Redirecting all variants of your domain to the https version

Written by nkgokul | Published 2018/09/27
Tech Story Tags: lets-encrypt | ssl | https | google | security


How do you know when it is finally time to make a change on your website that you can no longer postpone? Well, when Google starts penalising you.

I kept on postponing setting up https for my website https://www.bitfolio.org/. But since Google started penalising sites without https and Google Chrome started showing the "Not Secure" icon for all http sites, I thought it was finally time to set up an SSL certificate for my website.

Chrome says Not Secure

Let's Encrypt was a saviour both in terms of cost and ease of setup. The only downside is that the certificate needs to be renewed every three months. Once you are done with the setup you can check https://www.ssllabs.com/ssltest/analyze.html?d=bitfolio.org&latest to make sure that it is implemented correctly.

Once this was done I thought it should be easy going. But I was surprised that even after having worked for a couple of years in Drupal I was not completely aware of the full setup. I had always offloaded this part to my sysadmin. It took me some time to figure it out and the blogs I found were not really helpful. So I thought of putting it together here.

Assuming that I have a domain example.com, I would like to redirect all the variations of this domain to the https version.

There can be six variations: example.com, www.example.com, http://example.com, http://www.example.com, https://example.com, https://www.example.com.

I want to make sure that all these variations redirect to https://www.example.com.

example.com is the naked version of your domain www.example.com. Go to your domain provider and add an A record pointing to the IP of your server.

Add an A record

Add a CNAME record so that the www version also points to the same IP.

Add a CNAME record

Assuming you are running Apache (other servers have similar settings), go to your virtual host and make sure you add both ServerName and ServerAlias:

```apache
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    # ... the rest of your existing virtual host configuration ...
</VirtualHost>
```

This will make sure that your server listens for both the naked domain and the www domain and points them to your code folder for execution.

Now go to your .htaccess file and make sure that it contains the following code:

```apache
RewriteEngine on

# Set "protossl" to "s" if we were accessed via https://. This is used later
# if you enable "www." stripping or enforcement, in order to ensure that
# you don't bounce between http and https.
RewriteRule ^ - [E=protossl]
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=protossl:s]
```

This code just sets a flag called protossl to "s" if you visited using https. This ensures that you don't go into infinite redirections between http and https, as mentioned in the comments.

Comment out all other settings related to http and https redirection, then add the following:

```apache
# Rewrite http(s)://example.com to https://www.example.com
RewriteCond "%{HTTP_HOST}" "!^www\." [NC]
RewriteCond "%{HTTP_HOST}" "!^$"
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Rewrite http://www.example.com to https://www.example.com
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

This code was provided by https://www.drupal.org/u/mdrescher on https://www.drupal.org/forum/support/post-installation/2018-04-15/forcing-to-https#comment-12723535. Check out his comments on why you need two different rules.

These changes will make sure that all six variations (example.com, www.example.com, http://example.com, http://www.example.com, https://example.com, https://www.example.com) redirect to https://www.example.com.

I hope this saves time for somebody who is moving to https. https is good for the internet overall. Do take out some time this weekend to move your sites to https.

This section was added based on a comment by Ilias.

Ilias el Matani suggested HSTS and I spent some time looking into it. 302 redirects manually redirect http requests to https. But they also leave a window for attackers to eavesdrop. HSTS preloading makes sure that browsers know the website uses https, through a header sent to the browser.

“This sets the Strict-Transport-Security policy field parameter. It forces those connections over HTTPS encryption, disregarding any script’s call to load any resource in that domain over HTTP.”

You can read more about it on https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/

To enable HSTS, run `apachectl -M` and make sure the headers module is enabled. If it is not, use `sudo a2enmod headers` to enable it.

Add the following to your .htaccess file:

```apache
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
```

Once you are done with the changes visit https://hstspreload.org/?domain=bitfolio.org to check the status of your domain. If everything is fine then you can submit the form to include your domain in the preload list.

To make it compatible with the suggestions provided, I had to comment out the first part of the .htaccess code:

```apache
# Rewrite http(s)://example.com to https://www.example.com
#RewriteCond "%{HTTP_HOST}" "!^www\." [NC]
#RewriteCond "%{HTTP_HOST}" "!^$"
#RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Rewrite http://www.example.com to https://www.example.com
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

While this makes sure that you are always redirected to the https version and HSTS is enabled, it treats the www and naked versions as different sites. I am still checking if there is a way around this. If you have figured this out, please comment.
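To see what the two rule pairs above do to each of the six variants, and what changes once the first pair is commented out, here is an added example that simulates just those RewriteCond/RewriteRule lines (it is not the post's own code and does not run Apache). It also checks the one property the hstspreload.org checker looks for in the http-to-https hop, namely that the redirect stays on the same host, which is why the www rule had to go.

```python
"""Simulate the post's .htaccess rule pairs for the domain variants.
Added example: models only the RewriteCond/RewriteRule lines shown above."""
from urllib.parse import urlsplit, urlunsplit


def apply_rules(url, force_www):
    """Return the redirect target for one request, or None if no rule fires.
    force_www models the first pair (non-www host -> https://www.host);
    the second pair (%{HTTPS} off -> https://host) is always active."""
    parts = urlsplit(url)
    host, https_on = parts.netloc, parts.scheme == "https"
    # Pair 1: RewriteCond !^www\. and !^$ -> https://www.%{HTTP_HOST}%{REQUEST_URI}
    if force_www and host and not host.lower().startswith("www."):
        return urlunsplit(("https", "www." + host, parts.path, parts.query, ""))
    # Pair 2: RewriteCond %{HTTPS} off -> https://%{HTTP_HOST}%{REQUEST_URI}
    if not https_on:
        return urlunsplit(("https", host, parts.path, parts.query, ""))
    return None


def follow(url, force_www, limit=5):
    """Follow redirects until none fires; returns (final_url, hops).
    The hop limit catches the http<->https bounce the post warns about."""
    hops = 0
    while hops < limit:
        nxt = apply_rules(url, force_www)
        if nxt is None:
            return url, hops
        url, hops = nxt, hops + 1
    raise RuntimeError("redirect loop starting at %s" % url)


# Bare "example.com" / "www.example.com" typed into a browser are the
# http:// cases, so these four URLs cover all six variants from the post.
VARIANTS = ["http://example.com/", "http://www.example.com/",
            "https://example.com/", "https://www.example.com/"]


def summarize(force_www):
    """Map each variant to the URL it finally lands on."""
    return {v: follow(v, force_www)[0] for v in VARIANTS}


def http_hop_stays_on_host(url, force_www):
    """True if the first http->https hop keeps the same host (the preload
    checker requires this for the base domain)."""
    nxt = apply_rules(url, force_www)
    return nxt is not None and urlsplit(nxt).netloc == urlsplit(url).netloc


if __name__ == "__main__":
    for force_www in (True, False):
        print("www enforced" if force_www else "www rule commented out")
        for src, dst in summarize(force_www).items():
            print("  %-26s -> %s" % (src, dst))
```

With the www rule active every variant ends at https://www.example.com/ in at most one hop; with it commented out, https://example.com/ stays where it is, which is the www-versus-naked difference noted above.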


Written by nkgokul | Inquisitive, student, teacher and a wanna be story teller. Working on https://learningpaths.io/
Published by HackerNoon on 2018/09/27