1. Look for this line in your .htacess file - "# If you must add RewriteRules to change hostname, add them directly below (above all the others)". You need to add the rewrite rule below this line.

2. This is how I handle my rewrite

#First redirect all Http request to https
#Ensure that we exclude any sub-domains
RewriteCond %{HTTP_HOST} ^(www\.)?campuskarma.in$ [NC]
RewriteCond %{HTTPS} off
RewriteRule ^ https://www.campuskarma.in%{REQUEST_URI} [NC,L,R]
#Secondly redirect all non-www to www
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [NC,L,R]

The above code will do 3 things, first it will redirect all the http request to https, it will not add any https to any sub-domain and it will redirect all non-www request to www request.

3. Nope, you need to keep https in the advance setting otherwise it will lead to unnecessary redirection based on your .htaccess rewrite rule.

4. Nope, you don't have to do anything at database level.

Rohit Sir,

Thanks for your kind reply and detailed step by step instruction. I read it today just few mins back, but  I have already made changes in a bit different way and its working, but now confused after reading your post  that if I should change it the way you have detailed in your step by step instruction.

I would like to first share the way I have done it in Elgg 2.3.8.

1. First, I changed the http to https in advance option of Admin Menu. Saved it and ran an update. Logged into my DB and saw that "https" instead of http. At this stage my site was not automatically redirecting all request to https, but when I logged in, it showed https. Logged out and cleared the cookies. and same situation that its not automatically redirecting to https. 

2. Secondly, to correct it, I edited the .httaccess file and added:

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Immediately after 

I############################
# REWRITE RULES
<IfModule mod_rewrite.c>
RewriteEngine on

3. Saved the file. Ran an update, and now I see the followings:

a. All non www and http requests are automatically redirecting to https://www.myhotfb.com/ as a standard. I also see a green lock.

3. Optionally, I updated the elgg.cron.1min.plist  file and changed the http to 

<string>https://www.myhotfb.com/cron/run/</string>

and then also updated google webmaster tools.

Now that you have read what i have done, please advice if I should make changes as per your detailed instruction. Just for your review, here is the complete .httaccess file, where I have added some extra MIMEs as well, but I don't think they are useful.

# Elgg htaccess directives


# Don't allow listing directories

Options -Indexes


# Follow symbolic links

Options +FollowSymLinks


# Default handler

DirectoryIndex index.php



############################

# BROWSER CACHING


# Make sure .ico has proper MIME type, allowing mod_expires to handle them.

<IfModule mod_mime.c>

 AddType image/vnd.microsoft.icon .ico

# AddType TYPE/SUBTYPE EXTENSION - jPlayer

 AddType audio/mpeg mp3

 AddType audio/mp4 m4a

 AddType audio/ogg ogg

 AddType audio/ogg oga

 AddType audio/webm webma

 AddType audio/wav wav

 AddType video/mp4 mp4

 AddType video/mp4 m4v

 AddType video/ogg ogv

 AddType video/webm webm

 AddType video/webm webmv

</IfModule>


# The expires module controls the Expires and Cache-Control headers. Elgg sets

# these for dynamically generated files so this is just for static files.

<IfModule mod_expires.c>

ExpiresActive On

ExpiresDefault "access plus 1 year"

</IfModule>


# Conditional requests are controlled through Last-Modified and ETag headers.

# Elgg sets these on dynamically generated cacheable files so this is just for

# static files. Note: Apache sends Last-Modified by default on static files so

# I don't think we need to be sending ETag for these files.

<FilesMatch "\.(jpg|jpeg|gif|png|mp3|flv|mov|avi|3pg|html|htm|swf|js|css|ico)$">

FileETag MTime Size

</FilesMatch>



############################

# PHP SETTINGS

# Don't forget to keep these two IfModules in sync!

#

<IfModule mod_php5.c>

# If using PHP 5.6


# limit the maximum memory consumed by the php script to 64 instead 128 MB

php_value memory_limit 128M

# post_max_size is the maximum size of ALL the data that is POST'ed to php at a time (8 instead 64 MB converted to Bytes (in binary))

php_value post_max_size 67108864

# upload_max_filesize is the maximum size of a single uploaded file (5 instead 32 MB converted to Bytes (in binary))

php_value upload_max_filesize 33554432

# on development servers, set to 1 to display errors. Set to 0 on production servers.

php_value display_errors 0

</IfModule>

<IfModule mod_php7.c>

# If using PHP 7.x // Synced as per 5.6 with PHP 7.0 converted to Bytes (in binary)


# limit the maximum memory consumed by the php script to 64/128 MB

php_value memory_limit 128M

# post_max_size is the maximum size of ALL the data that is POST'ed to php at a time (8/64 MB)

php_value post_max_size 67108864

# upload_max_filesize is the maximum size of a single uploaded file (5/32 MB)

php_value upload_max_filesize 33554432

# on development servers, set to 1 to display errors. Set to 0 on production servers.

php_value display_errors 0

</IfModule>



############################

# COMPRESSION


# Turn on mod_gzip if available

<IfModule mod_gzip.c>

mod_gzip_on yes

mod_gzip_dechunk yes

mod_gzip_keep_workfiles No

mod_gzip_minimum_file_size 1000

mod_gzip_maximum_file_size 1000000

mod_gzip_maximum_inmem_size 1000000

mod_gzip_item_include mime ^text/.*

mod_gzip_item_include mime ^application/javascript$

mod_gzip_item_include mime ^application/x-javascript$

# Exclude old browsers and images since IE has trouble with this

mod_gzip_item_exclude reqheader "User-Agent: .*Mozilla/4\..*\["

mod_gzip_item_exclude mime ^image/.*

</IfModule>


## Apache2 deflate support if available

##

## Important note: mod_headers is required for correct functioning across proxies.

##

<IfModule mod_deflate.c>

AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript image/svg+xml

BrowserMatch ^Mozilla/4 gzip-only-text/html

BrowserMatch ^Mozilla/4\.[0678] no-gzip

BrowserMatch \bMSIE !no-gzip


<IfModule mod_headers.c>

Header append Vary User-Agent env=!dont-vary

</IfModule>


# The following is to disable compression for actions. The reason being is that these

# may offer direct downloads which (since the initial request comes in as text/html and headers

# get changed in the script) get double compressed and become unusable when downloaded by IE.

SetEnvIfNoCase Request_URI action\/* no-gzip dont-vary

SetEnvIfNoCase Request_URI actions\/* no-gzip dont-vary


</IfModule>



############################

# REWRITE RULES


<IfModule mod_rewrite.c>


RewriteEngine on

RewriteCond %{HTTPS} off

RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


# If Elgg is in a subdirectory on your site, you might need to add a RewriteBase line

# containing the path from your site root to elgg's root. e.g. If your site is

# http://example.com/ and Elgg is in http://example.com/sites/elgg/, you might need

#

#RewriteBase /sites/elgg/

#

# here, only without the # in front.

#

# If you're not running Elgg in a subdirectory on your site, but still getting lots

# of 404 errors beyond the front page, you could instead try:

#

#RewriteBase /



# If your users receive the message "Sorry, logging in from a different domain is not permitted"

# you must make sure your login form is served from the same hostname as your site pages.

# See http://learn.elgg.org/en/stable/appendix/faqs/general.html#login-token-mismatch for more info.

#

# If you must add RewriteRules to change hostname, add them directly below (above all the others)


# explicity allow access for the .well-known directory

RewriteRule "^.well-known/" - [L]


# hide all dot files/dirs (.git)

RewriteRule (^\.|/\.) - [F]


# Everything else that isn't a file gets routed through Elgg

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule ^(.*)$ index.php?__elgg_uri=$1 [QSA,L]

</IfModule>

Rohit Sir,

My Site acting funny.... sometimes, it redirected non www to www but not always, as a result i got both types of redirection https: with www, and non www..Additionally, the green lock disappeared for a while, and then again came back, and even one time gave me warning that site is not properly configured for ssl.

so, i took you advice, and changed it to following

# If you must add RewriteRules to change hostname, add them directly below (above all the others)
#First redirect all Http request to https
#Ensure that we exclude any sub-domains
RewriteCond %{HTTP_HOST} ^(www\.)?myhotfb.com$ [NC]
RewriteCond %{HTTPS} off
RewriteRule ^ https://www.myhotfb.com%{REQUEST_URI} [NC,L,R]
#Secondly redirect all non-www to www
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [NC,L,R]
# explicity allow access for the .well-known directory 
RewriteRule "^.well-known/" - [L]

Note, the bottom two lines were already there and since you didn't mention anything, I kept it the way it was. 

I have truncated the following lines which were suggested by the web hosting support.

#RewriteCond %{HTTPS} off 
#RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Let's see what happens now. I hope it will work as you have suggested. But curious about one thing. Why did we turn of https for sub domain. What if I need to have https for my subdomain in future for some projects like dating.myhotfb.com? You have already helped me and educated me on https/ ssl. I would appreciate if you kindly educate me a little more about what advantage did we gain by turning off https for sub domain.

Thanking you in anticipation.