Drupal 7 HTTPS

In order to keep up with Google’s HTTPS recommendations and related SEO implications, and in order to take advantage of CloudFlare’s recent move to support SSL for all sites, including free plans, with its “Universal SSL” initiative, we at Origin Eight are setting up all future Drupal sites (at least those that we host under our DripDrop Hosting umbrella) with site-wide HTTPS,  using CloudFlare’s Flexible SSL at a minimum.

For Drupal 7, we found the following configuration works quite well:

Add the following text in the gray box to .htaccess right after it says “RewriteEngine on”, or, even better, add to the webserver config in a site-specific manner so that upgrading Drupal core does not wipe out the .htaccess file:

# Various rewrite rules.
<IfModule mod_rewrite.c>
RewriteEngine on

RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

# Set "protossl" to "s" if we were accessed via https://.  This is used later
# if you enable "www." stripping or enforcement, in order to ensure that
# you don't bounce between http and https.
RewriteRule ^ - [E=protossl]
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=protossl:s]

Then, add

$_SERVER['HTTPS'] = 'on';

to local.settings.php, ensuring local.settings.php starts with <?php and does not include a closing ?>, also ensuring the local.settings.php file is included via settings.php like so (make sure to clear your caches afterwards):

  # Additional site configuration settings.
  if (file_exists('/PATH_TO_DRUPAL_INSTALL/sites/www.SITENAME.com/local.settings.php')) {