Home

How to redirect Drupal or Ubercart to a SSL connection with htaccess.

This tutorial outlines a quick and easy way of securing Ubercart by redirecting the cart and other directories to the SSL version.

Add the text below to the .htaccess file in your Drupal root directory AFTER any Drupal redirects you are already using. You will need to modify the RewriteRule lines below if your URLs do not match the ones I use in this example.

# Start code copy RunSSL.com Ubercart .htaccess redirect to SSL.
#
# Technique below is preferred over RewriteCond %{SERVER_PORT} 80
# because it does not require mod_ssl to be loaded
# and it does not assume that the non SSL web server is running on port 80.
#
RewriteCond %{HTTPS} !=on
#
# Begins all the paths that you want to secure over SSL.
# All directories (user|cart|admin) include sub directories
# Example: "cart" protects http://www.runssl.com/cart and http://www.runssl.com/cart/checkout.
# If the URL BEGINS with the word cart or cart/anything it will redirect to SSL.
#
# You can add as many directories as you need by adding them to the (user|cart|admin) section below.
# Example: (user|cart|admin|secure|anything|example) would redirect http://www.runssl.com/secure and
# http://www.runssl.com/anything and http://www.runssl.com/example to the https version of the URL.
#
RewriteRule ^/?(user|cart|admin) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#
# Now we can also redirect all traffic to non SSL when accessing specific URLs
# This can be useful for performance reasons. This can also give warning messages in
# Firefox and Internet Explorer. Suggested setting is to comment the lines below out.
# Comment lines out by adding a # and space in front of the command.
#
RewriteCond %{HTTPS} !=off
#
# Below you can add any directories or URLs that you do not want secure.
# using the same technique as above.
#
RewriteRule ^/?(content|category) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#
# Stop code copy RunSSL.com Ubercart .htaccess redirect to SSL.

RunSSL operates under the assumption that if you accessed cart, admin or user then you should stay on the SSL connection but this can slow your website down due to the over head of your web server encrypting and decrypting every request sent over SSL. That is why I added the ability to turn SSL off depending on the URL accessed. I suggest if you are having performance problems due to SSL it is time to upgrade your server. This RewriteRule can create a warning message when a users goes from a SSL to non SSL connection if they have the "Warn me when I leave a encrypted page for one that isn't encrypted." setting checked in Firefox so please use with caution.

Some people have asked "Why not use secure pages? http://drupal.org/project/securepages"
The answer is simple. Secure pages are currently in beta, and htaccess is not affected by Drupal version or upgrades.

Basic setup used for the tutorial.
Clean URLs are enabled.
Drupal 5.1.2 http://drupal.org/drupal-6.6
Ubercart 5.x-1.6 http://drupal.org/project/ubercart

Below modules are not required for this tutorial but have been enabled in the testing of our example.
Pathauto 5.x-2.3 http://drupal.org/project/pathauto
Path Rediect 5.x-1.2 http://drupal.org/project/path_redirect
Global Redirect 5.x-1.3-1 http://drupal.org/project/globalredirect

Same code as above but without the comments.
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(user|cart|admin) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} !=off
RewriteRule ^/?(content|category) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]