Force https entire site without redirecting http to https

httphttps

There were a plenty of discussions while I was researching how to make my entire site https. The most answers were to redirect http to https (.htaccess file), which is not good, because it's not good to do the same job twice (two requests). Also, the "man in the middle" first takes on http, and I want my site to go directly on https.
Is there another way to make your entire site https, and how to do this? For example, when user types in example.com, that example.com automatically goes to https, without redirecting from http or anything else first?

Best Answer

No. You cannot magically make the visitor's browser choose the right protocol. A redirect is the way to do it.

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

Redirect all http AND https non-www URLS to https://www.example.com via htaccess

You need a certificate that is valid for both example.com and www.example.com if you're going to rewrite those requests to www.example.com (or two separate certs that accomplish this). There's no way around this.

Best Answer

Related Solutions

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

Redirect all http AND https non-www URLS to https://www.example.com via htaccess

Related Topic