Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
changing to a secure website, ie, http to https
Howdi.
Has anyone had the experience of changing their txp site recently from http to https?
Is there a convenient guide somewhere?
And, I guess more fundamentally, is it worth it?
Offline
Re: changing to a secure website, ie, http to https
i recently did on a shopfiy site. I recall it is part of a setting in shopify, so it was easy to implement. i did as it is an eCommerce site.
…. texted postive
Offline
Re: changing to a secure website, ie, http to https
I run my own servers on providers that provide root access, Digital Ocean being my primary vendor.
I set up Let’s Encrypt to create and auto-renew SSL certs for ~40 domains and subdomains. There was an element of trial and error to get it working, but it’s set-and-forget now.
I created the original certs but didn’t set the sites to force SSL, so https visitors would be able to use them. After the first two renewals went through OK, I started to force SSL with this directive in .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]Offline
Re: changing to a secure website, ie, http to https
gaekwad wrote #300460:
I run my own servers on providers that provide root access, Digital Ocean being my primary vendor.
I set up Let’s Encrypt to create and auto-renew SSL certs for ~40 domains and subdomains. There was an element of trial and error to get it working, but it’s set-and-forget now.
I created the original certs but didn’t set the sites to force SSL, so https visitors would be able to use them. After the first two renewals went through OK, I started to force SSL with this directive in .htaccess:
RewriteEngine On...
Excellent. Thank you.
Not so difficult after all.
I’m considering this as I believe Google thinks more kindly of a secure address.
Last edited by detail (2016-08-02 20:07:12)
Offline
Re: changing to a secure website, ie, http to https
detail wrote #300474:
I’m considering this as I believe Google thinks more kindly of a secure address.
Offline
Re: changing to a secure website, ie, http to https
Finally instigated the process to become secure for a big 5 sites. Man, that is expensive, ie, the certificates.
But.
I am hosting 10 different domain names on one hosting account, as sub lets. It has one .ht access file.I want to make the .ht access force the secure addresses, websites with those certificates, but obviously not for those which are not secure.
I had a test with this code:
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]This forces all the websites to a https address.
How would I write this so that it forces https://website1 .co .nz and https://website2 .co .nz, but ignores http://website3 .co .nz ?
Offline
Re: changing to a secure website, ie, http to https
detail wrote #303788:
Finally instigated the process to become secure for a big 5 sites. Man, that is expensive, ie, the certificates.
Expensive? Try free: LetsEncrypt
I want to make the .ht access force the secure addresses, websites with those certificates, but obviously not for those which are not secure. How would I write this so that it forces https://website1 .co .nz and https://website2 .co .nz, but ignores http://website3 .co .nz ?
Something like this:
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^(website1\.co\.nz|website2\.co\.nz)$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]Offline
Re: changing to a secure website, ie, http to https
ruud wrote #303800:
Expensive? Try free: LetsEncrypt
I think I looked at that option, but my web host doesn’t allow it somehow.
Hooray, that looks straight forward. And oh so obvious if you know what you are doing.
Thanks muchly.
Last edited by detail (2017-02-02 19:49:44)
Offline
Re: changing to a secure website, ie, http to https
Unfortunately my host issues its own certificates and doesn’t allow automatic re-installation of free ones. Because the free certificates only have a 90 day life you would need to manually install them every month or so. I guess I am paying for the set and forget convenience.
Without Shell Access
The best way to use Let’s Encrypt without shell access is by using built-in support from your hosting provider. If your hosting provider offers Let’s Encrypt support, they can request a free certificate on your behalf, install it, and keep it up-to-date automatically. For some hosting providers, this is a configuration setting you need to turn on. Other providers automatically request and install certificates for all their customers.
Check our list of hosting providers to see if yours is on it. If so, follow their documentation to set up your Let’s Encrypt certificate.
. . .
If your hosting provider doesn’t want to integrate Let’s Encrypt, but does support uploading custom certificates, you can install Certbot on your own computer and use it in manual mode. In manual mode, you upload a specific file to your website to prove your control. Certbot will then retrieve a certificate that you can upload to your hosting provider. We don’t recommend this option because it is time-consuming and you will need to repeat it several times per year as your certificate expires. For most people it is better to request Let’s Encrypt support from your hosting provider, or switch providers if they do not plan to implement it.Offline
Re: changing to a secure website, ie, http to https
I’ve been testing the .ht access file code that Ruud suggested.
It’s interesting that two of my small websites are being forced loaded successfully. There’s the green secure and https coming up from the revised .ht access file. Great, they are my business sites that I wanted to be secure to boost my Google ranking. This is despite being a few insecure links on each page.
The two bigger, ie, 1000 page sites, with almost 4000 images, are not converting to https, and in fact are failing to load when you try with the https address. Seems that the high proportion of insecure links are making the site as a whole insecure.
I have been using the why no padlock website to test what links need to be updated.
This shows exactly what internal or external links are using a non-secure, http, address.
Have to now go through each txp page base code and update all non-secure links to new secure links.
Lucky it’s a long weekend here in NZ . . .
Offline