Forcing Redmine to use SSL on Apache

At first you need to make sure that your SSL website works, that certificates are good and properly installed, and there is no firewall blocking your server's 443 port.

Placing standard .htaccess file which redirects to SSL might not work in case of Passenger and Apache, so the proper way to really force SSL is by placing the peace of generic force SSL code to your apache's server conf file.

In a case you have installed and configured your server properly, by following the book tutorials you should edit your /etc/apache2/sites-enabled/ file

And place the below peace of code, after your server name, on virtual-host listening on port 80

So, this peace is a generic code, that will always work, and always force redirect users to SSL, and you can use it for PHP stuff as well, wordpresses, cakephp etc...

RewriteEngine On

RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

One note for IT company managers and HR people, please prevent your "wunderkids" and your young programmers from posting online and writing tutorials, first they need to learn and work for a while (10+ years) then they should write tutorials, becase I've found many faulty tutorials and advices how to force SSL.

Anothet thing that you need to do is having Redmine work on SSL, I'm not sure exactly is it required and doing anything, but let's turn it on:

Navigate to Administration | Settings  and choose HTTPS from the Protocol dropdown

And now some advanced stuff, kids mentioned above, please stop reading, or you might end-up paying someone for support :D

If you force SSL the above way, you can't use the following passenger directive in a same virtual server's conf file:


because it's conflicting with Apache's mod rewrite, as explained in passenger's apache module docs, here

So, in order to force SSL, you should do it with Rails and Redmine itself, actually, to do so, edit the redmine's application.rb file placed in config directory.

Uncommenting the config.plugins = [ :ssl_requirement ] line does nothing on Redmine 3.3 ...

However, placing the below code:

config.force_ssl = true

Anywhere in your redmine's /config/application.rb will in fact force SSL for real!

As a matter of fact I'm now going to suggest it to core developers to make that work like that, since https setting obviously does nothing.

You can track it here...