Updated content, originally published in June 2018
Got a site stuck on HTTP, flashing “Not Secure” warnings in browsers? Or maybe Google’s rankings aren’t showing the love. A 301 redirect to HTTPS is like herding all visitors to the main entrance—secure, SEO-friendly, and hassle-free. This guide breaks down how to set it up on Apache or Nginx, with practical tips to dodge common pitfalls. Updated for 2025, it’s packed with the latest know-how to get it done right.
Imagine a site reachable at http://example.com, https://example.com, and http://www.example.com. To Google, that’s like three sites battling for the same spotlight, splitting SEO power. A 301 redirect funnels everyone—visitors, search engines—to one URL, keeping traffic and rankings steady.
HTTPS is the standard now. It encrypts user data, stops browsers from scaring folks with warnings, and earns a small SEO boost from Google. Without a redirect, HTTP visitors might bolt when Chrome slaps a “Not Secure” label on the page. Plus, 301 redirects are key for rebrands, site mergers, or switching to HTTPS.
When to Use a 301 Redirect:
Fun fact: Chrome’s 2018 update made HTTPS basically mandatory. Curious? Read our article.
1. Confirm HTTPS Is Ready Before touching redirects, ensure HTTPS is set up. Grab an SSL certificate—Let’s Encrypt offers free ones that work great. Most hosting panels like cPanel or Plesk simplify the process, or a CDN like Cloudflare can handle it. After setup, test the certificate with SSL Labs. Aim for an A or A+ score to keep things solid.
2. Set Up Apache Redirects with .htaccess For Apache servers, the .htaccess file is the go-to for redirects. First, verify the mod_rewrite module is enabled. It’s usually on, but if not, add this to the server config:
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
Then restart Apache with:
sudo apache2ctl restart
Open the .htaccess file in the site’s root folder. For a simple HTTP-to-HTTPS redirect, use this:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
To drop the www (or keep it), here’s a snippet for redirecting to https://example.com without www:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
Typos in .htaccess can cause headaches, so double-check the code.
3. Configure Nginx Redirects On Nginx, redirects live in the virtual host config, either in nginx.conf or a file like sites-enabled/example.conf. For a basic HTTP-to-HTTPS redirect:
server {
listen 80;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
}
For HTTPS with www:
server {
listen 80;
server_name example.com www.example.com;
return 301 https://www.example.com$request_uri;
}
For HTTPS without www:
server {
listen 80;
server_name example.com www.example.com;
return 301 https://example.com$request_uri;
}
To redirect HTTPS non-www to HTTPS with www:
server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
return 301 https://www.example.com$request_uri;
}
server {
listen 443 ssl http2;
server_name www.example.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
root /var/www/example;
# Add other settings here...
}
If the hosting panel blocks separate vhosts, add the redirect to the main server block:
server {
listen 80;
listen 443 ssl http2;
server_name www.example.com example.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
root /var/www/example;
if ($scheme = http) {
return 301 https://$server_name$request_uri;
}
# Add other settings...
}
4. Test the Redirect Thoroughly After setting up the redirect, use Redirect Checker to confirm it works. Load the site via HTTP—does it switch to HTTPS? Check Chrome or Firefox for “mixed content” errors (when HTTP assets sneak onto an HTTPS page). Those need fixing to avoid issues.
Quick tip: Mixed content can be sneaky. Look up proxy mirror protection guides for extra security tips.
5. Update Google Search Console To keep Google in the loop about the HTTPS switch:
Add https://example.com as a new property in Google Search Console.
Submit an updated sitemap.xml.
Review “Crawl Errors” and fix any problems.
Use the “URL Inspection” tool to request reindexing.
Skipping Search Console updates can slow down the ranking recovery.
6. Add HSTS for Extra Security To force browsers to use HTTPS, enable HTTP Strict Transport Security (HSTS). Add this:
For Apache:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
For Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
For maximum protection, consider adding the site to the HSTS Preload List.
7. Simplify with CMS Running WordPress, Joomla, or PrestaShop? Skip the code. For WordPress, the Really Simple SSL plugin handles HTTP-to-HTTPS redirects effortlessly. On cPanel or Plesk, look for a “Force HTTPS” option in domain settings. It’s quick and painless.
A small coffee shop in Austin recently switched to HTTPS. The old HTTP site was slipping in Google rankings, and browser warnings were driving customers away. A 301 redirect via Nginx, plus a cleanup of mixed content, did the trick. After testing in a staging environment, traffic climbed 15% in two months, and the bounce rate dropped from 48% to 39%. A Hostiserver CDN added a speed boost for good measure. Testing was the key to avoiding chaos.