HTTPS Redirect: Sichere Verbindung erzwingen

HTTPS ist Pflicht für jede moderne Website. Hier erfahren Sie, wie Sie alle Anfragen automatisch auf HTTPS umleiten und HSTS aktivieren.

Warum HTTPS?

• Verschlüsselung: Daten vor Abhören schützen
• SEO: Google bevorzugt HTTPS
• Vertrauen: Schloss-Symbol im Browser
• Features: HTTP/2, Service Worker nur mit HTTPS
• DSGVO: Kontaktformulare erfordern Verschlüsselung

Apache: .htaccess

# HTTP zu HTTPS umleiten
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# ODER: Mit ServerName
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301]

Zusätzlich: www zu non-www (oder umgekehrt)

# www zu non-www + HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301]

# non-www zu www + HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.example.com%{REQUEST_URI} [L,R=301]

Nginx

# HTTP zu HTTPS umleiten
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    return 301 https://example.com$request_uri;
}

# HTTPS Server
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Rest der Konfiguration...
}

# www zu non-www Redirect
server {
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    return 301 https://example.com$request_uri;
}

HSTS (HTTP Strict Transport Security)

HSTS zwingt Browser, NUR HTTPS zu verwenden – selbst wenn Nutzer http:// eingibt.

Apache

# In .htaccess oder VirtualHost
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Nginx

# Im HTTPS server-Block
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

HSTS Parameter

PHP Redirect

<?php
// Am Anfang der index.php
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') {
    $redirectUrl = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header('HTTP/1.1 301 Moved Permanently');
    header('Location: ' . $redirectUrl);
    exit;
}

// HSTS Header setzen
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

Cloudflare

1. SSL/TLS → Overview → Full (strict)
2. SSL/TLS → Edge Certificates → Always Use HTTPS: ON
3. SSL/TLS → Edge Certificates → HSTS: Enable

Let's Encrypt Zertifikat

# Certbot installieren (Ubuntu)
sudo apt install certbot python3-certbot-nginx

# Zertifikat für Nginx
sudo certbot --nginx -d example.com -d www.example.com

# Für Apache
sudo certbot --apache -d example.com -d www.example.com

# Nur Zertifikat (manuell konfigurieren)
sudo certbot certonly --webroot -w /var/www/html -d example.com

# Auto-Renewal testen
sudo certbot renew --dry-run

Mixed Content beheben

Nach HTTPS-Umstellung können HTTP-Ressourcen Probleme machen:

<!-- ❌ Mixed Content Warnung -->
<img src="http://example.com/image.jpg">
<script src="http://cdn.example.com/script.js"></script>

<!-- ✅ Protokoll-relativ oder HTTPS -->
<img src="//example.com/image.jpg">
<img src="https://example.com/image.jpg">

Content-Security-Policy für Mixed Content

# Nur HTTPS-Ressourcen erlauben
Content-Security-Policy: upgrade-insecure-requests

# Oder blockieren
Content-Security-Policy: block-all-mixed-content

Prüfung

# HTTPS und Redirect testen
curl -I http://example.com
# Sollte 301 zu https:// zeigen

curl -I https://example.com
# Sollte 200 und HSTS-Header zeigen

# Online-Tools
# - SSL Labs: ssllabs.com/ssltest
# - Security Headers: securityheaders.com

Weitere Informationen

• 🔒 SSL-Zertifikat einrichten
• ⚡ Nginx vs Apache
• 🔧 Domain Toolkit – SSL prüfen