How to Move a Website from HTTP to HTTPS
HTTPS is the standard of encryption that you must use if you care about your customers. This article will guide you through the move from HTTP to HTTPS on different types of servers with the help of a few simple commands.

To ensure stable website performance and advanced security, you should deploy modern encryption methods, and switching to HTTPS is an essential step in this direction. This article covers some important aspects you need to consider when deciding to make the switch.

A short historic reference

HTTPS turned into a buzzword back in 2014 after the spread of the Heartbleed bug, which allowed ill-intentioned users to observe the traffic delivered via SSL/TLS. It also gave them the opportunity to read and hijack data. The bug was patched soon after its discovery, but the incident showed that proper encryption of user information had become a dire necessity, not just an optional thing.

To draw users’ attention to the importance of encrypting sensitive data, Google Chrome has started to display a warning near the address bar on websites that don’t encrypt sensitive data (for instance, forms).

How to make the switch?

How do you move your website to HTTPS easily? Once you decide to do it, there are some things you need to take care of to keep your website working flawlessly.
  • First, you should change all internal links, and don’t forget to update links to assets, if necessary. Go through your themes and look for references to JavaScript files, CSS and images. Alternatively, you can make your links start with // instead of https://, which makes them protocol-relative URLs.
  • You need to make sure your CDN supports SSL encryption: many providers make it easy to set up SSL on CDN subdomains.
  • You should have a canonical link present in the <head> section of your site to redirect the incoming traffic from http:// to https://.
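
One way to audit the first and third points before the switch, as an added example that is not from the original article: a scanner that lists hard-coded http:// references in a page, separating assets that would be loaded as mixed content from internal links and canonical tags that still point at http://. The host your-site.com, the sample page and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that make the browser load a subresource.
LOADS = {("script", "src"), ("img", "src"), ("iframe", "src"),
         ("source", "src"), ("video", "src"), ("audio", "src")}

class HttpLinkFinder(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        for name, value in attrs:
            url = urlsplit(value or "")
            if url.scheme != "http":
                continue  # https://, protocol-relative // and relative paths pass
            if tag == "link" and name == "href":
                loads = "stylesheet" in rel or "icon" in rel
            else:
                loads = (tag, name) in LOADS
            if loads:
                kind = "mixed-content"  # asset fetched over plain HTTP
            elif (url.hostname or "").lower() in self.own_hosts:
                kind = "internal-link"  # link, form target or canonical to update
            else:
                continue  # external http:// link, not ours to rewrite
            self.findings.append((self.getpos()[0], kind, tag, value))

def find_http_links(html, own_hosts):
    finder = HttpLinkFinder(own_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page for the placeholder host your-site.com.
SAMPLE = """<html><head>
<link rel="canonical" href="http://your-site.com/">
<link rel="stylesheet" href="http://your-site.com/css/main.css">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="http://cdn.example.net/logo.png">
<a href="http://your-site.com/pricing">Pricing</a>
<a href="http://other.example.org/">Partner</a>
</body></html>"""
```

Each finding is a (line, kind, tag, url) tuple, so the result can be fed straight into a report or a search-and-replace pass over the templates.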
Advice on how to move to HTTPS without affecting ranking will come in handy for both beginners and advanced webmasters.

Will my ranking be influenced?

Many users ask, “Can you benefit from moving your website to HTTPS and SSL? Are there any outcomes?” In fact, switching from HTTP to HTTPS can slightly affect your rankings if you don’t plan everything beforehand. But in the long term, moving to HTTPS is beneficial for ranking. Since 2014, Google has considered the presence of an SSL certificate a positive ranking factor, so the move is definitely worth the effort.

To ensure that Googlebot can re-index your website faster after the move, it’s better to migrate to https:// during a low-traffic period. That way, Googlebot can use more of your server’s resources. For a medium-sized website, it will take some time to restore rankings. If you have a sitemap, Googlebot will re-index your website much more quickly.

How to set up HTTPS & SSL on your server

Hosting providers offer a service that allows you to enable HTTPS and order a certificate. There are several types of certificates to select from, and they differ slightly. Each variant also has a different price, so before opting for one, you should figure out which certificate fits your requirements and budget.

If you’re short of cash and have moderate technical knowledge, you can try Let’s Encrypt to acquire a free certificate.

If you’re in charge of your own web server, there are several things to configure on the server before activating your SSL certificates. Here are the steps to take to adjust your server.

OCSP stapling

Checking the validity of an SSL certificate can slightly affect loading speed. To avoid that, you can use OCSP stapling, a feature that lets the server download a copy of the certificate vendor’s response to the validity check. Once a browser connects to the server, it then checks the validity of the certificate based on this copy instead of sending its own request to the vendor. That boosts performance considerably.

Apache

Prior to enabling OCSP stapling on your Apache server, check that you run version 2.3.3+ of Apache. How to do that? Run the command apache2 -v (or httpd -v) on your server. Lower Apache versions aren’t compatible with this feature.

VirtualHost

If you have completed the process of setting up HTTPS on your server as described above, you now need to adjust the VirtualHost configuration for HTTPS and SSL.

Open the file and perform the following steps:
  1. Add SSLUseStapling on inside the <VirtualHost></VirtualHost> section.
  2. Above the <VirtualHost></VirtualHost> section, add SSLStaplingCache shmcb:/tmp/stapling_cache(128000).
  3. Run apachectl -t to make sure that the configuration is valid. If it is, reload Apache with service apache2 reload.

Nginx

Nginx also supports OCSP stapling, in versions 1.3.7 and higher. If you have set up HTTPS on your server, you can proceed to the Nginx configuration. In the file, add the following lines in the server {} section:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;

The last line points to a file with the list of trusted CA certificates. It is used to verify client certificates and OCSP responses when stapling is enabled.

Once the lines are added to the file, check whether the configuration is still valid by running nginx -t. If it is, reload Nginx with the nginx -s reload command.
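
To confirm that stapling is actually served after the reload, you can save the output of openssl s_client -connect your-site.com:443 -servername your-site.com -status and classify it. The following is an added example, not part of the original article; the function name, the result labels and the sample outputs (constructed and trimmed to the relevant lines) are assumptions.

```python
import re
from datetime import datetime, timezone

def stapling_status(output, now):
    """Classify saved `openssl s_client -status` output."""
    if "OCSP response: no response sent" in output:
        return "not-stapled"
    status = re.search(r"OCSP Response Status:\s*(\w+)", output)
    cert = re.search(r"Cert Status:\s*(\w+)", output)
    if not status or not cert:
        return "unknown"
    if status.group(1) != "successful":
        return "responder-error"
    if cert.group(1) != "good":
        return "cert-" + cert.group(1)  # for example cert-revoked
    # A stapled response past its Next Update time is rejected by clients.
    nxt = re.search(r"Next Update:\s*(.+?) GMT", output)
    if nxt:
        expires = datetime.strptime(nxt.group(1), "%b %d %H:%M:%S %Y")
        if expires.replace(tzinfo=timezone.utc) <= now:
            return "stale"
    return "good"

# Constructed samples in the shape of s_client output, trimmed.
STAPLED = """OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jun 10 09:00:00 2024 GMT
    Next Update: Jun 17 09:00:00 2024 GMT
"""
NOT_STAPLED = "CONNECTED(00000003)\nOCSP response: no response sent\n"

if __name__ == "__main__":
    print(stapling_status(STAPLED, datetime.now(timezone.utc)))
```

A "not-stapled" result right after a reload can be transient, because the server may only fetch the OCSP response after the first handshakes; repeat the check before treating it as a configuration error.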

Strict Transport Security header

The Strict Transport Security header (HSTS) is one more feature that makes browsers use HTTPS instead of HTTP. Enabling this feature is pretty easy.

Apache

First, enable the Apache Headers module with a2enmod headers. After that, you just need to add one line to your VirtualHost configuration in the <VirtualHost></VirtualHost> section:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Now you only need to reload Apache.

Nginx

If you use Nginx, you need to add the following line in the server {} section:

add_header Strict-Transport-Security max-age=31536000;

To check whether your SSL certificate is functioning correctly, you can go to SSL Labs, fill in the domain name and see the score you get.

Redirecting URLs

To make sure that requests are properly redirected to the HTTPS URL, you should add a few extra lines to your configuration. They will automatically redirect the incoming traffic to HTTPS.

Apache

Open the default VirtualHost configuration, and add the following lines to ensure proper redirection of URLs:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Just like in the above-mentioned cases, don’t forget to reload Apache.

Nginx

When it comes to Nginx, you need to change the default configuration file that’s used for HTTP requests:

server {
    listen 80;
    server_name your-site.com www.your-site.com;
    return 301 https://your-site.com$request_uri;
}

Reload Nginx before testing these alterations.
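
To test the redirect and the Strict Transport Security header together, capture the response headers from port 80 and port 443 (for example with curl -sI) and check them. The following is an added example, not part of the original article; the function names and the constructed sample responses are assumptions. It also checks that the redirect target is one of the site's own hostnames, because the Apache rule above builds the target from the request's Host header.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # max-age used in the article's header examples

def parse_head(raw):
    """Return (status, {lowercased header name: value}) from a raw response head."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def parse_hsts(value):
    """Return (max_age or None, include_subdomains) from an HSTS header value."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            max_age = int(arg.strip('"'))
        elif name.lower() == "includesubdomains":
            subdomains = True
    return max_age, subdomains

def check_migration(http_raw, https_raw, site_hosts):
    issues = []
    status, headers = parse_head(http_raw)
    target = urlsplit(headers.get("location", ""))
    if status != 301:
        issues.append(f"port 80 answered {status}, not a permanent 301")
    if target.scheme != "https" or target.hostname not in site_hosts:
        issues.append("redirect target is not an https:// URL on this site")
    _, headers = parse_head(https_raw)
    max_age, subdomains = parse_hsts(headers.get("strict-transport-security", ""))
    if max_age is None:
        issues.append("HTTPS response has no usable Strict-Transport-Security header")
    elif max_age < ONE_YEAR:
        issues.append(f"HSTS max-age {max_age} is below {ONE_YEAR}")
    elif not subdomains:
        issues.append("note: HSTS does not cover subdomains (no includeSubDomains)")
    return issues

# Constructed response heads for the placeholder host your-site.com.
HTTP_OK = "HTTP/1.1 301 Moved Permanently\nLocation: https://your-site.com/shop?id=7\n"
HTTPS_OK = "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=31536000; includeSubDomains\n"
HTTP_BAD = "HTTP/1.1 302 Found\nLocation: http://your-site.com/shop?id=7\n"
HTTPS_BAD = "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=31536000\n"
```

HTTPS_BAD carries the same header value as the Nginx line above, so the only finding for it is the note that subdomains are not covered, unlike the Apache header.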

Bottom line

If you still doubt whether you should switch to HTTPS, don’t hesitate: you definitely should. HTTPS encrypts users’ private information that’s sent across the web and delivers it in a more secure way. HTTPS is especially necessary for those who handle transactions online.

The type of certificate depends on your budget and requirements. Take your time and find a perfect solution!
