Secure your SPIP website with https://

How to easily migrate your SPIP website from http:// to https://

The https:// protocol is spreading widely:

  • most big websites are early adopters
  • it's recommended for better privacy of data transactions
  • web browsers now flag http:// websites as "Not Secure"
  • it's part of almost every search engine's SEO guidelines
  • ...

Fortunately, in most cases it's really simple to get SPIP ready for https://. This post shows you how to do it.

Step 1 - Get an SSL certificate for HTTPS

On shared hosting, the option has to be available and should be activated at the domain level, or on the desired sub-domain.

On dedicated servers, Let's Encrypt is the solution that lets you generate your own certificates.

Install Let's Encrypt SSL certificate on Debian/Ubuntu

Step 2 - Modify website’s canonical URL

In the admin area:

  • Go to menu configuration > Site identity > Website URL
    Change the address from http://www.your-domain.tld to https://www.your-domain.tld (add www. or not, depending on your .htaccess branding/redirection policy)
  • Save the changes, then empty your cache via menu Maintenance > Empty the cache

If your templates use the #CHEMIN tag, as normally requested, the update should be minimal, since addresses are normally already path-relative.

Don't forget to check these points:

  • External resources (fonts, styles, libs, js, ...) should all be called and accessible with https://. => E.g. each and every http://cdn.something.tld/some.js becomes https://cdn.something.tld/some.js
  • It sounds obvious, but browse your website to check that your browser is not detecting any glitch.

For example with Firefox:

It works! The https:// version is up & running
https:// is up but some resources are still called with http://

Google Chrome's console also reports mixed http / https content errors

Step 4 - Set up .htaccess file to force HTTPS

Once HTTPS is set up, we redirect all HTTP requests to their equivalent HTTPS URLs by adding the following custom setting to the .htaccess file:

RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Known issue

If your server is misconfigured and/or doesn't provide any $_SERVER['HTTPS'] variable, you may run into mixed content issues.

To work around that, add the following lines to your config/mes_options.php. They tell SPIP that every request arrived over HTTPS:

$_SERVER['HTTPS'] = 'on';
$_SERVER['SERVER_PORT'] = '443';

updated on 2 December 2018

