[Techtalk] implementing HTTPS-only sitewide

Maria McKinley maria at shadlen.org
Wed Sep 5 18:35:44 UTC 2012

On 9/5/12 1:23 AM, Veronica K. B. Olsen wrote:
> On 5 September 2012 07:32, Carla Schroder <carla at bratgrrl.com> wrote:
>> howdy techtalkers,
>> I need to figure out the best way to implement HTTPS for a client's site,
>> and
>> it's driving me buggy. It's Drupal 7 on Apache on CentOS 6. We have an SSL
>> cert already installed. The problem I'm struggling with is how to
>> implement it
>> in a way that doesn't get in the way of site visitors; I have actually seen
>> suggestions to force HTTPS only by closing port 80, and to serve up an
>> error
>> page for all HTTP requests that tells the user to type HTTPS. That is
>> definitely not an option; it must be handled by the server.
>> I'm thinking the cleanest way, from the perspective of site visitors, is to
>> redirect all HTTP requests to HTTPS. Just force HTTPS sitewide. Then I
>> don't
>> have to worry about accidentally missing a page or a form. So how do I do
>> this? In Apache? Drupal? I've seen many different suggestions, and most of
>> them
>> look bizarre, and it seems odd that something this important is so poorly-
>> documented. So help plz.
>> thanks in advance,
>> Carla
>> btw I am developing great dislike for CPanel and other "helpful" frontends.
>> They make a gawdawful mess sometimes!
>> --
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Carla Schroder
>> ace Linux nerd
>> author of Linux Cookbook,
>> Linux Networking Cookbook,
>> Book of Audacity
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> _______________________________________________
>> Techtalk mailing list
>> Techtalk at linuxchix.org
>> http://mailman.linuxchix.org/mailman/listinfo/techtalk
> I have a private webserver set up with Ubuntu and Apache2.
> I do pretty much what you're asking (I think). This is how I do it:
> I have this bit added to /etc/apache2/sites-available/default
> <Directory /var/www/>
>      Options Indexes FollowSymLinks MultiViews
>      AllowOverride None
>      Order allow,deny
>      allow from all
>      RewriteEngine On
>      RewriteCond %{HTTPS} off
>      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
> </Directory>
> This redirects all requests to Https.
> –Veronica

This is approximately what I was going to say. For some reason the 
RewriteCon and Rewrite rule are often in .htaccess, but I've never 
understood why.


More information about the Techtalk mailing list