com.

Test the Apache configuration before restarting the service.
```
$ sudo apache2ctl -t
Syntax OK
```
Related: How to test your Apache configuration
Restart Apache for the changes to take effect.
```
$ sudo systemctl restart apache2
$ sudo systemctl restart httpd
```
Related: How to manage the Apache web server service

Confirm the redirect works from HTTP to HTTPS.

$ curl -sI http://host.example.net/docs/
HTTP/1.1 301 Moved Permanently
Date: Sat, 10 Jan 2026 05:43:49 GMT
Server: Apache/2.4.58 (Ubuntu)
Location: https://host.example.net/docs/
Content-Type: text/html; charset=iso-8859-1

Redirect HTTP to HTTPS in Apache using Redirect directive

The Redirect directive from mod_alias is the simplest way to enforce a site-wide scheme upgrade. It does not require mod_rewrite and is usually the best option when the goal is “everything on port 80 redirects to HTTPS.”

This approach is lightweight and readable, but it is less flexible than mod_rewrite when complex conditions are needed (proxy headers, selective exceptions, path-specific routing). For straight full-site redirects, it is typically sufficient.

Open the HTTP VirtualHost configuration file.
```
$ sudo vi /etc/apache2/sites-available/000-default.conf
```
Related: Location for Apache VirtualHost configuration

Add a Redirect directive inside the port 80 VirtualHost.

<VirtualHost *:80>
    ServerName host.example.net
    Redirect permanent / https://host.example.net/
</VirtualHost>

permanent sends a 301 redirect; use temporary for 302 when testing changes.

Test the Apache configuration before restarting the service.
```
$ sudo apache2ctl -t
Syntax OK
```
Related: How to test your Apache configuration
Restart Apache to apply the changes.
```
$ sudo systemctl restart apache2
$ sudo systemctl restart httpd
```
Related: How to manage the Apache web server service

Confirm the redirect preserves the requested path.

$ curl -sI http://host.example.net/docs/page.html
HTTP/1.1 301 Moved Permanently
Date: Sat, 10 Jan 2026 05:43:39 GMT
Server: Apache/2.4.58 (Ubuntu)
Location: https://host.example.net/docs/page.html
Content-Type: text/html; charset=iso-8859-1

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.