After installing your SSL certificate, you need to redirect all HTTP traffic to HTTPS. Without a redirect, visitors accessing http://yourdomain.com won’t use the encrypted connection — even if HTTPS is available.
Use a 301 (permanent) redirect so search engines transfer all ranking signals to the HTTPS URL.
Nginx
Add a separate server block for port 80 that redirects everything:
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
This preserves the full URL path: http://example.com/page?q=1 → https://example.com/page?q=1.
After editing, test and reload:
sudo nginx -t && sudo systemctl reload nginx
Apache
Option 1: VirtualHost redirect (recommended)
Add to your Apache config:
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://example.com/
</VirtualHost>
Option 2: .htaccess (shared hosting)
If you don’t have access to VirtualHost config (shared hosting), add to your site’s .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Requires mod_rewrite to be enabled.
After changes:
sudo apachectl configtest && sudo systemctl reload apache2
Verify the redirect
# Should return 301 with Location: https://...
curl -I http://yourdomain.com
Expected output:
HTTP/1.1 301 Moved Permanently
Location: https://yourdomain.com/
HSTS: the double-lock
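After confirming your redirect works, add HSTS (HTTP Strict Transport Security). This tells browsers to always use HTTPS, even if the user types http://. Set the header in the HTTPS (port 443) server block or VirtualHost, because browsers ignore it on responses received over plain HTTP: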
Nginx:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
Apache:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
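Start with a short max-age (e.g., 300 seconds) to test, then increase to 2 years (63072000) once you’re confident everything works. Because includeSubDomains applies the policy to every subdomain, confirm each one serves HTTPS before raising the value.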
Warning: Once HSTS is active with a long max-age, browsers will refuse to connect over HTTP even if you remove HTTPS. Make sure your HTTPS setup is stable before setting a long duration.
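To check the redirect and the HSTS header in one pass, the following added example (not part of the original guide) parses `curl -ILs` output and lists every deviation from what this page expects. The function names, the `min_max_age` parameter and the sample response text are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of `curl -ILs http://example.com/page?q=1` output (not from a real host).
SAMPLE = """\
HTTP/1.1 301 Moved Permanently
Location: https://example.com/page?q=1

HTTP/2 200
strict-transport-security: max-age=300; includeSubDomains
"""

def parse_hops(raw):
    """Split curl -I output into [(status, {header: value})], one entry per response."""
    hops = []
    for line in raw.splitlines():
        line = line.strip()
        m = re.match(r"HTTP/\S+\s+(\d{3})", line)
        if m:
            hops.append((int(m.group(1)), {}))
        elif ":" in line and hops:
            name, value = line.split(":", 1)
            hops[-1][1][name.strip().lower()] = value.strip()
    return hops

def audit(raw, start_url, min_max_age=63072000):
    """Return a list of findings; an empty list means the chain matches the guide."""
    hops, findings = parse_hops(raw), []
    if not hops:
        return ["no HTTP responses found"]
    status, headers = hops[0]
    src, dst = urlsplit(start_url), urlsplit(headers.get("location", ""))
    if status != 301:
        findings.append(f"first hop is {status}, expected 301")
    if dst.scheme != "https":
        findings.append("first hop Location is not https://")
    if (dst.path or "/", dst.query) != (src.path or "/", src.query):
        findings.append("path or query string lost in redirect")
    final_status, final_headers = hops[-1]
    if final_status != 200:
        findings.append(f"final response is {final_status}, expected 200")
    # HSTS is evaluated on the final response, which is the one served over HTTPS.
    hsts = final_headers.get("strict-transport-security")
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts or "", re.I)
    if not m:
        findings.append("no usable HSTS max-age on final response")
    elif int(m.group(1)) < min_max_age:
        findings.append(f"HSTS max-age {m.group(1)} below {min_max_age}")
    return findings
```

During the short max-age test phase, pass `min_max_age=300` so the check only fails when the header is missing or malformed.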
Common redirect patterns
Redirect www to non-www + HTTPS
# Nginx: www → non-www, HTTP + HTTPS → HTTPS
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /etc/ssl/fullchain.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;
    return 301 https://example.com$request_uri;
}
Redirect non-www to www + HTTPS
server {
    listen 80;
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/ssl/fullchain.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;
    return 301 https://www.example.com$request_uri;
}
Redirect an entire old domain
server {
    listen 80;
    listen 443 ssl;
    server_name olddomain.com www.olddomain.com;
    ssl_certificate /etc/ssl/old-fullchain.pem;
    ssl_certificate_key /etc/ssl/old-privkey.pem;
    return 301 https://newdomain.com$request_uri;
}
You need a valid SSL certificate for the old domain too — browsers must establish HTTPS before they can receive the redirect. Use a SAN certificate covering both domains, or a separate certificate for the old domain.
Troubleshooting
Redirect loop (ERR_TOO_MANY_REDIRECTS)
This usually means your HTTPS server block is also redirecting to HTTPS. Check that only the port 80 block has the redirect — the port 443 block should serve content normally.
Another cause: a load balancer or proxy (Cloudflare, AWS ALB) terminates SSL and forwards HTTP to your server. Your server sees HTTP and redirects. Fix by checking the X-Forwarded-Proto header:
# Behind a proxy/load balancer
if ($http_x_forwarded_proto = "http") {
    return 301 https://$host$request_uri;
}
Old HTTP URLs cached in search engines
After setting up redirects, tell Google about the change:
- Update <link rel="canonical"> to use https://
- Update your sitemap URLs to https://
- In Google Search Console, add the HTTPS property
Google will gradually update indexed URLs as it follows the 301 redirects.
Frequently asked questions
Should I redirect www to non-www (or vice versa) at the same time?
Yes. Pick one canonical form and redirect the other. This avoids duplicate content in search engines:
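# Redirect www to non-www (Nginx)
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;
    # The 443 listener needs a certificate covering www.example.com
    ssl_certificate /etc/ssl/fullchain.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;
    return 301 https://example.com$request_uri;
}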
Will the redirect affect SEO?
A 301 redirect passes ranking signals to the destination URL. Google recommends 301 redirects for HTTP-to-HTTPS migration. There may be a small, temporary fluctuation, but long-term SEO improves because of the HTTPS ranking signal.
What about mixed content after redirecting?
The redirect handles page URLs, but if your HTML references resources (images, scripts, CSS) with http:// URLs, browsers will block them or show warnings. See our mixed content fix guide.
How do I test if my redirect is working correctly?
# Check redirect chain
curl -ILs http://yourdomain.com | grep -E '^HTTP|^Location'
Expected output:
HTTP/1.1 301 Moved Permanently
Location: https://yourdomain.com/
HTTP/2 200
The first response should be 301 with an HTTPS Location, and the final response should be 200.
Should I redirect at the DNS level or server level?
Server level (Nginx/Apache config or .htaccess). DNS-level redirects (like Cloudflare’s Page Rules) work but add a network hop and give you less control over the redirect behavior. Server-level redirects are faster and more reliable.