
How do I enable HTTPS for Drupal?

Enabling HTTPS in Drupal

At HostingDuty, we treat HTTPS as a baseline security requirement. Drupal itself does not generate SSL certificates; it relies on the web server to terminate TLS and serve content over HTTPS. You must configure your server to use a valid certificate, then instruct Drupal to trust the HTTPS protocol.

Server-side SSL Configuration

Your web server must be configured to listen on port 443 and serve Drupal over HTTPS. For Apache, this typically involves enabling the mod_ssl module and configuring a virtual host with SSLEngine on, SSLCertificateFile, and SSLCertificateKeyFile. For Nginx, you configure listen 443 ssl; and point to your certificate paths. HostingDuty provides Let's Encrypt integration for automated certificate renewal, which simplifies this process.

Drupal Protocol Settings

Drupal must be told to generate URLs using the HTTPS protocol. Edit your sites/default/settings.php file and set the $base_url to an HTTPS URL:

```php
// Honoured by Drupal 7; Drupal 8 and later ignore $base_url in settings.php.
$base_url = 'https://example.com';
```

If you are behind a reverse proxy or load balancer, you must also configure Drupal to trust the proxy. Add the following to settings.php:

```php
$settings['reverse_proxy'] = TRUE;
// Drupal reads the list of trusted proxy IPs from reverse_proxy_addresses.
$settings['reverse_proxy_addresses'] = ['your-proxy-ip'];
```

This ensures Drupal correctly detects the incoming protocol and generates secure links. For more details, see our guide on configuring reverse proxies.

Enforcing HTTPS Redirects

To ensure all traffic uses HTTPS, configure your server to redirect HTTP requests to HTTPS. In Apache, add the following to .htaccess:

```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

For Nginx, add a server block that listens on port 80 and redirects to HTTPS:

```nginx
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

HostingDuty's SSL configuration guide provides step-by-step instructions for both Apache and Nginx. Note that redirect rules should be placed before Drupal's internal rewrite rules to avoid conflicts.

Common Pitfalls

A frequent issue is mixed content, where some resources (images, scripts) are still loaded over HTTP. Ensure all asset URLs in your theme and modules use relative paths or the https:// protocol. Drupal's file_url() and theme() functions handle this automatically if $base_url is set correctly.

For troubleshooting, check your browser console for mixed content warnings. You can also use tools like SSL Labs to validate your certificate chain and protocol configuration.

Security Best Practices

Beyond enabling HTTPS, we recommend enabling HTTP Strict Transport Security (HSTS) to instruct browsers to always use HTTPS. Add the following header to your server configuration:

```apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
```

This prevents downgrade attacks and ensures long-term security compliance. For more on Drupal security hardening, see our security checklist.

Conclusion

Enabling HTTPS for Drupal requires server-side SSL configuration, correct `$base_url` settings, and enforced redirects. HostingDuty automates certificate management, but you must configure Drupal and your server to work together securely. Always test your setup with tools like SSL Labs and monitor for mixed content issues.
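The three things this article asks you to verify (the port-80 redirect, the HSTS header, and mixed content) can be checked against captured responses. The Python below is an added example, not HostingDuty's or Drupal's code; the function names and the sample responses are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Tags whose URL attribute makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "audio": "src", "video": "src", "source": "src"}

class MixedContentFinder(HTMLParser):
    """Collects http:// subresources referenced by an HTTPS page."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        name = SUBRESOURCE_ATTRS.get(tag)
        # <link> loads a resource only for stylesheets; <a href> is navigation.
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            name = "href"
        url = (attrs.get(name) or "").strip() if name else ""
        if url.lower().startswith("http://"):
            self.hits.append((tag, url))

def check_redirect(status, headers, host):
    """Port-80 response must be a 301 to the same host over HTTPS."""
    location = headers.get("location", "")
    return status == 301 and location.startswith(f"https://{host}/")

def check_hsts(headers, min_age=31536000):
    """HTTPS response must carry HSTS with max-age of at least min_age."""
    value = headers.get("strict-transport-security", "")
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= min_age

def audit(http_resp, https_resp, host):
    finder = MixedContentFinder()
    finder.feed(https_resp["body"])
    return {"redirect": check_redirect(http_resp["status"], http_resp["headers"], host),
            "hsts": check_hsts(https_resp["headers"]),
            "mixed_content": finder.hits}

# Constructed sample responses (header names lower-cased), not from a real site.
HTTP_RESP = {"status": 301, "headers": {"location": "https://example.com/node/1"}}
HTTPS_RESP = {"headers": {"strict-transport-security": "max-age=31536000; includeSubDomains"},
    "body": '<link rel="stylesheet" href="/core/a.css">'
            '<img src="http://example.com/sites/default/files/logo.png">'
            '<a href="http://example.org/">plain link, not mixed content</a>'
            '<script src="//cdn.example.net/app.js"></script>'}

print(audit(HTTP_RESP, HTTPS_RESP, "example.com"))
```

Only the `<img>` is reported: the `<a href>` is navigation rather than a loaded resource, and the protocol-relative script inherits the page's HTTPS scheme.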
