In the previous article I introduced the HTTP/2 protocol, which only works over HTTPS.
So to upgrade to HTTP/2 you must first enable HTTPS. If you are not familiar with the HTTPS protocol (formally, the TLS protocol), you can refer to my earlier articles:
- Overview of the HTTPS Protocol
- Illustrated HTTPS Protocol
- Seven Misconceptions about the HTTPS Protocol
- How Much Delay Does the HTTPS Protocol Add?
This article describes how to upgrade an HTTP Web site to HTTPS.
I. Obtain a certificate
The first step in upgrading to HTTPS is to obtain a certificate.
A certificate is a binary file containing a certified public key and some metadata. It is purchased from a reseller, for example:
- Gogetssl
- Ssls.com
- Sslmate.com
There are many kinds of certificates. They are first divided into three levels of validation.
- Domain Validation: the lowest level; it confirms only that the applicant controls the domain name. For this kind of certificate the browser shows a lock in the address bar.
- Company Validation: confirms which company owns the domain name; the certificate contains the company's information.
- Extended Validation: the highest level; the browser address bar displays the company name.
They are also divided into three kinds of coverage.
- Single-domain certificate: usable for only one domain name, e.g. foo.com; it cannot be used for www.foo.com.
- Wildcard certificate: usable for a domain name and all of its first-level subdomains, e.g. *.foo.com can be used for foo.com and for www.foo.com.
- Multi-domain certificate: usable for several domain names, e.g. foo.com and bar.com.
The higher the validation level and the wider the coverage, the more expensive the certificate.
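To make the three coverage types concrete, here is an added example (not code from the original article) that applies the hostname matching rules browsers use to a certificate's name list: an exact match for ordinary names, and for a wildcard name a single leftmost label only. The name lists are constructed; note that a wildcard certificate in practice carries the bare domain as an extra name, which is why it covers foo.com as well as www.foo.com.

```python
# Added example: which hostnames a certificate's names cover.
# Follows the browser rule that "*" stands for exactly one leftmost label.


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate name (CN or SAN entry) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname            # ordinary name: exact match only
    # Wildcard: *.foo.com covers www.foo.com, but neither foo.com nor a.b.foo.com.
    suffix = cert_name[1:]                      # ".foo.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def covered(cert_names, hostname: str) -> bool:
    """True if any name on the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed name lists for the three coverage types described in the text.
SINGLE_DOMAIN = ["foo.com"]
# A wildcard certificate is normally issued with the bare domain as a second
# name, so it covers foo.com as well as *.foo.com (assumed typical issuance).
WILDCARD = ["*.foo.com", "foo.com"]
MULTI_DOMAIN = ["foo.com", "www.foo.com", "bar.com"]

if __name__ == "__main__":
    for label, names in [("single", SINGLE_DOMAIN), ("wildcard", WILDCARD), ("multi", MULTI_DOMAIN)]:
        for host in ["foo.com", "www.foo.com", "a.b.foo.com", "bar.com"]:
            print(f"{label:8} {host:14} covered={covered(names, host)}")
```

A useful check before buying: list every hostname the site answers on (including the bare domain and any deeper subdomains) and run it through this kind of matching; a deeper name such as a.b.foo.com needs its own entry, because one wildcard level does not reach it.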
There is also a free option. To promote the HTTPS protocol, the Electronic Frontier Foundation (EFF) established Let's Encrypt, which issues free certificates (tutorials and tools).
After you obtain the certificate, you can use an SSL certificate checker to verify that its information is correct.
II. Install the certificate
The certificate can be placed in the /etc/ssl directory (on Linux systems) and then configured according to the web server you use.
- Certificate configuration file generator, by Mozilla
- Configuration file templates, by SSLMate
If you use a Let's Encrypt certificate, use its auto-install tool, Certbot.
After installation succeeds, use the SSL Labs Server Test to check that the certificate is in effect.
III. Modify links
Next, every HTTP resource loaded by a web page must be changed to an HTTPS link. If an encrypted page contains unencrypted resources, the browser will not load those resources.
<script src="http://foo.com/jquery.js"></script>
The line above loads a script; there are two ways to change it.
<!-- Change 1 -->
<script src="https://foo.com/jquery.js"></script>
<!-- Change 2 -->
<script src="//foo.com/jquery.js"></script>
The second form loads the external resource with the same protocol as the current page, which is more flexible.
Also, if the page header uses rel="canonical", it should be changed to the HTTPS URL.
<link rel="canonical" href="https://foo.com/bar.html"/>
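As an added example (not part of the original article), the following Python script finds the resources a page still loads over plain HTTP, the mixed content the browser would block, and rewrites http:// references to either of the two forms above. The sample HTML is constructed for the example; the rel="canonical" link is rewritten but deliberately not reported as mixed content, since it is an annotation rather than a download.

```python
import re
from html.parser import HTMLParser

# Added example: locate and rewrite insecure resource references in HTML.

# Tags whose attribute causes the browser to fetch something.
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "source": "src",
    "audio": "src", "video": "src", "link": "href",
}


class MixedContentFinder(HTMLParser):
    """Collect (tag, attribute, url) for resources loaded over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        # <link> only downloads for stylesheet/icon relations; rel="canonical"
        # is metadata and is handled by the rewrite, not reported as mixed content.
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & {"stylesheet", "icon"}:
                return
        value = attrs.get(attr)
        if value and value.lower().startswith("http://"):
            self.findings.append((tag, attr, value))


def find_mixed_content(html: str):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings


# Matches src="http:// or href='http:// so only attribute values are touched.
_HTTP_ATTR = re.compile(r'((?:src|href)\s*=\s*["\'])http://', re.IGNORECASE)


def rewrite_links(html: str, mode: str = "https") -> str:
    """mode="https": http:// -> https://  (change 1)
    mode="relative": http:// -> //       (change 2, protocol-relative)"""
    replacement = r"\1https://" if mode == "https" else r"\1//"
    return _HTTP_ATTR.sub(replacement, html)


# Constructed sample page for the example.
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://foo.com/bar.html"/>
<link rel="stylesheet" href="http://foo.com/site.css">
</head><body>
<script src="http://foo.com/jquery.js"></script>
<img src="https://foo.com/logo.png">
<a href="http://foo.com/about.html">About</a>
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_HTML):
        print("mixed content:", finding)
    print(rewrite_links(SAMPLE_HTML, "relative"))
```

Run the finder over the rewritten output as a regression check: after either rewrite mode it should report nothing, which is the condition under which the browser no longer blocks any resource on the page.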
IV. 301 redirects
Next, modify the web server's configuration file and use a 301 redirect to send HTTP requests to the HTTPS site.
The Nginx form:
server {
    listen 80;
    server_name domain.com www.domain.com;
    return 301 https://domain.com$request_uri;
}
The Apache form (in the .htaccess file):
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
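The same redirect rule, written as a small Python listener so the two details that matter can be seen in code: the original path and query string are preserved, and, unlike the Apache rule, the Host header is checked against an allow-list instead of being copied into Location unverified (echoing an arbitrary Host header turns the redirect into an open redirect). This is an added example, not the article's configuration; ALLOWED_HOSTS and the fallback host are assumed values.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Added example: HTTP -> HTTPS 301 redirect with a validated Host header.
ALLOWED_HOSTS = {"domain.com", "www.domain.com"}   # assumed for this example
FALLBACK_HOST = "domain.com"                       # assumed canonical host


def https_location(host_header, request_uri, allowed=ALLOWED_HOSTS, fallback=FALLBACK_HOST):
    """Build the Location target for the redirect.

    The HTTPS listener is on 443, so any port in the Host header is dropped.
    Only hosts we actually serve are echoed back; anything else goes to the
    canonical host so the redirect can never point off-site.
    """
    host = (host_header or "").split(":")[0].lower()
    if host not in allowed:
        host = fallback
    # Keep the request-target on our own origin: it must be an absolute path
    # and must not start with "//", which a browser would read as a new host.
    if not request_uri.startswith("/") or request_uri.startswith("//"):
        request_uri = "/"
    return f"https://{host}{request_uri}"


class RedirectHandler(BaseHTTPRequestHandler):
    """Answers every GET/HEAD on port 80 with a 301 to the HTTPS URL."""

    def do_GET(self):
        target = https_location(self.headers.get("Host"), self.path)
        self.send_response(301)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET


if __name__ == "__main__":
    # Binding port 80 needs privileges; use e.g. 8080 for a local trial.
    HTTPServer(("0.0.0.0", 80), RedirectHandler).serve_forever()
```

After deploying either configuration, confirm with curl -I http://domain.com/some/path?x=1 that the status is 301 (not 302, which browsers and search engines treat as temporary) and that the Location keeps the path and query.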
V. Security measures
The following measures can further ensure the security of communications.
5.1 HTTP Strict Transport Security (HSTS)
When visiting a website, users rarely type https:// into the address bar. They usually arrive at an HTTPS page by clicking a link, or through a 3xx redirect from an HTTP page. An attacker can hijack and tamper with that initial HTTP request.
Another scenario is a malicious website that uses a self-signed certificate to impersonate another site; the browser shows a warning, but many users ignore the warning and continue.
HTTP Strict Transport Security (HSTS) forces the browser to make only HTTPS requests and prevents users from accepting unsafe certificates.
It is a mandatory statement added to the site's response header. The following example is taken from Wikipedia.
Strict-Transport-Security: max-age=31536000; includeSubDomains
This header does two things.
(1) For the next year (31,536,000 seconds), whenever the browser sends an HTTP request to example.com or any of its subdomains, it must use HTTPS. When the user clicks a hyperlink or types http://www.example.com/ into the address bar, the browser should automatically rewrite http to https and send the request to https://www.example.com/ directly.
(2) For the next year, if the example.com server presents an invalid certificate, the user cannot dismiss the browser warning and cannot continue to the site.
HSTS largely defeats the SSL stripping attack. Once the browser has established a secure connection with the server, it is forced to use HTTPS even if a link has been replaced with HTTP.
The main drawback of this approach is that users are not protected by HSTS when they first visit the site and make that initial HTTP request.
5.2 Cookies
Another point to take care of is ensuring that the browser sends cookies only over HTTPS.
Add the Secure flag to the Set-Cookie field in the site's response header.
Set-Cookie: LSID=DQAAAK...Eaem_vYg; Secure
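Applications often set cookies in many places, so the flag is easiest to enforce at one choke point. The following added example (not from the original article) is a WSGI middleware that appends Secure to every Set-Cookie header that lacks it, leaving existing attributes such as Path and HttpOnly untouched; the sample headers are constructed.

```python
# Added example: enforce the Secure flag on outgoing Set-Cookie headers.


def has_secure_flag(set_cookie: str) -> bool:
    """Attributes follow the name=value pair, separated by ';' (case-insensitive)."""
    attributes = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return "secure" in attributes


def add_secure_flag(set_cookie: str) -> str:
    """Return the header value with '; Secure' appended if it is missing."""
    if has_secure_flag(set_cookie):
        return set_cookie
    return set_cookie.rstrip().rstrip(";") + "; Secure"


def secure_response_cookies(headers):
    """headers: list of (name, value) pairs as a WSGI app emits them."""
    return [
        (name, add_secure_flag(value) if name.lower() == "set-cookie" else value)
        for name, value in headers
    ]


def secure_cookie_middleware(app):
    """Wrap a WSGI app so every Set-Cookie it sends carries the Secure flag."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            return start_response(status, secure_response_cookies(headers), exc_info)
        return app(environ, patched_start_response)
    return wrapped


# Constructed sample headers for the example (cookie value is a placeholder).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "LSID=DQAAAK...Eaem_vYg; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Secure"),
]

if __name__ == "__main__":
    for name, value in secure_response_cookies(SAMPLE_HEADERS):
        print(f"{name}: {value}")
```

A quick way to verify the deployed site is to look at the response headers in the browser's developer tools (or curl -I) and confirm that every Set-Cookie line ends with Secure; a cookie set without it will still be sent by the browser over an HTTP request, which is exactly what the redirect and HSTS steps above are trying to prevent.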
VI. Reference links
- How to Migrate to HTTPS, by Chris Palmer
- Complete Guide: How to Migrate from HTTP to HTTPS, by KeyCDN
- What You Need to Know about Changing from HTTP to HTTPS, by Matt Mansfield
HTTPS Upgrade Guide