
Migrating to HTTPS

This document describes the steps you need to take to move your website from HTTP to HTTPS. The steps can be done at any pace, all in one day or one step a month. What matters is to carry them out in order.

Each step improves your server and is worthwhile on its own. To actually guarantee the safety of your visitors, however, you need to complete all of them.

Who is this manual for?


Administrators, developers and their managers who maintain sites that currently serve only HTTP and want to migrate to, or at least also support, HTTPS.

1: Getting and Installing Certificates


If you do not have certificates yet, pick a provider and buy one. There are now a few ways to get a certificate for free; for example, RapidSSL issues them. In addition, Mozilla has promised to start issuing free certificates in 2015.

Copy the certificates you received to your front-end server, for example under /etc/ssl (Linux/Unix) or the appropriate location for IIS (Windows). Keep the private key readable only by root (or the account the web server runs as), and never put it in a web-accessible directory or a version control repository.

2: Enable HTTPS on the server


Here you must decide between two options:

- IP-based hosting, where each host gets its own IP address
- dropping support for users of IE on Windows XP and of Android below version 2.3

Most sites use name-based virtual hosting, which saves IP addresses and is generally more convenient. The problem is that IE on Windows XP and old Android do not support Server Name Indication (SNI), and SNI is essential for HTTPS with name-based hosting: without it the server cannot tell which certificate to present before the TLS handshake completes.

Eventually these clients will die out. You can track how many of them visit your site and decide whether to keep supporting them.

Next, configure your web server to use the certificates you received. You can generate the server configuration with the Mozilla SSL Configuration Generator or with SSLMate.

If you have many hosts and subdomains, each of them needs the matching certificate installed. For subdomains a wildcard certificate such as *.domain.ru is more convenient; bear in mind that it covers only one level of subdomain, and that if its private key is compromised, every subdomain is affected at once.

Ideally, redirect all HTTP requests to HTTPS and enable HTTP Strict Transport Security (see steps 4 and 5).

Then test the site with the new settings using the Qualys SSL Server Test. Make sure the site earns an A or A+ rating.

3: Make all internal links relative


Now that your site runs on both HTTP and HTTPS, it needs to work regardless of the protocol. Otherwise you get mixed content: a page loaded over HTTPS that references resources served over HTTP. The browser then warns the user that the protection HTTPS provides is no longer complete.

By default, many browsers refuse to load mixed content at all. If the blocked resources are scripts or stylesheets, the page stops working. The reverse is fine: a page loaded over HTTP can include content served over HTTPS.

The fix is to replace absolute URLs with relative ones. Instead of this:

<h1>Welcome To Example.com</h1>
<script src="http://example.com/jquery.js"></script>
<link rel="stylesheet" href="http://assets.example.com/style.css"/>
<img src="http://img.example.com/logo.png"/>
<p>Read this nice <a href="http://example.com/2014/12/24/">new post on cats!</a></p>
<p>Check out this <a href="http://foo.com/">other cool site.</a></p>


write this:

<h1>Welcome To Example.com</h1>
<script src="//example.com/jquery.js"></script>
<link rel="stylesheet" href="//assets.example.com/style.css"/>
<img src="//img.example.com/logo.png"/>
<p>Read this nice <a href="//example.com/2014/12/24/">new post on cats!</a></p>
<p>Check out this <a href="http://foo.com/">other cool site.</a></p>


or, better still, this:

<h1>Welcome To Example.com</h1>
<script src="/jquery.js"></script>
<link rel="stylesheet" href="//assets.example.com/style.css"/>
<img src="//img.example.com/logo.png"/>
<p>Read this nice <a href="/2014/12/24/">new post on cats!</a></p>
<p>Check out this <a href="http://foo.com/">other cool site.</a></p>


All links should be relative, and the more relative the better. Where you can, drop the scheme (//example.com/jquery.js) or both scheme and host (/jquery.js). A scheme-relative URL only helps if the target host serves HTTPS as well, so check that before rewriting links to hosts you do not control.

Do this with scripts rather than by hand, and do not forget content that may live in databases, scripts, stylesheets, redirect rules and link tags. You can check the site for mixed content with the script by Bram van Damme.

Naturally, links to other sites do not need their protocol changed.

If your site uses scripts and other resources from third parties, such as a CDN or jquery.com, you have two options:

- also use protocol-relative URLs for them (this works only if the third party serves the resource over HTTPS)
- copy the resources to your own server, which is safer in any case
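The rewrite described in this step is easiest to do mechanically. The following script is an added example, not code from the original article or from the mixed-content checker it mentions: it rewrites absolute src/href/action URLs to the most relative form the text recommends (path-relative for the page's own host, scheme-relative for other hosts you control) and reports third-party http:// sub-resources that would become mixed content. The host names, the SAMPLE_PAGE markup and the cdn.thirdparty.invalid script are constructed for the demonstration.

```python
"""Step 3 helper: rewrite absolute same-site URLs to relative ones and report mixed content.

Added example, not part of the original article. Uses only the standard library.
"""
import re
from urllib.parse import urlsplit

# Tags whose src/href load a sub-resource into the page. An http:// URL here on an
# HTTPS page is mixed content: scripts and stylesheets are blocked by browsers,
# images and media are only warned about. <a href> and <form action> are navigation,
# not sub-resources, so they are never mixed content.
SUBRESOURCE_TAGS = {"script", "img", "link", "iframe", "source",
                    "video", "audio", "embed", "object"}

TAG_RE = re.compile(r"<(?P<tag>[a-zA-Z][\w-]*)(?P<attrs>[^>]*)>")
ABS_URL_RE = re.compile(
    r"""(?P<name>\b(?:src|href|action))(?P<eq>\s*=\s*)(?P<q>["'])"""
    r"""(?P<url>https?://[^"'\s]+)(?P=q)""",
    re.IGNORECASE,
)


def relativize(html, site_host, own_hosts=()):
    """Return (rewritten_html, mixed_content_urls).

    site_host: host the page is served from; URLs on it become path-relative
               ("/jquery.js"), the most relative form.
    own_hosts: other hosts you control that already serve HTTPS (asset or image
               subdomains); URLs on them become scheme-relative ("//host/path").
    Anything else is left untouched, and third-party http:// sub-resources,
    which you must either host yourself or fetch over HTTPS, are reported.
    """
    own = {site_host, *own_hosts}
    mixed = []

    def fix_tag(tag_match):
        tag = tag_match.group("tag").lower()

        def fix_attr(m):
            url = m.group("url")
            parts = urlsplit(url)
            host = parts.hostname or ""
            rest = parts.path or "/"
            if parts.query:
                rest += "?" + parts.query
            if parts.fragment:
                rest += "#" + parts.fragment
            if host == site_host:
                new = rest                         # drop scheme and host
            elif host in own:
                new = "//" + parts.netloc + rest   # drop only the scheme
            else:
                if parts.scheme.lower() == "http" and tag in SUBRESOURCE_TAGS:
                    mixed.append(url)
                return m.group(0)                  # third-party URL: leave as-is
            return f"{m.group('name')}{m.group('eq')}{m.group('q')}{new}{m.group('q')}"

        return ("<" + tag_match.group("tag")
                + ABS_URL_RE.sub(fix_attr, tag_match.group("attrs")) + ">")

    return TAG_RE.sub(fix_tag, html), mixed


# Constructed sample page: the article's example markup plus one third-party
# script that stays on http:// and therefore must be reported.
SAMPLE_PAGE = """<h1>Welcome To Example.com</h1>
<script src="http://example.com/jquery.js"></script>
<link rel="stylesheet" href="http://assets.example.com/style.css"/>
<img src="http://img.example.com/logo.png"/>
<p>Read this nice <a href="http://example.com/2014/12/24/">new post on cats!</a></p>
<p>Check out this <a href="http://foo.com/">other cool site.</a></p>
<script src="http://cdn.thirdparty.invalid/lib.js"></script>
"""

if __name__ == "__main__":
    page, mixed = relativize(SAMPLE_PAGE, "example.com",
                             own_hosts=("assets.example.com", "img.example.com"))
    print(page)
    for url in mixed:
        print("mixed content, fix by hand:", url)
```

Run it over every HTML template and stored page; the reported list is exactly the set of third-party resources you must either mirror on your own server or switch to an HTTPS source, as the two options above describe.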

4: Redirect from HTTP to HTTPS


Add the tag

 <link rel="canonical" href="https://…"/> 


to your pages. It tells search engines which version of the page is the canonical one.

Most web servers offer a simple way to redirect. There are instructions for Apache and for nginx. Use status code 301 (Moved Permanently), so that clients and search engines remember the move.

5: Enable Strict Transport Security and Secure Cookies


At this step you restrict the site to HTTPS only. HTTP Strict Transport Security (HSTS) tells clients to connect only over HTTPS, even when a link says http://. It protects against attacks such as SSL stripping and saves the redirect round trip from step 4. Note that a browser learns the policy only from a response it has already received over HTTPS, so a user's very first visit is still unprotected.

Make sure your TLS setup really works, for example that the certificate has not expired. Once HSTS is in place, any TLS error makes the site inaccessible, and browsers do not let users click through such errors.

Enable HSTS by sending the Strict-Transport-Security header. There are instructions for configuring it on all common servers.

Note: max-age is measured in seconds. Start with a small value and increase it as your confidence in the setup grows.

To make sure clients send cookies only over a secure channel, set the Secure flag on your cookies. There are instructions for doing this in every common framework and server.
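Steps 4 and 5 are easy to get subtly wrong (a 302 instead of a 301, an HSTS header without max-age, a session cookie that still lacks Secure), so it is worth checking the live responses. The script below is an added example, not code from the original article: it parses captured HTTP responses and reports anything that fails the redirect, HSTS and cookie requirements of these two steps. It goes slightly beyond the text by also flagging a missing includeSubDomains directive and a missing HttpOnly flag, both of which a practitioner would want. The BAD_*/GOOD_* responses are constructed for the demonstration, not captured from any real server, and the min_max_age threshold is a parameter you ramp up as the text recommends.

```python
"""Steps 4 and 5 check: audit captured HTTP responses for the redirect, HSTS and cookie flags.

Added example, not part of the original article. Uses only the standard library
and works on response text, so it runs offline.
"""
import re
from email.parser import Parser

HSTS_MAX_AGE_RE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers).

    headers is an email.message.Message, which gives case-insensitive lookup
    and get_all() for repeated headers such as Set-Cookie.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_text = head.partition("\r\n")
    status = int(status_line.split()[1])
    return status, Parser().parsestr(header_text)


def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains) from a Strict-Transport-Security value."""
    m = HSTS_MAX_AGE_RE.search(value)
    max_age = int(m.group(1)) if m else None
    directives = {d.strip().lower() for d in value.split(";")}
    return max_age, "includesubdomains" in directives


def check_redirect(status, headers, https_url):
    """Step 4: the plain-HTTP response must be a 301 straight to the https:// URL."""
    problems = []
    if status != 301:
        problems.append(f"expected 301 Moved Permanently, got {status}")
    location = headers.get("Location", "")
    if not location.startswith("https://"):
        problems.append(f"Location does not point at https://: {location!r}")
    elif location != https_url:
        problems.append(f"Location {location!r} is not the expected {https_url!r}")
    return problems


def check_hsts(headers, min_max_age):
    """Step 5: HSTS header present, with a max-age at or above the value you have ramped up to."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return ["Strict-Transport-Security header missing"]
    max_age, include_subdomains = parse_hsts(value)
    problems = []
    if max_age is None:
        problems.append("HSTS max-age directive missing; browsers ignore the header without it")
    elif max_age < min_max_age:
        problems.append(f"HSTS max-age {max_age}s is below the target {min_max_age}s")
    if not include_subdomains:
        problems.append("HSTS lacks includeSubDomains; subdomains stay reachable over plain HTTP")
    return problems


def check_cookies(headers):
    """Step 5: every cookie must carry Secure (and, as good practice, HttpOnly)."""
    problems = []
    for cookie in headers.get_all("Set-Cookie") or []:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            problems.append(f"cookie {name!r} lacks the Secure flag")
        if "httponly" not in attrs:
            problems.append(f"cookie {name!r} lacks HttpOnly")
    return problems


def audit(http_reply, https_reply, https_url, min_max_age=0):
    """Run all checks; an empty list means the responses pass."""
    status, headers = parse_response(http_reply)
    problems = ["http: " + p for p in check_redirect(status, headers, https_url)]
    status, headers = parse_response(https_reply)
    if status != 200:
        problems.append(f"https: expected 200, got {status}")
    problems += ["https: " + p for p in check_hsts(headers, min_max_age)]
    problems += ["https: " + p for p in check_cookies(headers)]
    return problems


# Constructed sample responses (not captured from a real server).
BAD_HTTP = "HTTP/1.1 302 Found\r\nLocation: http://www.example.com/\r\n\r\n"
BAD_HTTPS = ("HTTP/1.1 200 OK\r\n"
             "Content-Type: text/html\r\n"
             "Set-Cookie: session=abc123; Path=/\r\n\r\n")
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n"
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Content-Type: text/html\r\n"
              "Strict-Transport-Security: max-age=300; includeSubDomains\r\n"
              "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n\r\n")

if __name__ == "__main__":
    for label, http, https in (("before", BAD_HTTP, BAD_HTTPS), ("after", GOOD_HTTP, GOOD_HTTPS)):
        print(label, audit(http, https, "https://example.com/") or ["ok"])
```

Feed it the raw responses you get from the http:// and https:// URLs of your site (for instance from a curl -i capture) and raise min_max_age in step with the value you actually deploy; the check then fails the moment a deployment silently rolls the header back.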

Migration issues


Position in search results

Google gives sites that use HTTPS a ranking boost. Google also has instructions on how to move to HTTPS without losing search positions, and so does Bing.

Speed and performance

On a properly configured server the TLS overhead is usually small. To optimize it, read High Performance Browser Networking by Ilya Grigorik, and Ivan Ristić's OpenSSL Cookbook and Bulletproof SSL and TLS.

In some cases TLS even improves performance, namely when it lets you use HTTP/2.

Referer Headers

Browsers do not send a Referer header when users follow links from your HTTPS site to HTTP sites. If you do not want that:

- the other sites must also migrate to HTTPS. Point them to this guide; once they complete at least step 2, the situation improves.
- you can use the new Referrer Policy standard to control these headers

Since search engines have migrated to HTTPS, you will most likely receive more Referer headers once you switch to HTTPS yourself.

As the HTTP RFC puts it:

A user agent MUST NOT send a Referer header field in an unsecured HTTP request if the referring page was received with a secure protocol.

Monetization

If your site runs advertising, there is a catch: an HTTP iframe will not load on an HTTPS page. Until all advertisers move to HTTPS, site operators cannot switch without losing ad revenue; and as long as operators do not switch, advertisers have no incentive to move.

Advertisers should at least offer an HTTPS version of their services (it only takes step 2 of this guide), and many do. You may have to postpone step 4 until most of them support HTTPS properly.

Source: https://habr.com/ru/post/252507/
