How do you know when it is finally time to change something on your website and you can no longer postpone it? Well, when Google starts penalising.
I kept on postponing setting up https for my website https://www.bitfolio.org/. But since Google started penalising sites without https and Google Chrome started showing the not safe icon for all the http sites, I thought of finally setting up an SSL certificate for my website.
Let's Encrypt was a saviour both in terms of cost and ease of setup. The only downside is that it needs to be renewed every three months. Once you are done with the setup you can check https://www.ssllabs.com/ssltest/analyze.html?d=bitfolio.org&latest to make sure that it is implemented correctly.
Once this was done I thought it should be an easy go. But I was surprised that even after having worked for a couple of years in Drupal I was not completely aware of the full setup. I always offloaded this section to my sysadmin. It took me some time to figure it out and the blogs I found were not really helpful. So I thought of putting it together here.
Assuming that I have a domain example.com, I would like to redirect all the variations of this domain to the https version.
There can be six variations: example.com, www.example.com, http://example.com, http://www.example.com, https://example.com, https://www.example.com.
I want to make sure that all these variations redirect to https://www.example.com.
example.com is the naked version of your domain www.example.com. Go to your domain provider and add an A record pointing to the IP of your server.
Add a CNAME record for www so that the www version also resolves to the same IP.
Assuming you are running Apache (there will be similar settings in all servers), go to your virtual host and make sure you add both ServerName and ServerAlias:

    <VirtualHost *:80>
        ServerName example.com
        ServerAlias www.example.com
        # ... the rest of your existing virtual host settings ...
    </VirtualHost>

This will make sure that your server listens for both the naked domain and the www domain and points them to your code folder for execution.
Now go to your .htaccess file and make sure that you have the following code:

    RewriteEngine on

    # Set "protossl" to "s" if we were accessed via https://. This is used later
    # if you enable "www." stripping or enforcement, in order to ensure that
    # you don't bounce between http and https.
    RewriteRule ^ - [E=protossl]
    RewriteCond %{HTTPS} on
    RewriteRule ^ - [E=protossl:s]

This code just sets a flag called protossl to s if you have visited using https. This will ensure that you don't go into infinite redirections between http and https, as mentioned in the comments.
Comment out all other settings related to http and https redirection. Then add the following:

    #
    # Rewrite http(s)://example.com to https://www.example.com
    #
    RewriteCond "%{HTTP_HOST}" "!^www\." [NC]
    RewriteCond "%{HTTP_HOST}" "!^$"
    RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    #
    # Rewrite http://www.example.com to https://www.example.com
    #
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This code was provided by https://www.drupal.org/u/mdrescher on https://www.drupal.org/forum/support/post-installation/2018-04-15/forcing-to-https#comment-12723535. Check out his comments on why you need two different rules.
These changes will make sure that all six variations (example.com, www.example.com, http://example.com, http://www.example.com, https://example.com, https://www.example.com) redirect to https://www.example.com.
Hope it will save time for somebody who is moving to https. https is good for the overall internet. Do take out some time this weekend to move your sites to https.
This section was added based on a comment by Ilias.
Ilias el Matani suggested HSTS and I spent some time looking into it. 302 redirects manually redirect http requests to https, but they also leave a window for hackers to eavesdrop. HSTS preloads make sure that browsers are aware that the website uses https through the header sent to the browsers.
"This sets the Strict-Transport-Security policy field parameter. It forces those connections over HTTPS encryption, disregarding any script's call to load any resource in that domain over HTTP."
You can read more about it on https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/
To enable HSTS, run apachectl -M and make sure the headers module is enabled. If not, use sudo a2enmod headers to enable it.
Add the following in your .htaccess file:

    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

Once you are done with the changes visit https://hstspreload.org/?domain=bitfolio.org to check the status of your domain. If everything is fine then you can submit the form to include your domain in the preload list.
To make it compatible with the suggestions provided I had to comment out the first part in the htaccess code:

    #
    # Rewrite http(s)://example.com to https://www.example.com
    #
    #RewriteCond "%{HTTP_HOST}" "!^www\." [NC]
    #RewriteCond "%{HTTP_HOST}" "!^$"
    #RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    #
    # Rewrite http://www.example.com to https://www.example.com
    #
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

While this makes sure that you are always redirected to the https version and HSTS is enabled, it considers www and naked versions as different. I am still checking if there is a way around this. If you have figured this out please comment.
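The trade-off described above can be reproduced offline. The following Python model is an added example, not code from the original article: it mimics the two rewrite rules, follows the redirect chain for each scheme and host combination, and checks that every start URL ends at https://www.example.com/ and that a plain-http request is first upgraded on the same host, which is the redirect requirement hstspreload.org lists. The `reordered` rule set (https rule first, www rule second) and all function names are assumptions of this example.

```python
from urllib.parse import urlsplit

CANONICAL = "https://www.example.com/"

def force_www(scheme, host, path):
    # Models: RewriteCond "%{HTTP_HOST}" "!^www\." [NC]  ->  https://www.<host><uri>
    return None if host.startswith("www.") else f"https://www.{host}{path}"

def force_https(scheme, host, path):
    # Models: RewriteCond %{HTTPS} off  ->  https://<host><uri>
    return f"https://{host}{path}" if scheme == "http" else None

RULESETS = {
    "original": [force_www, force_https],   # both rules, in the article's order
    "https_only": [force_https],            # first rule commented out
    "reordered": [force_https, force_www],  # assumption of this example
}

def chain(url, rules, max_hops=5):
    """Follow 301s like a browser; the first matching rule answers each request ([L])."""
    hops = [url]
    while len(hops) <= max_hops:
        u = urlsplit(hops[-1])
        targets = [t for t in (rule(u.scheme, u.hostname, u.path) for rule in rules) if t]
        if not targets:
            return hops
        hops.append(targets[0])
    raise RuntimeError("redirect loop")

def audit(rules):
    """Map each start URL to (ends at canonical URL, http is upgraded on the same host)."""
    report = {}
    for scheme in ("http", "https"):        # constructed sample: four scheme/host pairs
        for host in ("example.com", "www.example.com"):
            hops = chain(f"{scheme}://{host}/", rules)
            upgraded = scheme == "https" or (len(hops) > 1 and hops[1] == f"https://{host}/")
            report[hops[0]] = (hops[-1] == CANONICAL, upgraded)
    return report

def passes(name):
    return all(ok and up for ok, up in audit(RULESETS[name]).values())

if __name__ == "__main__":
    for name, rules in RULESETS.items():
        print(name, "PASS" if passes(name) else "FAIL")
        for start, (canonical, upgraded) in audit(rules).items():
            print(f"  {start:<26} canonical={canonical} same-host-upgrade={upgraded}")
```

In this model only the reordered set passes both checks: http://example.com/ is upgraded to https://example.com/ first and then redirected to https://www.example.com/.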
Redirecting all variants of your domain to https Version was originally published in Hacker Noon on Medium, where people are continuing the conversation by highlighting and responding to this story.