Anthony McLin

Moving a Drupal site to HTTPS

As part of improving the performance of my site, and bringing it up to date with modern best practices, one step is to switch over to HTTPS instead of HTTP to secure the site. This is a required condition for a Progressive Web App, but it's a good practice in the modern age.

  1. Protects against Man In The Middle attacks
  2. Required for performance-enhancing features of Progressive Web Apps
  3. Required for the performance-enhancing features of HTTP2

One argument I hear from people who have been developing on the web as long as I have is: "my site isn't doing anything important, like banking or the like, and I don't require users to login, so why should I encrypt with HTTPS?". What they forget to understand is that Man In The Middle (MITM) attacks are very common these days. A user may be connected to a compromised wifi router, and the router can intercept the traffic to your site and serve up injected malicious content to the visitor instead. Having HTTPS enabled on your site prevents this. HTTPS doesn't solve for all security situations, but it does ensure that when the visitor connects to your site, they are actually getting your site. It doesn't 100% protect against a MITM attack, but it makes it much more obvious to the visitor when their browsing session is being compromised. The second big reason is that there is a lot of analytics tracking done by governments (ill-willed and benign) as well as corporations on the traffic patterns to monitor the browsing patterns of the population. By using HTTPS everywhere, and not purely on logins/banking/secure sites, it makes it much harder for those entities to identify the contents of the traffic. Imagine if all your mail was on postcards, and then one day you want to send something private, so you use an envelope. That envelope is suspicious and stands out because it's unlike all your previous mail. It deserves attention. Instead, if all your mail was always in envelopes, then one envelope doesn't stand out against the rest.

Long explanations aside, what does it take to get a Drupal site running over HTTPS instead of HTTP? Turns out it's a pretty straightforward process.

First of all, you need a SSL certificate. You'll need to check with your hosting provider on how this is handled. My provider, MediaTemple, charges $75/year for an SSL certificate which is quite pricey. I'm not ready to commit to that cost, so intead I'm going to get a free certificate from Lets Encrypt. It's only valid for 3 months, at which point I have to renew it. Many hosting providers have integrations in place so you can autorenew a Let's Encrypt certificate automatically, and if you're running your own servers or dedicated VMs, you can set it up to autorenew yourself.

Even though they normally charge for SSL certificates, MediaTemple is nice enough to provide instructions on how to use the Let's Encrypt service to setup your own certificate on their Grid Service. After following those steps, I next need to make changes so that Drupal will be served over HTTPS.

First you need to decide how you want to manage the traffic between HTTP and HTTPS. You most likely don't want to serve both simultaneously, as search engines may see that as duplicate sites resulting in SEO penalties. You most likely want to redirect all HTTP traffic to HTTPS. You also need to determine if you are serving your site with the www. prefix or not ( vs. In my case, I am already redirecting all traffic to the domain without the www. prefix. Once you've decided on which pattern you're going to use, open up your .htaccess file in your editor.

If you are redirecting all traffic to your site with "www." then you should already have these lines uncommented:

# RewriteCond %{HTTP_HOST} .
# RewriteCond %{HTTP_HOST} !^www\. [NC]
# RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

However, if you're like me and currently redirecting all your traffic to your site without the "www." prefix, then you would have these lines uncommented:

# RewriteCond %{HTTP_HOST} .
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# RewriteRule ^ http%{ENV:protossl}://%1%{REQUEST_URI} [L,R=301]

Whichever you are using, take note and then comment out those lines so they match what was originally in Drupal's .htaccess file. Now, just underneath these, add your new redirect:

# Rewrite all traffic to HTTPS without www
  RewriteCond %{HTTPS} off [OR]
  RewriteCond %{HTTP_HOST} ^www\.anthonymclin\.com*
  RewriteRule ^(.*)$$1 [L,R=301]

The first line checks for HTTPS traffic. The second line checks for traffic to my domain with the www. prefix. The last line rewrites all traffic to my domain as HTTPS and without the www. prefix. If you wish to use the www prefix, then you'd change the 3rd line to have the full domain with www., and change the regex pattern on the 2nd line to find traffic that does not match www.

# Rewrite all traffic to HTTPS without www
  RewriteCond %{HTTPS} off [OR]
  RewriteCond %{HTTP_HOST} (?!^www\.example\.com*)
  RewriteRule ^(.*)$$1 [L,R=301]

And that's about it. Everything else Drupal already handles internally to manage http vs. https. You probably have to flush your site caches to ensure Drupal is generating HTTPS urls, and don't forget to scan your contents for any hardcoded HTTP links. But otherwise, there's nothing to it. Enjoy the preformance improvements!


Add new comment