moving your website to https / ssl: tips & tricks

Post on 16-Jul-2015

  • Moving your website to https / SSL: tips & tricks

    In January I wrote about our plans in moving to SSL. We've since done that, with great results from an SEO perspective: we had no negative effect on traffic, whatsoever. Two weeks ago, we also moved our tool Quix to https. There are quite a few things we learned in the process of moving these two sites to SSL that we thought would be worth sharing with all of you. Also, some things happened in the last few weeks that make SSL a hot topic, so we'll discuss those first.

    Ranking benefit for completely SSL sites?

    Last month, Search Engine Land reported that Matt Cutts had said about SSL that he'd "personally love to make it part of the ranking algorithm". The Wall Street Journal picked up on this two days ago. Whether or not this actually happens (or, perhaps, has already happened) doesn't really make much of a difference to me. A completely SSL site looks more trustworthy than a non-SSL one [reference needed].

    From a spam fighting perspective I think I can see why Matt would like it. I don't think many spam network creators would go through the hassle of setting up SSL for all their sites and buying certificates for all of them. The cost would soon become higher than the profit in many niches.

  • Heartbleed

    The recent Heartbleed debacle (if you don't know what it is, read this and / or this simple explanation) showed us once again how vulnerable the web can be. The good thing about it is that when you think about people being able to "listen" to your web traffic, you suddenly realize it might actually make sense to encrypt a whole lot more of it.

    Moving your site to https

    In moving completely to https / SSL we figured out there are a few things you need to be aware of:

    - All of your internal links should start to use https, not just to pages, but for images, JavaScript, CSS, etc. This means going through your theme with a fine comb and cleaning all of those up. Of course you can have your web server redirect http to https (more on that below), but not having to do the redirect is a lot cheaper.

    - Your CDN needs to support SSL too. Of course, we use and love MaxCDN and they can set up SSL for your CDN subdomain very easily.

    - SPDY, a networking protocol primarily developed by Google that you can enable for SSL traffic, is awesome. It makes your website faster and funnily enough that means that your fully SSLed site could actually be faster for those people who visit your site with modern browsers than your plain http site.

    - Not all SSL setups are equally safe. Once you've set up your site with SSL, it's important to then make a conscious decision about how safe you want your traffic to be and act on that, more below.

    - You will need a static and unique IP for your site. This is "logical" if you know how SSL works, but it also means that most shared hosting servers won't allow you to do this. As mentioned by David in the comments: if your server supports Server Name Indication you don't even need a dedicated IP.

    https & SSL Web server config
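    The first point in the list above, going through the theme for http:// references, is easy to automate. This is an added example and not code from the post; it uses only the Python standard library, and the sample HTML and the example.test host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value is fetched as a sub-resource. Script, stylesheet,
# frame and object loads are "active" mixed content (browsers block them);
# images, media and the like are "passive" (browsers warn and degrade the lock).
URL_ATTRS = {"src", "href", "data", "poster"}
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute url, severity)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            if tag == "a" and name == "href":
                continue  # a plain link navigates; it is not a sub-resource load
            # urljoin turns relative and protocol-relative (//cdn/...) refs into
            # absolute ones, so only literal http:// references survive the test.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme != "http":
                continue
            severity = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((tag, name, absolute, severity))


def find_mixed_content(html, page_url):
    """Return (tag, attr, url, severity) for every insecure load on the page."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample of a theme fragment before cleanup (not a real site).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/style.css">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://www.example.test/logo.png"><img src="/img/ok.png">
<a href="http://other.example.test/">links may stay http</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, sev in find_mixed_content(SAMPLE, "https://www.example.test/"):
        print(f"{sev:7} <{tag} {attr}> {url}")
```

    Every <link href> is reported, so a rel="canonical" pointing at http shows up too; filter on rel if that is noise for your theme.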

    Because is hosted on Synthesis, we didn't have to do much to allow for SSL with full support for SPDY, as they took care of all the details for that, which is only part of the reason we love them. For we had to do it ourselves, which meant re-compiling our NGINX with SPDY support and a few more bits and bobs. For most people it's probably a better choice to either go with a smart hosting provider like Synthesis or hire someone to do this for you. If you're not sure whether your current setup supports SPDY, you can use to check, or simply type spdy in Quix.

    We did tweak our setup quite a bit though, as SSL can require more resources on your server and not setting it up properly could lead to load issues and delays. Below are the specific lines from our NGINX config related to the SSL session cache:

        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 10m;

    The next thing to tweak are the available ciphers. If you're implementing this, I'd suggest referring to this article about hardening your web server's SSL ciphers as it explains in detail some of the settings below. That article is kept up to date so it's better to check that than the code below, but for reference, this is what we currently use on

        ssl_prefer_server_ciphers On;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
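    Read today, this config still enables SSLv3 (broken by POODLE in late 2014) and 3DES (Sweet32, 2016), and TLS 1.0 and 1.1 have since been deprecated by RFC 8996, which is exactly why the author points you at the regularly updated article instead. As an added example that is not the post's code, this Python audit parses ssl_* lines in the group-keyword style used above and lists what a present-day check would flag:

```python
import re

# Protocols and cipher-group keywords that a present-day audit flags, with the reason.
WEAK_PROTOCOLS = {
    "SSLv2": "broken and withdrawn",
    "SSLv3": "POODLE (2014)",
    "TLSv1": "deprecated by RFC 8996",
    "TLSv1.1": "deprecated by RFC 8996",
}
WEAK_CIPHER_KEYWORDS = {
    "3DES": "64-bit blocks, Sweet32 (2016)",
    "RC4": "prohibited by RFC 7465",
    "MD5": "MD5-based MAC",
    "NULL": "no encryption",
}


def parse_ssl_directives(config):
    """Return {directive: [args]} for every ssl_* directive in an nginx config."""
    found = {}
    for m in re.finditer(r"^\s*(ssl_\w+)\s+([^;]+);", config, re.MULTILINE):
        found[m.group(1)] = m.group(2).split()
    return found


def audit_tls_config(config):
    """List the weaknesses in the ssl_protocols / ssl_ciphers lines of a config."""
    d = parse_ssl_directives(config)
    findings = []
    for proto in d.get("ssl_protocols", []):
        if proto in WEAK_PROTOCOLS:
            findings.append(f"ssl_protocols enables {proto}: {WEAK_PROTOCOLS[proto]}")
    specs = d.get("ssl_ciphers", [""])[0].strip('"\'').split(":")
    for spec in specs:
        if spec.startswith("!"):
            continue  # a '!' entry removes suites; it never enables anything
        # Group entries such as ECDH+3DES are ANDed keywords; flag on the first match.
        for keyword, why in WEAK_CIPHER_KEYWORDS.items():
            if keyword in spec.split("+"):
                findings.append(f"ssl_ciphers keeps '{spec}': {why}")
                break
    if "!aNULL" not in specs:
        findings.append("ssl_ciphers does not exclude anonymous (aNULL) suites")
    if d.get("ssl_prefer_server_ciphers", ["off"])[0].lower() != "on":
        findings.append("ssl_prefer_server_ciphers is off: the client chooses the suite")
    return findings
```

    Suites written out by name (DES-CBC3-SHA and friends) are not matched by keyword; for those, expand the string with openssl ciphers -v and check the result.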

    Strict Transport Security header

    One of the other cooler things you can do is add a Strict Transport Security header. This will force the browser to load all subsequent requests from the same host over https, even when you've linked to http.

    In NGINX, you add this like this:

        # This forces every request after this one to be over HTTPS
        add_header Strict-Transport-Security "max-age=31536000";

    For other servers, including Apache, check the Wikipedia page on the Strict Transport Security header, more specifically the implementation section. Note that if you run subdomains, you could also add those, but unfortunately not ALL our subdomains are on SSL yet, so we haven't been able to do that yet. Luckily, our friends at MaxCDN were nice enough to turn it on for us.

    BTW if you're wondering why I use MaxCDN, their new tools site shows nicely how fast the already blazing fast is in comparison to, which is running at rocket speed, compare the two here. That tool is pretty useful to compare two sites in speed.

  • SSL test

    If you've done the above correctly, you should be able to pass the Qualys SSL test with flying colors, we sure do. If you use Quix, you can run that test on any domain simply by typing the command ssltest. I think you should aim for at least A in this test, though A+ is easily achievable when you add the above Strict Transport Security header.

    Redirect from http to https

    This last bit will help you tremendously when you've not updated every single link in your site yet. You can just add a straight server level redirect from http to https. In NGINX, we do this by having two servers defined in our config, the "right" one, that listens on port 443 and a simple one that listens on port 80 (normal http) and has just this:

        server {
            listen 80;
            server_name example.com;                     # placeholder: the real host name was lost in extraction
            return 301 https://example.com$request_uri;  # same placeholder host
        }

    This seems to be the fastest way of doing this in NGINX, in Apache you'd do something like this:

        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
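    Once the redirect and the Strict Transport Security header from the two sections above are in place, the thing to verify is the pair of responses the site now gives: the port-80 reply must be a permanent redirect to https that keeps the path and query, and the https reply must carry a sensible HSTS policy. This added check is not the post's code; it works on captured status codes and header dicts, so the example.test values in the usage are constructed and no network is needed.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # the max-age the post's add_header line uses


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value or None}.
    Names are case-insensitive and max-age is required (RFC 6797); a duplicated
    directive invalidates the whole header, so it is rejected here too."""
    policy = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in policy:
            raise ValueError(f"duplicate directive {name}")
        policy[name] = val.strip().strip('"') if val else None
    if not (policy.get("max-age") or "").isdigit():
        raise ValueError("missing or non-numeric max-age")
    return policy


def check_migration(http_url, http_status, http_headers, https_headers):
    """List problems in the plain-http reply (should be a permanent redirect that
    keeps path and query) and the https reply (should carry a strong HSTS policy)."""
    problems = []
    h = {k.lower(): v for k, v in http_headers.items()}
    s = {k.lower(): v for k, v in https_headers.items()}
    src, dst = urlsplit(http_url), urlsplit(h.get("location", ""))
    if http_status not in (301, 308):
        problems.append(f"http reply is {http_status}, not a permanent redirect")
    if dst.scheme != "https":
        problems.append(f"redirect target is not https: {dst.geturl()!r}")
    elif (dst.path, dst.query) != (src.path, src.query):
        problems.append("redirect drops the request path or query")
    if "strict-transport-security" in h:
        problems.append("HSTS on plain http is ignored by browsers (RFC 6797)")
    if "strict-transport-security" not in s:
        return problems + ["https reply sends no Strict-Transport-Security header"]
    try:
        policy = parse_hsts(s["strict-transport-security"])
    except ValueError as exc:
        return problems + [f"invalid HSTS header: {exc}"]
    if int(policy["max-age"]) < ONE_YEAR:
        problems.append("HSTS max-age is shorter than one year")
    if "includesubdomains" not in policy:
        problems.append("HSTS does not cover subdomains")
    return problems
```

    The subdomains finding is the caveat the post itself raises: add includeSubDomains only once every subdomain really serves https, because the browser will refuse plain http to all of them for the whole max-age.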

    What type of SSL certificate should you get?

    In my opinion, if you're going to invest serious time in doing this, it's only worth it when you make sure you get the maximum benefit. With Extended Validation certificates you get the green address bar, which is what you want:

    If you think that's expensive, think again. For instance here at Namecheap an EV SSL cert could cost you as little as $139 a year, so go for that but be sure to check their different offers if you have multiple domains. Of course if you're cheap you could get just a domain validation certificate which would cost you like $9 a year.

    So... Should you move your website to https?

    If you're a web shop or otherwise transactional website you probably already have SSL for your checkout. If so, moving your entire website to https makes a LOT of sense to me, it's probably actually easier to maintain and makes sure that you're doing everything to make sure your SSL traffic (and thus the most important section of your site) is as fast as possible.

    If you're a purely informational website you might not need to make the move, but if some of that information could be privacy sensitive, I think it'd be a good idea to implement SSL anyway.

    Would love to hear your ideas on moving your website to https and SSL in the comments!
