How do I redirect from HTTP to HTTPS?

Redirection from HTTP to HTTPS can be performed in various places: in the application, in the web server or in an upstream proxy/CDN such as Cloudflare.

When using Apache httpd as a Managed Service, the redirect can be configured with an .htaccess file.

The .htaccess file should be stored in the --webroot (document root) folder defined with nine-manage-vhost and contain the following directives.

RewriteEngine on
RewriteCond %{HTTPS} !on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L,QSA]

If your .htaccess file already contains rewrite rules, you should place the above rule at the beginning.

Please note that there is no comparable alternative to .htaccess files for NGINX; in this case, redirection is only possible with a custom template.

If Apache httpd or NGINX is used as a proxy for e.g. a Node.js application, the redirection can be done with an existing template for nine-manage-vhosts.

If all requests to your application are made using HTTPS, the use of Strict Transport Security (HSTS) can provide additional security.

Redirection behind a load balancer

If secure connections are being terminated with a load balaner by Nine, the internal connection to the backend is done without encryption. The check above does not work and results in a redirection loop. But there is an alternate check which is based on an HTTP header:

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L,QSA]

Redirection behind a load balancer​

Redirection behind a load balancer