HTTPS Upgrade Guide


In the previous article I introduced the HTTP/2 protocol, which browsers only support over HTTPS.

So before you can upgrade to HTTP/2 you must enable HTTPS. If you are not familiar with HTTPS (HTTP carried over TLS, the protocol formerly known as SSL), you can refer to my previous articles:

  • Overview of the HTTPS protocol
  • Illustrated HTTPS protocol
  • Seven misconceptions about the HTTPS protocol
  • How much latency does the HTTPS protocol add?

This article describes how to upgrade an HTTP Web site to HTTPS.

I. Obtain a certificate

The first step in upgrading to the HTTPS protocol is to obtain a certificate.

A certificate is a file containing a public key, the domain name(s) it is bound to, a validity period and other metadata, all signed by a certificate authority (CA). You can buy one from a CA or a reseller such as:

  • Gogetssl
  • Ssls.com
  • Sslmate.com

There are many kinds of certificate. The first distinction is the level of validation:

  • Domain Validation (DV): the lowest level; the CA only confirms that the applicant controls the domain name. For such a certificate the browser shows a padlock in the address bar.
  • Organization Validation (OV): additionally confirms which organization owns the domain; the certificate carries the organization's details.
  • Extended Validation (EV): the highest level of vetting. Browsers used to display the company name in the address bar for EV certificates; current browsers no longer give them a distinct indicator.

The second distinction is coverage:

  • Single-domain certificate: valid for one exact name only. A certificate for foo.com cannot be used for www.foo.com.
  • Wildcard certificate: valid for a name's direct subdomains. *.foo.com covers www.foo.com (or any other single label), but not deeper names such as a.b.foo.com, and it does not cover the bare foo.com unless the CA also lists that name in the certificate.
  • Multi-domain (SAN) certificate: valid for several names listed in it, such as foo.com and bar.com.

The higher the validation level and the wider the coverage, the more expensive the certificate.

There is also a free option. To promote HTTPS, the Electronic Frontier Foundation (EFF), Mozilla and others founded Let's Encrypt, a certificate authority run by the Internet Security Research Group (ISRG) that issues free domain-validated certificates (tutorials and tools are on its site).

After you get the certificate, check it with an SSL certificate checker, or locally with openssl x509 -in cert.pem -noout -text, to confirm that the subject, the Subject Alternative Names and the validity dates are what you expect.
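To make the coverage rules above concrete and to automate the check just described, here is an added Python example; it is not code from the original article. fetch_cert pulls the live certificate from a server, with full chain and hostname verification done by Python's default context, and therefore needs network access. covers and days_until_expiry work on the dictionary shape that ssl.SSLSocket.getpeercert() returns, so they also run offline on the constructed SAMPLE_CERT at the bottom; the name foo.com, the dates and SAMPLE_NOW are made up for the demonstration.

```python
"""Check which hostnames a certificate covers and how long it stays valid.

Added example for this article, not code from the original page. Works on the
dict returned by ssl.SSLSocket.getpeercert(); SAMPLE_CERT below is constructed.
"""
import socket
import ssl
import time


def fetch_cert(hostname, port=443):
    """Fetch the server certificate as a getpeercert() dict. The default context
    verifies the chain and the hostname and raises ssl.SSLError if either fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def san_dns_names(cert):
    """DNS names from the Subject Alternative Name extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """Apply the wildcard rule of RFC 6125 section 6.4.3 as browsers do:
    '*' may only be the entire left-most label and matches exactly one label,
    so *.foo.com covers www.foo.com but neither foo.com nor a.b.foo.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False                      # no partial wildcards such as w*.foo.com
    suffix = pattern[1:]                  # ".foo.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]       # the part the '*' has to stand for
    return bool(left) and "." not in left  # exactly one non-empty label


def covers(cert, hostname):
    """True if the certificate is valid for hostname. Only the SANs count;
    modern browsers ignore the Common Name."""
    return any(name_matches(name, hostname) for name in san_dns_names(cert))


def days_until_expiry(cert, now=None):
    """Whole days left before notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


SAMPLE_CERT = {  # constructed; field shapes follow getpeercert()
    "subject": ((("commonName", "foo.com"),),),
    "subjectAltName": (("DNS", "foo.com"), ("DNS", "*.foo.com")),
    "notBefore": "Mar  1 00:00:00 2025 GMT",
    "notAfter": "May 30 00:00:00 2025 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("May  1 00:00:00 2025 GMT")  # constructed "today"

if __name__ == "__main__":
    for host in ("foo.com", "www.foo.com", "a.b.foo.com", "bar.com"):
        print(f"{host:<14} covered: {covers(SAMPLE_CERT, host)}")
    print("days until expiry:", days_until_expiry(SAMPLE_CERT, now=SAMPLE_NOW))
```

To run it against a real site, replace SAMPLE_CERT with fetch_cert("www.example.com") and drop the now argument; a negative day count or a False from covers means the certificate is not the one you meant to install.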

II. Install the certificate

The certificate can be placed in /etc/ssl (on Linux); keep the private key readable only by root or the server's service user. Then configure it for the web server you use:

  • SSL Configuration Generator, by Mozilla
  • Configuration file templates, by SSLMate

If you use a Let's Encrypt certificate, use the automated client Certbot, which installs the certificate and can renew it before it expires (Let's Encrypt certificates are valid for only 90 days).

After installation, use the SSL Labs Server Test to confirm that the full certificate chain is served and the TLS configuration is sound (openssl s_client -connect example.com:443 -servername example.com shows the same from the command line).

III. Fix the links

Next, every resource the page loads over HTTP must be changed to an HTTPS link. An HTTPS page that references plaintext resources has "mixed content": browsers block active mixed content (scripts, stylesheets, frames, XHR) outright, and current browsers also upgrade or block passive content such as images.

<script src="http://foo.com/jquery.js"></script>

The line above loads a script; there are two ways to change it.

<!-- modification one -->
<script src="https://foo.com/jquery.js"></script>
<!-- modification two -->
<script src="//foo.com/jquery.js"></script>

The second form is protocol-relative: the browser fetches the resource with whatever scheme the current page uses. It was once the more flexible choice, but once the whole site is served over HTTPS there is no reason to keep it; write https:// explicitly, so the resource is never fetched in the clear even if the page itself is somehow opened over HTTP.

Also, if the page header uses rel="canonical", change it to the HTTPS URL.

<link rel="canonical" href="https://foo.com/bar.html" />

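Doing the rewrite in this step by hand is tedious on a large site. The following added Python example (not code from the original article) finds every plain-http sub-resource reference in a page and rewrites it to https://, while leaving navigational <a href> links alone, since the target site may not support HTTPS. SAMPLE_HTML and the host names in it are constructed for the demonstration; url() references inside CSS and URLs assembled in JavaScript are not covered.

```python
"""Find plain-http sub-resource references in HTML and rewrite them to https://.

Added example for this article, not code from the original page. Only the
attributes browsers fetch as sub-resources are touched; <a href> navigation
links are left alone because the target site may not support HTTPS.
"""
import re
from html.parser import HTMLParser

# tag -> attributes whose URL the browser fetches while rendering the page.
# A plain-http URL in one of these is mixed content once the page is HTTPS.
RESOURCE_ATTRS = {
    "script": {"src"},
    "link": {"href"},            # stylesheets, icons, and rel="canonical" too
    "img": {"src", "srcset"},
    "source": {"src", "srcset"},
    "iframe": {"src"},
    "audio": {"src"},
    "video": {"src", "poster"},
    "object": {"data"},
    "embed": {"src"},
    "form": {"action"},          # posting to http from an https page is flagged too
}

HTTP_URL = re.compile(r"^http://", re.IGNORECASE)          # whole-value check
HTTP_IN_VALUE = re.compile(r"\bhttp://", re.IGNORECASE)   # every URL in a srcset list
TAG_RE = re.compile(r"<(" + "|".join(RESOURCE_ATTRS) + r")\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\b([\w:-]+)\s*=\s*)("[^"]*"|'[^']*')""")


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url, line) for each plain-http resource reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in RESOURCE_ATTRS.get(tag, ()) and HTTP_URL.match(value.strip()):
                line, _ = self.getpos()
                self.findings.append((tag, name, value.strip(), line))


def find_mixed_content(html):
    """Report every resource reference that would be mixed content on an HTTPS page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_resource_urls(html):
    """Return html with http:// changed to https:// inside resource attributes only."""
    def fix_tag(tag_match):
        allowed = RESOURCE_ATTRS[tag_match.group(1).lower()]

        def fix_attr(attr_match):
            lead, name, value = attr_match.groups()
            if name.lower() not in allowed:
                return attr_match.group(0)
            return lead + HTTP_IN_VALUE.sub("https://", value)

        return ATTR_RE.sub(fix_attr, tag_match.group(0))

    return TAG_RE.sub(fix_tag, html)


SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.foo.com/site.css">
<link rel="canonical" href="http://foo.com/bar.html">
</head><body>
<a href="http://partner.example/">partner site (navigation, left alone)</a>
<script src="Http://foo.com/jquery.js"></script>
<img src="https://foo.com/logo.png" srcset="http://foo.com/logo.png 1x, http://foo.com/logo@2x.png 2x">
</body></html>
"""  # constructed sample page

if __name__ == "__main__":
    for tag, attr, url, line in find_mixed_content(SAMPLE_HTML):
        print(f"line {line}: <{tag} {attr}> loads {url} in the clear")
    print(upgrade_resource_urls(SAMPLE_HTML))
```

Run find_mixed_content first to see what would be rewritten, and only then apply upgrade_resource_urls; a third-party host that does not answer on HTTPS will break after the rewrite, so each reported host should be checked (for example with the certificate check from step one) before the change is deployed.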
IV. 301 redirects

Next, modify the web server's configuration so that every HTTP request is answered with a 301 (permanent) redirect to the corresponding HTTPS URL.

The Nginx version:

server {
    listen 80;
    server_name domain.com www.domain.com;
    return 301 https://domain.com$request_uri;
}

The Apache version (in an .htaccess file):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

V. Security measures

The following measures further secure the connection.

5.1 HTTP Strict Transport Security (HSTS)

Users rarely type https:// into the address bar directly. They reach the site by clicking a link, or through a 3xx redirect from the HTTP page to the HTTPS page. That first plaintext HTTP request can be hijacked and tampered with by an attacker on the network path.

Another scenario: a malicious site uses a self-signed certificate to impersonate another site. The browser shows a warning, but many users click through it and continue.

HTTP Strict Transport Security (HSTS) addresses both: it forces the browser to make only HTTPS requests to the site and prevents users from clicking through certificate errors.

It is a directive the site adds to its response headers. The following example is taken from Wikipedia.

Strict-Transport-Security: max-age=31536000; includeSubDomains

This header does two things.

(1) For the next year (31,536,000 seconds), whenever the browser is about to send an HTTP request to example.com or any of its subdomains, it must use HTTPS instead. If the user clicks a link to http://www.example.com/ or types it into the address bar, the browser rewrites http to https itself and sends the request to https://www.example.com/ directly.

(2) For the next year, if the example.com server presents an invalid certificate, the user cannot click through the browser warning and cannot reach the site.

HSTS largely defeats SSL stripping (the sslstrip attack): once the browser has seen the header over a secure connection, it insists on HTTPS even if a link or redirect has been rewritten to HTTP.

The main weakness is the first visit: until the browser has seen the header once, an HTTP request to the site is unprotected. The preload directive, together with submitting the domain to the browsers' HSTS preload list (hstspreload.org), closes that gap by shipping the policy inside the browser.

5.2 Cookies

Another thing to check is that the browser sends cookies only over HTTPS.

In the site's response headers, add the Secure flag to every Set-Cookie field. Cookies whose names start with __Secure- or __Host- are refused by browsers unless the flag is present, which makes the requirement hard to forget.

Set-Cookie: LSID=DQAAAK...Eaem_vYg; Secure

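The checks from section IV, 5.1 and 5.2 can be automated after the migration. The added Python example below is not code from the original article. It takes captured responses as (url, status, headers) tuples, so it runs offline, and reports a missing or non-HTTPS permanent redirect, an HSTS header that is absent, malformed or sent over plain HTTP, and cookies without the Secure flag. The HSTS parser follows RFC 6797 (max-age mandatory, a repeated directive invalidates the header, unknown directives are ignored); the one-year minimum and the includeSubDomains requirement are policy choices taken from the article's own example, not RFC rules. SAMPLE_RESPONSES is constructed for illustration.

```python
"""Audit the HTTP -> HTTPS redirect, the HSTS header and cookie flags of a site.

Added example for this article, not code from the original page. Responses are
passed in as (url, status, headers) so the audit runs offline on captured data;
SAMPLE_RESPONSES below is constructed for illustration.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000   # seconds; the max-age in the article's HSTS example (policy choice)


def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool}, or None
    when the header is invalid (no max-age, a bad max-age, or a repeated directive).
    Unknown directives are ignored, as the RFC requires.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')      # the value may be a quoted-string
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def cookie_attributes(set_cookie):
    """Return (cookie name, set of lower-cased attribute names) for a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(url, status, headers):
    """Return the problems found in one response. headers is a list of
    (name, value) pairs so that repeated Set-Cookie headers are all seen."""
    def values(header_name):
        return [v for k, v in headers if k.lower() == header_name]

    problems = []
    if urlsplit(url).scheme == "http":
        location = values("location")
        if status not in (301, 308) or not location:
            problems.append(f"{url}: expected a permanent redirect to HTTPS, got {status}")
        elif not location[0].lower().startswith("https://"):
            problems.append(f"{url}: redirect target is not HTTPS: {location[0]}")
        if values("strict-transport-security"):
            problems.append(f"{url}: HSTS sent over plain HTTP is ignored by browsers (RFC 6797 section 8.1)")
    else:
        hsts = values("strict-transport-security")
        policy = parse_hsts(hsts[0]) if hsts else None
        if not hsts:
            problems.append(f"{url}: no Strict-Transport-Security header")
        elif policy is None:
            problems.append(f"{url}: malformed HSTS header: {hsts[0]!r}")
        else:
            if policy["max_age"] < ONE_YEAR:
                problems.append(f"{url}: HSTS max-age {policy['max_age']} is below one year")
            if not policy["include_subdomains"]:
                problems.append(f"{url}: HSTS lacks includeSubDomains")
    for set_cookie in values("set-cookie"):
        name, attrs = cookie_attributes(set_cookie)
        if "secure" not in attrs:
            problems.append(f"{url}: cookie {name} is missing the Secure flag")
    return problems


def audit_all(responses):
    """Flatten the problems of several captured responses into one list."""
    return [p for url, status, headers in responses for p in audit_response(url, status, headers)]


SAMPLE_RESPONSES = [   # constructed; the shape a curl -sI capture would give
    ("http://example.com/login", 301, [("Location", "https://example.com/login")]),
    ("https://example.com/login", 200, [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "LSID=DQAAAK...Eaem_vYg; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "theme=dark; Path=/"),
    ]),
]

if __name__ == "__main__":
    for problem in audit_all(SAMPLE_RESPONSES):
        print(problem)
```

The check for HSTS over plain HTTP is there because a common mistake is to emit the header from the port-80 server block, where browsers are required to ignore it; the header only counts when it arrives over a connection whose certificate validated.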
VI. Reference links

    • How to Migrate to HTTPS, by Chris Palmer
    • Complete Guide – How to Migrate from HTTP to HTTPS, by KeyCDN
    • What You Need to Know about Changing from HTTP to HTTPS, by Matt Mansfield
