How to redirect all traffic to HTTPS on your Drupal site

Drupal Version: 7

Since Google announced that it gives an additional SEO boost for sites that are fully encrypted with HTTPS, it is now advisable to encrypt your entire site and not just pages with sensitive information such as user login and checkout pages.

There are multiple methods to achieve this. We like using the modification to the .htaccess file shown below.

In the .htaccess file located in the Drupal root directory, find the lines:

    <IfModule mod_rewrite.c>
      RewriteEngine on

Directly after them, add this code:

      RewriteCond %{HTTPS} off
      RewriteCond %{HTTP:X-Forwarded-Proto} !https
      RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Your Drupal .htaccess file should now have a section that looks similar to this:

    # Various rewrite rules.
    <IfModule mod_rewrite.c>
      RewriteEngine on

      # Redirect to HTTPS when the request did not arrive over TLS, either
      # directly or via a proxy that reports https in X-Forwarded-Proto.
      RewriteCond %{HTTPS} off
      RewriteCond %{HTTP:X-Forwarded-Proto} !https
      RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

      # Set "protossl" to "s" if we were accessed via https://.  This is used later
      # if you enable "www." stripping or enforcement, in order to ensure that
      # you don't bounce between http and https.
      RewriteRule ^ - [E=protossl]
      RewriteCond %{HTTPS} on
      RewriteRule ^ - [E=protossl:s]

NOTE: This, of course, assumes that you’ve procured a valid SSL certificate for your site/domain and have it installed correctly.
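
The second condition in the rule above consults the `X-Forwarded-Proto` request header, which is only meaningful when a TLS-terminating proxy or load balancer in front of Apache sets it. The following is an added example, not part of the original article, that separates the two deployment cases so the header is trusted only where something upstream controls it. It assumes that in the proxied case the proxy overwrites the header on every request.

```apache
# Added example. Place directly after "RewriteEngine on" and enable ONE variant.

# Variant A: Apache terminates TLS itself (no proxy or load balancer in front).
# Only %{HTTPS} is consulted, so a client-supplied X-Forwarded-Proto header
# has no influence on whether the redirect fires.
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Variant B: a proxy or load balancer terminates TLS and forwards plain HTTP
# to Apache. %{HTTPS} is always "off" here, so the decision rests on the header.
# Assumptions: the proxy overwrites X-Forwarded-Proto on every request, and
# Apache is not reachable except through that proxy.
# A missing header also fails the "https" match, so such requests are redirected.
#RewriteCond %{HTTP:X-Forwarded-Proto} !https
#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

To check the result, request any page over plain `http://` (for example with `curl -I`) and confirm the response is a `301` whose `Location:` header starts with `https://`.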

What is SSL

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.

To be able to create an SSL connection a web server requires an SSL Certificate. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys – a Private Key and a Public Key.

The Public Key does not need to be secret and is placed into a Certificate Signing Request (CSR) – a data file also containing your details. You should then submit the CSR. During the SSL Certificate application process, the Certification Authority will validate your details and issue an SSL Certificate containing your details and allowing you to use SSL. Your web server will match your issued SSL Certificate to your Private Key. Your web server will then be able to establish an encrypted link between the website and your customer’s web browser.

The complexities of the SSL protocol remain invisible to your customers. Instead, their browsers provide them with a key indicator to let them know they are currently protected by an SSL-encrypted session: the lock icon in the lower right-hand corner. Clicking on the lock icon displays your SSL Certificate and the details about it. All SSL Certificates are issued to either companies or legally accountable individuals.

Typically an SSL Certificate will contain your domain name, your company name, your address, your city, your state and your country. It will also contain the expiration date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate. When a browser connects to a secure site it will retrieve the site’s SSL Certificate and check that it has not expired, it has been issued by a Certification Authority the browser trusts, and that it is being used by the website for which it has been issued. If it fails on any one of these checks the browser will display a warning to the end user letting them know that the site is not secured by SSL.