Drupal Force HTTPS (ssl)

By shane
Fri, 2012-04-13 11:24

Share with Others

There may come a time where you need to force a user to see your site under HTTPS. If you only have one site on the server, you can easily add something like this to your apache config file:

Redirect permanent / https://www.domainname.com/

However, in the case that you have multiple websites on your server, and you only need Apache to force a redirect on one of your Drupal sites, this changes things. In order to get this setup, you will need to edit the .htaccess file inside your Drupal root folder for this website (note: multi-site installations may be slightly different).

Inside the .htaccess file, you will need to add something like this (replacing your domain name as needed):

RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^domainname\.com*
RewriteRule ^(.*)$ https://www.domainname.com/$1 [L,R=301]

These rewrite conditions should be placed after the following lines:

<IfModule mod_rewrite.c >
RewriteEngine on

In the example above, I am forcing a user to be redirected to https://www.domainname.com regardless of whether they originally navigated to domainname.com or www.domainname.com

Adding the SSL certificate to the subdomain (in this case www), allows you to set up the SSL without a dedicated IP address for this site. This may work well in some shared hosting environments.


Does this method have any downsides as far as server performance and using up bandwidth?

When multiple sites comes into force under the drupal sites it often works very difficult as when a particular task is operated in the drupal sites the works becomes very slow in the server due to some technical issues.<

There are so many other crazy versions of this on the web. Thanks so much for this very clear example. Saved my day!

The SecurePages module I believe has the option to force https and works under a multisite Drupal installation.

I was able to use this

RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteRule ^ - [E=protossl]
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=protossl:s]

RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} !^(www|mobile|forum)\. [NC]
RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I have not tried this, but thanks for the comment. This could help other people that are running multisite installs and are using HTTPS.

I posted the comment above from Erik on 16th December, 2014 titled Multisite Configuration. This is an update. I tried to change my comment but couldn't maybe someone can update it for me; but after a little bit of more testing it seemed that this did work but was not doing everything I needed.

The following worked perfect for me on a Drupal 7 Multisite that I wanted to redirect to ssl and enforce www except on sub-domains mobile and forum.I uncommented and replaced
RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} !^(www|mobile|forum)\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} ^(www|mobile|forum)\. [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

First redirects all traffic not (!) with sub-domains of (www|mobile|forum) to ssl and enforce www in domains except those with sub-domains of www, mobile, or forum.

Second redirects all traffic with sub-domains of (www|mobile|forum) to ssl.

This redirects everything to

If you have no sub-domains replace (www|mobile|forum) with just www or had more sub-domains, just separate with | and no spaces.


I used the above code in my .htaccess file and it caused a redirect loop and the site won't load. I just replaced 'domainname' with my domain. Any reason why this might be happening?

Post new comment