I already use https with an SSL certificate for my orders, but given the rumblings from Google, I thought it would be nice to make sure the whole site uses secure links and definitely uses https links when I am connecting to pages where I collect customer input. Although, as we’ll see below, since I redirect the whole site to https, it doesn’t matter if I explicitly use https links to pages that receive customer data.
The first thing I did was to check for places in the text where I have hard coded a link to the site. These are mostly from manuals for apps that I copied from the app. A few are from links to manuals that were copied from the URL field and not cleaned up. All I need to do is remove the website portion and they will resolve as https links. There are also a few from redirects and they just need an ‘s’ added. The code I used is:
grep -r --exclude=\*.{png,jpg,pdf,odt,ods,svg,exe,dmg,psd,indd} "http://www.wellgolly"
Note that I have a bunch of pdf files and graphics files as well as the master LibreOffice and Photoshop files that I don’t want to search. Using this list excludes them for me. Your list may be different.
There are still a bunch of links that are not https. To see what they are, I changed the search slightly to print the file name and the part of the line that matches the search term. The -o option shows only the part of the line that matches the search pattern. That is not particularly useful if the pattern is ‘http:’ but more informative if the pattern is ‘http:.*’. There are lots of these, probably not worth changing now, but something to keep in mind when updating that portion of the site.
After I did this I noticed that the -I option excludes binary files. This is much shorter.
grep -roI "http:.*"
One more step and you are done. It took a while to find this and I should have looked on the Apache site first, but I didn’t. The preferred way to redirect your site is not with mod_rewrite, which is what most of the pages that turn up in a search suggest, but with a Redirect directive inside your virtual host. Since I only have one website of many that I am converting, this solution works for me. I simply commented out my DocumentRoot line and added a permanent redirect pointing to the SSL section.
#DocumentRoot /www/WG/wellgolly
Redirect permanent / https://www.wellgolly.com/
Restart Apache and it works.
You can test your server at SSL Labs:
https://www.ssllabs.com/ssltest/analyze.html?d=www.wellgolly.com
Once you have it up and running, open all of your pages and see if you get the secure lock at the top of the page. If you missed any links to content that is displayed on your page (images, Facebook like buttons, etc.), then it won’t be locked. I like to use Chrome for testing since the lock is bright green. Links to things outside of your site can still be http.
One thing that I was concerned about was that the links to Yahoo’s Pure CSS files are not https. It doesn’t affect the browser’s reporting that the page is secure, but it won’t load the styles either. I copied them to my server and now they load. I don’t know if it is a Safari security feature or if it is from Ghostery.
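A static check for the problem described in the last two paragraphs, as an added example that is not from the original post: it parses a page and lists every http:// URL the page itself would load (stylesheets, scripts, frames, images), while ignoring ordinary outbound links, which can stay http. The tag lists, the active/passive labels and the sample hosts are assumptions of this example.

```python
from html.parser import HTMLParser

# Tag -> URL attribute. ACTIVE: browsers refuse these over http on an https page.
# PASSIVE: displayed content that costs the page its lock.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentAudit(HTMLParser):
    """Collects (line, kind, tag, url) for each http:// URL the page would load."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "").strip() for name, value in attrs}
        if tag == "link":
            # Only a stylesheet <link> is fetched and applied; rel="canonical" is not.
            rels = attr.get("rel", "").lower().split()
            kind, url = ("active" if "stylesheet" in rels else None), attr.get("href", "")
        elif tag in ACTIVE:
            kind, url = "active", attr.get(ACTIVE[tag], "")
        elif tag in PASSIVE:
            kind, url = "passive", attr.get(PASSIVE[tag], "")
        else:
            return  # <a href> and the rest only link out, so http is acceptable
        if kind and url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], kind, tag, url))

def audit(html_text):
    parser = MixedContentAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings

# Constructed sample page; the hosts are placeholders, not the original site's.
SAMPLE = """<html><head>
<link rel="canonical" href="http://www.example.com/">
<link rel="stylesheet"
      href="http://cdn.example.net/pure-min.css">
<script src="https://cdn.example.net/app.js"></script>
</head><body>
<img src="http://img.example.net/logo.png" alt="logo">
<img src="/images/local.png" alt="relative, so it inherits https">
<a href="http://other.example.org/">outbound link</a>
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in audit(SAMPLE):
        print(f"line {line}: {kind:7} <{tag}> {url}")
```

Run it over each file in the document root after the grep pass; the findings are the links that need to become https or be copied to your own server.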
A couple of things to note. My SSL certificate only covers the www portion of the domain, so things like beta.wellgolly.com will not redirect to https. This change only affects the website, so if you are adding SSL to your site, you might want to change your mail delivery as well to use the certificate.