Secure your SPIP website with https://

How to easily migrate your SPIP website from http:// to https://

https:// protocol is largely spreading:

  • most big websites are early adopters
  • it’s recommanded for better data transactions’ privacy
  • web browsers now flag http:// websites as “Not Secure”
  • it’s part of quite every search engine guidelines for SEO
  • ...

Hopefully, in most case it’s really simple to get SPIP ready for https://. This post shows you how to do it.

Step 1 - Get a SSL certificate for HTTPS

On shared hostings, the option has to be available and should be activated on domain level or, desired sub-domain.

On dedicated servers, Let’s encrypt is the solution that let’s you generate your own certificates.

Install Let’s Encrypt ssl certificate on debian/ubuntu

Step 2 - Modify website’s canonical URL

In the admin area:

  • Go to menu configuration > Site identity > Website URL
    Change the adresse from http://www.your-domain.tld to https://www.your-domain.tld (add www. or not, depending on your .htaccess branding/redir. policy)
  • Save the changes then, go empty your cache via menu Maintenance > Empty the cache

If your templates use the #CHEMIN tag, as normally requested, the update to do should be minimal, addresses already being path relative (normally).

Don’t forget to check on those points:

  • External ressources (fonts, styles, libs, js, ...) should all be called and accessible with https://. => Eg. each & every http://cdn.something.tld/some.js becomes https://cdn.something.tld/some.js
  • Sounds obvious but browse your website to check on your browser is not detecting any glitch.

For example with Firefox:

It Works ! https:// version is up & running
https:// is up but some ressources are still called with http://

Google Chrome’s consol also provides with mixed http / https content errors

Step 4 - Set up .htaccess file to force HTTPS

Once HTTPS is set up, we force redirect all HTTP requests toward their equivalent HTTPS URLs, by adding the foillowing custom setting to the .htaccess file:

RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Known issue

If your server is mis-configured and/or doesn’t provide any $_SERVER['HTTPS'] variable, then you may experience some troubles with mixed content issues.

To bypass that, add the following lines to your config/mes_options.php :

$_SERVER['HTTPS'] = 'on';
$_SERVER['SERVER_PORT'] = '443';


No discussion

Add a comment

Avant de faire part d’un problème sur un plugin X, merci de lire ce qui suit :

  • Désactiver tous les plugins que vous ne voulez pas tester afin de vous assurer que le bug vient bien du plugin X. Cela vous évitera d’écrire sur le forum d’une contribution qui n’est finalement pas en cause.
  • Cherchez et notez les numéros de version de tout ce qui est en place au moment du test :
    • version de SPIP, en bas de la partie privée
    • version du plugin testé et des éventuels plugins nécessités
    • version de PHP (exec=info en partie privée)
    • version de MySQL / SQLite / PostgreSQL
  • Si votre problème concerne la partie publique de votre site, donnez une URL où le bug est visible, pour que les gens puissent voir par eux-mêmes.
  • En cas de page blanche, merci d’activer l’affichage des erreurs, et d’indiquer ensuite l’erreur qui apparait.

Merci d’avance pour les personnes qui vous aideront !

Par ailleurs, n’oubliez pas que les contributeurs et contributrices ont une vie en dehors de SPIP.

Who are you?
[Log in]

To show your avatar with your message, register it first on (free et painless) and don’t forget to indicate your Email addresse here.

Enter your comment here

This form accepts SPIP shortcuts {{bold}} {italic} -*list [text->url] <quote> <code> and HTML code <q> <del> <ins>. To create paragraphs, just leave empty lines.

Add a document

Follow the comments: RSS 2.0 | Atom