How to force Roundcube to use SSL

roundcube ssl redirect

Roundcube is a web-based IMAP email tool. It simply allows you to browse and manipulate content from email server easily using your browser. However if you are a system administrator of if you have your own mail server it is highly recommended to use a SSL certificate when you are going to read your emails.

This way, you avoid interception of connection credentials and emails content, especially when you are connecting from free WiFi networks.

As you may have seen, roundcube is not redirecting HTTP traffic to HTTPS. So, what I will show you forward is how to do this thing, assuming that you already have installed certificate. If you don’t have a signed certificate then will be used default certificate generated by Apache web server. Please note that doing this will result in a browser warning.

Method 1:

This method is the most recommended and it applies to any Linux distribution using both Apache or Nginx.

All you have to do is to go to directory were roundcube is located >> config and edit file

Assuming that roundcube is installed in /var/www/roundcube, you will have this command: sudo vi /var/www/roundcube/

Now look for the following two lines and change from:

$config['use_https'] = false;


$config['use_https'] = true;

This method is the easiest and should work. However if it is not working (like in my case) you may want to try another approach. Please read bellow:


All what we do using this method is to redirect any HTTP traffic to our webmail to HTTPS directly from Apache web server! Please note that it works only if your server is powered by Apache!

This is possible to do this directly from apache .conf file, but we will do it a little bit simple using an .htaccess file.

All you have to do is to create a .htaccess file with the following content:

<IfModule mod_rewrite.c>
   RewriteEngine On 
   RewriteCond %{HTTPS} !=on
   RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

and place it on the root of roundcube directory, where php files are located. This will force any incoming request to use HTTPS instead of HTTP.

That’s all, now you can read your emails a little bit more safe!

5 Comments on "How to force Roundcube to use SSL"

  1. Bjarne says:

    Worked for me! Great when typing urls and forgetting https://

    Thanks 🙂

  2. Maxwell Smart says:

    I believe you are only supposed to use ‘use_https’ OR ‘force_https’, not both. Using the latter works for me…

  3. kerbi says:

    It works only for my if ‘use_https=true’ and ‘force_https=false’,
    Not both.

  4. Tom says:

    No wonder that Method 1 is not working to you. You should read the written description for config options. ‘use_https’ means:
    // tell PHP that it should work as under secure connection
    // even if it doesn’t recognize it as secure ($_SERVER[‘HTTPS’] is not set)
    // e.g. when you’re running Roundcube behind a https proxy
    // this option is mutually exclusive to ‘force_https’ and only either one of them should be set to true.

    DO NOT SET THIS. In normal environment it must be set to FALSE

  5. Kaj Kandler says:

    Maxwell is right, the documentation says the two options are mutually exclusive, so use one or the other, NOT both true at the same time.

    If you are using nginx, then you can add:

    # Redirect HTTP to HTTPS on the same port
    error_page 497 https://$host:$server_port$request_uri;

Got something to say? Go for it!