Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How to make a website hosted in Plesk permanently use a secure connection over HTTPS?
Answer
Before enabling permanent HTTPS redirection for a domain, make sure that the website is accessible over HTTPS:
-
The setting SSL/TLS support is enabled in Hosting Settings of a domain.
-
In Plesk, go to Domains > example.com > Hosting Settings.
-
Enable the setting Permanent SEO-safe 301 redirect from HTTP to HTTPS and select your certificate from the drop-down menu. Apply the changes.
Note: If the setting Permanent SEO-safe 301 redirect from HTTP to HTTPS is grayed out, please contact your service provider for assistance with permanent HTTPS redirection.
-
In Plesk, go to Domains > example.com > Apache & nginx Settings.
-
Copy the following directives to the Additional directives for HTTP field:
Note: If you are a domain owner and Apache & nginx Settings is not available for you, please contact your service provider for assistance with permanent HTTPS redirection.
CONFIG_TEXT: <IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,QSA]
</IfModule> -
Copy the following directives to the Additional nginx directives field, if nginx is used:
CONFIG_TEXT: if ($ssl_protocol = "") {
rewrite ^/(.*) https://$server_name/$1 permanent;
}
Note: This solution is applicable only if website is processed by Apache.
-
In Plesk, go to Domains > example.com > File Manager.
-
Open the .htaccess file, if available, or create a new one: click > Create File > type .htaccess in the File Name field > click OK. Once created, click on the file and paste the following content:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,QSA]
</IfModule> -
Click OK.
-
In Plesk, go to Domains > example.com > File Manager, open the web.config file and put the following content right before </system.webServer>:
Note: If the <rewrite>/<rules> sections already present in the web.config file, put the content below without tags <rewrite><rules>... </rules></rewrite> inside existing <rules> section.
CONFIG_TEXT: <rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>Click on the picture to enlarge
-
Connect to a Plesk server via RDP.
-
Start Internet Information Service (IIS) Manager at Windows Start > All Programs > (Windows) Administrative Tools.
-
In IIS Manager, expand SERVERNAME > Sites > click on a required site name > double-click URL Rewrite.
Note: If the URL Rewrite button is missing, install the component "IIS URL Rewrite Module" using this KB article.
-
Click Add rule(s)... on the right pane > under the Inbound rules select Blank rule and click OK:
-
Configure the new rule:
-
Set the rule name in the field Name.
- Match URL section
- Requested URL: Matches the Pattern
- Using: Regular Expressions
-
Pattern: (.*)
-
Conditions section
Expand the Conditions section > click Add... and fill in the fields:- Condition input: {SERVER_PORT_SECURE}
-
Check if input string: Matches the Pattern
-
Pattern: ^0$
- Action section:
- Action type: Redirect
- Redirect URL: https://{HTTP_HOST}{REQUEST_URI}
-
Redirect type: Permanent (301)
-
Click Apply on the right pane to save the rule.
-
Comments
17 comments
What if someone wants to disable HTTP access completely, rather than redirecting?
In other words, http://www.example.com should be unavailable, while https://www.example.com should.
@Marco, this is a custom scenario that is not covered by this article. Plesk does not provide such possibility however, the instruction can be found somewhere in google, I guess.
How to enable SSL for both www and non-www domain address.
If is used with www - https://www.example.com - Chrome indicate that the site is secure: Certificate Valid, Cookies 0 in use.
If is used without www - https://example.com - Chrome indicate that the site is NOT secure: Certificate Valid, Cookies 6 in use.
When accessing Plesk panel using https://www.example.com:8443 or https://example.com:8443, both Chrome and IE shows not secure website.
Hello @loan,
Please, make sure that the certificate includes example.com or *.example.com.
For example, when using Let's Encrypt extension, both example.com and www.example.com will be secured:
To secure Plesk login page you need to additionally apply the following instruction:
https://support.plesk.com/hc/en-us/articles/213954265-How-to-secure-Plesk-login-page-URL-with-SSL-certificate
Why webmail is not redirected to HTTPS ?
What should we add in order to redirect from HTTP to HTTPS://webmail.domain.tld ?
(OFC, webmail is secured, before it come to your mind asking if it is).
Hello lenala,
To enable redirection to https for webmail proceed with the resolution from this article for Linux:
https://support.plesk.com/hc/en-us/articles/213951265-How-to-redirect-webmail-from-HTTP-to-HTTPS-on-a-Plesk-for-Linux-server
And these two if you are using Windows server:
https://support.plesk.com/hc/en-us/articles/115003935334-How-to-create-a-permanent-redirect-for-MailEnable-WebMail-from-HTTP-to-HTTPS-
https://support.plesk.com/hc/en-us/articles/115001586434-How-to-force-Horde-webmail-to-use-SSL-only
I've noticed that if I enable redirect using the first set of recommended instructions (Enabling HTTPS redirection in domain settings in Plesk), that it locks the subscription from syncing (undesired).
Then, if I "unlock and resync", the checkmark for "Permanent SEO-safe 301 redirect from HTTP to HTTPS" is removed, but the redirection appears to silently remain.
Is this a bug?
@Bob B,
I wasn't able to reproduce the described behavior neither on Plesk Onyx 17.8 nor on the latest Plesk Obsidian microupdate.
If the issue is still reproducible on your server, please submit the request to our Technical Support Team so they can check the issue thoroughly.
@Anzhelika Khapaknysh,
In my case, the permission "Hosting settings management" is usually disabled, in the hosting plan. In this case, it seems enabling "HTTPS redirection" locks the subscription.
Best Regards,
Bob
@Bob B
Hello,
The situation can be reproduced when the subscription's service plan has "Permanent SEO-safe 301 redirect from HTTP to HTTPS" option disabled in Hosting Parameters. This way a subscription indeed gets into a Locked status which is correct according to the Plesk logic: you customized the subscription adding an option that is missing in the service plan. To prevent subscription from locking, add "Permanent SEO-safe 301 redirect from HTTP to HTTPS" option on a service plan level.
The fact that the HTTP->HTTPS redirection still remains after you click "unlock and resync" means that the data has been cached in your browser. Clear browser cache or try different browser. Also make sure you manually enter http://yoursitename instead of clicking "Open in web" in Plesk since "Open in web" option opens site over HTTPS.
@Yulia Plokhotnikova,
Thanks for your reply.
In my opinion, that's unfortunate logic. The option to redirect HTTP to HTTPS should be left to each end user customer, without allowing everything else controlled by "Hosting Parameters" in the service plan.
Best Regards,
Bob
Hello Bob B
Thank you for the feedback.
Feel free to create a feature suggestion about it at our User-voice portal.
Popular suggestions are likely to be implemented.
For now, please, follow recommendations from my colleagues.
Hello,
I have installed WordPress in a subdirectory /wp .
Do I have to copy the code for Apache:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,QSA]
</IfModule>
Just under http or also under https apache directives?
As I have a Subdirectory Install /wp do I have to change the Rewrite Rule for Apache or the Nginx Rewrite Code (URL) ? Are the 2 Codes redirecting all Versions http://, http://www, and https://www. to https://domain.com?
Thank You
Hello, Chris!
Should be done under "Additional directives for HTTP" - and the redirect should work for those.
Thanks
Hello Renan, thanks for the information. As i use also Nginx as Reverse Proxy, do i additionally have to copy also this code to the nginx directives:
if ($ssl_protocol = "") {
rewrite ^/(.*) https://$server_name/$1 permanent;
}
Or is the additional nginx code just needed, when nginx only webserver is used without apache?
Thx
Chris
Hello Pradip Bade
Looks like you don't have admin access to Plesk. These permissions are adjusted in the Service Plan. So, for you it's required to contact the service provider, who provides hosting.
As redirect to HTTPS is already enabled in Plesk you won't be able to disable it via site code.
Chris
As Nginx is used, Nginx directives are also required.
Please sign in to leave a comment.