CloudStick is a server control panel for developers and agencies that lets you manage cloud servers on AWS, DigitalOcean, Vultr, Linode, and Hetzner without using the command line. Plans start at $9/month — the Basic plan covers 1 server with unlimited websites; Pro at $19/month and Business at $49/month cover unlimited servers.

Will features I pay for ever get moved to a higher plan?

No. CloudStick is committed to keeping all features you currently pay for within your existing plan. New features may be added to higher tiers, but existing plan features will never be removed or require a forced upgrade.

What happens to my servers if I cancel CloudStick?

Your servers remain fully operational after cancellation. CloudStick does not host your servers — it manages them. If you cancel, you lose access to the CloudStick dashboard, but your servers continue running on your cloud provider.

Is there a free trial for CloudStick?

Yes. CloudStick offers a 7-day free trial on all paid plans with no credit card required. You can explore every feature and upgrade, downgrade, or cancel at any time during or after the trial.

SSL & SECURITY

Jun 24, 2026

How to Force HTTPS Across Your Entire Website

8 min read

CloudStick Team

Backend Developer

Share this article

How to Force HTTPS Across Your Entire Website

HTTP → HTTPS everywhere

Why Forcing HTTPS Is Non-Negotiable

Installing an SSL certificate is only half the job. Without an HTTP-to-HTTPS redirect, visitors who type your domain without https:// or follow an old link still land on the unencrypted version of your site. Google treats HTTP and HTTPS as different URLs, so failing to redirect causes duplicate content issues and loses any link equity pointing to the HTTP version. Chrome marks HTTP pages as "Not secure" in the address bar, and modern browser security features like Secure cookies and Service Workers require HTTPS.

The redirect must be a 301 (permanent) not a 302 (temporary). A 301 tells search engines to transfer all ranking signals from the HTTP URL to the HTTPS version. A 302 does not transfer link equity and implies you might switch back to HTTP someday.

Redirect HTTP to HTTPS in Nginx

The cleanest approach is a dedicated HTTP server block that does nothing except redirect to HTTPS. Avoid placing the redirect inside a location block or using rewrite rules — a dedicated server block is simpler and performs better:

# HTTP server block — redirects everything to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;
    # Let Certbot validation pass before redirecting
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
# HTTPS server block handles all real traffic
server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;
    ssl_certificate     /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    # ... rest of config
}

Redirect with .htaccess (Apache)

For Apache-based stacks or servers where Apache handles PHP behind Nginx (like the CloudStick Nginx+Apache stack), .htaccess rules also work for the HTTPS redirect. Place this in your document root:

RewriteEngine On
# Skip redirect for ACME challenge
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge
# Redirect HTTP to HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Redirect www to non-www (optional)
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]

TIP

On servers behind a load balancer or Cloudflare proxy, %{HTTPS} may always be off even for HTTPS requests. In that case check %{HTTP:X-Forwarded-Proto} instead: RewriteCond %{HTTP:X-Forwarded-Proto} !https.

WordPress-Specific Steps

After setting up the server-level redirect, WordPress needs its site URLs updated. If you don't update them, WordPress will generate HTTP URLs in its HTML even though the connection is HTTPS, causing mixed content warnings:

# Update WordPress URLs via WP-CLI
wp option update siteurl https://yourdomain.com
wp option update home https://yourdomain.com
# Run search-replace to update all stored URLs in the database
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --all-tables

Fix Mixed Content After the Redirect

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets, iframes) over HTTP. Browsers either block these resources or show a security warning. After forcing HTTPS you'll want to audit for mixed content. The browser DevTools console shows blocked resources in red. For a full audit, tools like SSL Checker, Why No Padlock, or the Lighthouse audit in Chrome DevTools will flag every mixed content source. Fix them by updating URLs in your database, theme files, or plugin settings to use https:// or protocol-relative URLs (//example.com/asset.js).

CloudStick Handles This for You

When you enable SSL on a website in CloudStick, the HTTP-to-HTTPS redirect is configured automatically. CloudStick updates the Nginx vhost to add the 301 redirect in the HTTP server block and ensures the /.well-known/acme-challenge/ path remains accessible so future certificate renewals pass. For WordPress sites managed through CloudStick, the site URL update happens as part of the SSL activation flow, eliminating the manual WP-CLI steps. The entire process takes under 30 seconds from the dashboard.