Redirecting plain HTTP requests to HTTPS keeps login forms, session cookies, API calls, and canonical URLs on the encrypted version of the site instead of leaving port 80 as a parallel public entry point.
In Apache, the HTTP listener and the HTTPS listener are usually separate VirtualHost blocks. The HTTP side answers first, returns a redirect status plus a Location header, and the client repeats the same request over TLS. For a straight full-site redirect, Apache's Redirect directive is usually the simplest server-level option, while mod_rewrite is more useful in .htaccess files or when extra conditions are needed.
Examples below use the Debian and Ubuntu layout with apache2ctl, /etc/apache2/, and the apache2 service name. The HTTPS virtual host should already work before the redirect is enforced, including a valid certificate and matching hostnames. Keep in mind that browsers cache 301 redirects aggressively, and that .htaccess rules only run when AllowOverride permits them.
Redirect HTTP to HTTPS in Apache using htaccess
Use .htaccess when the site owner can edit files under the DocumentRoot but not the main Apache configuration. The rule is evaluated in directory context, so it can upgrade requests to HTTPS without touching the global VirtualHost files.
That convenience has a cost. Apache checks for .htaccess files while serving requests when AllowOverride allows them, so the main server configuration remains the better place for the redirect whenever direct server access is available.
- Enable mod_rewrite if the platform does not already load it.
$ sudo a2enmod rewrite
Enabling module rewrite.
To activate the new configuration, you need to run:
  systemctl restart apache2
On platforms that do not ship a2enmod, confirm that mod_rewrite is loaded or enabled through the distribution's module configuration.
- Confirm that the site directory allows file-based rewrite directives.
<Directory /var/www/html>
    AllowOverride FileInfo
</Directory>
If AllowOverride is set to None, .htaccess is ignored and the redirect never runs.
- Open or create the .htaccess file under the site document root.
$ sudo vi /var/www/html/.htaccess
Use the directory that matches the active HTTP DocumentRoot.
- Add the rewrite rule that upgrades non-TLS requests to the same hostname and path on HTTPS.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
The rule keeps the current hostname and request path. Replace https://%{HTTP_HOST} with a fixed hostname such as https://www.example.com when the site also needs hostname canonicalization.
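If Apache sits behind a TLS-terminating reverse proxy that forwards requests over plain HTTP, %{HTTPS} is never on at the backend and the rule above redirects every request, including ones that reached the proxy over TLS. Base the condition on the trusted forwarded scheme header used in that environment instead of relying only on %{HTTPS}.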
- Test the main configuration if AllowOverride or module state changed.
$ sudo apache2ctl configtest
Syntax OK
Use sudo apachectl -t or sudo httpd -t on platforms that use those control names.
- Reload or restart Apache if the main configuration or module state changed.
$ sudo systemctl restart apache2
Use sudo systemctl restart httpd on Red Hat-family systems.
- Confirm that the site now returns a permanent redirect from HTTP to HTTPS.
$ curl -sI http://host.example.net/docs/
HTTP/1.1 301 Moved Permanently
Date: Thu, 09 Apr 2026 04:45:13 GMT
Server: Apache/2.4.58 (Ubuntu)
Location: https://host.example.net/docs/
Content-Type: text/html; charset=iso-8859-1
Use curl or a fresh private browser session when testing because cached 301 responses can make later changes look stuck.
Redirect HTTP to HTTPS in Apache using mod_rewrite on VirtualHost configuration
A VirtualHost rewrite keeps the redirect in the main server configuration and avoids the per-request .htaccess lookup. This is the better mod_rewrite pattern when the redirect already belongs with other host-level rules or when conditional exceptions will be added later.
For a plain “everything on port 80 goes to HTTPS” policy, Redirect permanent is usually simpler. Use mod_rewrite here when the redirect needs rewrite-specific logic rather than because it is the default server-level tool.
- Enable mod_rewrite if it is not already loaded.
$ sudo a2enmod rewrite
Enabling module rewrite.
To activate the new configuration, you need to run:
  systemctl restart apache2
Verify the loaded module list with apache2ctl -M if the platform uses a different module workflow.
- Open the HTTP VirtualHost configuration file.
$ sudo vi /etc/apache2/sites-available/000-default.conf
- Add a port 80 VirtualHost rule that redirects requests to the matching HTTPS URL.
<VirtualHost *:80>
    ServerName host.example.net
    RewriteEngine On
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
Replace https://%{HTTP_HOST} with a fixed hostname when the HTTPS site should always answer on one canonical name.
Add RewriteCond lines ahead of the catch-all rule only when the redirect truly needs conditions or exceptions.
- Test the Apache configuration before loading the change.
$ sudo apache2ctl configtest
Syntax OK
- Reload Apache to apply the validated VirtualHost change.
$ sudo systemctl reload apache2
Use sudo systemctl reload httpd on Red Hat-family systems.
- Confirm the redirect from the HTTP listener.
$ curl -sI http://host.example.net/docs/
HTTP/1.1 301 Moved Permanently
Date: Thu, 09 Apr 2026 04:45:13 GMT
Server: Apache/2.4.58 (Ubuntu)
Location: https://host.example.net/docs/
Content-Type: text/html; charset=iso-8859-1
Redirect HTTP to HTTPS in Apache using Redirect directive
The Redirect directive from mod_alias is the simplest way to move an entire HTTP vhost to HTTPS. It is readable, built for straightforward redirection, and avoids bringing mod_rewrite into the configuration when no extra matching logic is needed.
This method belongs in the dedicated port 80 VirtualHost that should do nothing except send clients to the secure URL. The important detail is status handling: a bare Redirect is temporary by default, so use permanent or an explicit 301 when the scheme upgrade should be cached as the canonical path.
- Open the HTTP VirtualHost configuration file.
$ sudo vi /etc/apache2/sites-available/000-default.conf
- Add a permanent redirect inside the port 80 VirtualHost.
<VirtualHost *:80>
    ServerName host.example.net
    Redirect permanent / https://host.example.net/
</VirtualHost>
permanent sends a 301 response. Omit the status or use temp while testing when a temporary 302 is preferable.
Hardcode the destination hostname instead of using HTTP_HOST when the HTTPS site must always answer on one canonical host.
- Test the Apache configuration before reloading it.
$ sudo apache2ctl configtest
Syntax OK
- Reload Apache to apply the redirect.
$ sudo systemctl reload apache2
Use sudo systemctl reload httpd on Red Hat-family systems.
- Confirm that the redirect keeps the requested path and query string.
$ curl -sI 'http://host.example.net/docs/page.html?ref=1'
HTTP/1.1 301 Moved Permanently
Date: Thu, 09 Apr 2026 04:45:13 GMT
Server: Apache/2.4.58 (Ubuntu)
Location: https://host.example.net/docs/page.html?ref=1
Content-Type: text/html; charset=iso-8859-1
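The "Confirm" step in each of the three methods reads the curl -sI output by eye. As an added example (not part of the original guide), the shell function below checks the same properties automatically: a 301 status, an https:// Location on the expected hostname, and an unchanged path and query string. The function name, the verdict strings and the sample responses are constructed for illustration.

```sh
#!/bin/sh
# check_redirect HEADERS REQUEST_URL CANONICAL_HOST
# HEADERS is the text printed by `curl -sI REQUEST_URL`. Prints "ok" or the
# first reason the response is not the intended HTTP-to-HTTPS redirect.
check_redirect() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')   # curl keeps the CRLF line ends
    request_url=$2
    canonical_host=$3

    # The status code is the second field of the status line.
    status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
    # Header names are case-insensitive; take the first Location value.
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1) == "location:" { print $2; exit }')

    # Path plus query string of the original request (what must be preserved).
    rest=${request_url#http://}
    case $rest in
        */*) path_query=/${rest#*/} ;;
        *)   path_query=/ ;;
    esac

    if [ "$status" != 301 ]; then echo "status:$status"; return 1; fi
    case $location in
        "") echo "no-location"; return 1 ;;
        "https://$canonical_host$path_query") echo "ok"; return 0 ;;
        "https://$canonical_host"/*) echo "path-changed"; return 1 ;;
        https://*) echo "wrong-host"; return 1 ;;
        *) echo "not-https"; return 1 ;;
    esac
}

# Constructed sample responses (not captured from a real server).
SAMPLE_OK='HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.58 (Ubuntu)
Location: https://host.example.net/docs/page.html?ref=1'

SAMPLE_TEMP='HTTP/1.1 302 Found
Location: https://host.example.net/docs/page.html?ref=1'

URL='http://host.example.net/docs/page.html?ref=1'
check_redirect "$SAMPLE_OK" "$URL" host.example.net || true     # ok
check_redirect "$SAMPLE_TEMP" "$URL" host.example.net || true   # status:302
```

Against a live server, pass "$(curl -sI "$URL")" as the first argument. A wrong-host verdict on a rule built from %{HTTP_HOST} is the case where the fixed-hostname form described above applies.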
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
