How to Use .htaccess to Move Your Site to SSL
A few years ago, setting up an SSL certificate was a slow and costly painful process.
At one point, we were paying over $500 per year for a top-of-the-line SSL certificate on this site. Plus, many platforms had poor support for SSLs.
All that has changed. You can get free SSL certificates now, and web software almost always has great support for your SSLs.
The tricky part of using an SSL certificate is now making sure you aren’t loading images or files over http. This will cause your SSL certificate to show an error. Here’s the code we used in our .htaccess to push all our site’s assets to https.
Moving your whole site to SSL
This code should push all the URLs on your site to use https and www.
Here’s the code in our .htaccess file:
# First rewrite to HTTPS:
# Don't put www. here. If it is already there it will be included, if not
# the subsequent rule will catch it.
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Now, rewrite any request to the wrong domain to use www.
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Excluding some pages from SSL
After moving to SSL-only, we had some problems with our RSS feed.
MailChimp, Feedburner, Amazon, dlvr.it and other services didn’t seem like an RSS feed run over SSL. This turns out to be a common problem that the providers themselves don’t seem to have solved.
So, we needed to exclude at least one URL from the SSL. The full URL to our feed is:
http://www.ostraining.com/index.php?option=com_obrss&task=feed&id=1
Here’s the code we used to run that URL on http. We placed this code before the other SSL rules:
# Exceptions for HTTPS
RewriteCond %{HTTPS} off
RewriteCond %{QUERY_STRING} !^option=com_obrss&task=feed&id=1Notice that we had to remove index.php? from the URL to get this rule to work correctly.
Thanks for the article. What is the “rule of thumb” for using SSL? I mean, always for the whole site, or is there any good reason to use SSL for login and submission parts only?
Hi Maik
Right now, SSL Is required only for secure information such as logins or checkouts.
But I suspect it will become the norm for entire sites with time.
We went with all SSL because it was becoming increasingly difficult to maintain large parts of the site as non-SSL and also large parts as SSL.
Plus, the added privacy helps too.
Thanks for your very quick reply. What is the reason against a site-wide SSL? Any performance/requests issues?
Yes, that’s the main one. Adding an SSL is generally thought to make your site a little slower.
Great article, Steve, and quite correct indeed about SSL slowing down sites.
As a high level general rule, running a server with SSL (Apache or IIS) will incur a nominal 10x processing impact, as each of the SSL handshakes will be done at the server level, which is quite processor intensive. Servers processing SSL transactions will without question affect server response times.
Load balancers perform SSL offload, considering that they have dedicated Cavium chips for this functionality (with port 80 on the back-end server to avoid the SSL processing). Servers typically don’t include Cavium chips. Intel is working towards a model of integrating SSL offload into their chip-sets, so SSL will become the norm in the future.
Hope this helps,
Andy
Wonderful feedback, thanks Andy. I didn’t know that about Intel.
Yes, the tech side of SSL is still tricky. Hopefully we can get to a point soon where all sites run it as a default.
Apparently Google may reward SSL sites in the future:
[url=http://searchengineland.com/googles-matt-cutts-lobbying-reward-secure-sites-better-rankings-189056]http://searchengineland.com…[/url]
Quite welcome indeed, Steve. As a note my primary function (work-wise) is in supporting LB’ers for an industry leading company…thus the relative insight. Shameful plug – [url=http://www.citrix.com/products/netscaler-application-delivery-controller/overview.html?posit=glnav]http://www.citrix.com/produ…[/url]
As a side note, we have developed a free plugin SSL Redirect which allows you to redirect to SSL (or back again) easily by configuring plugin parameters. I thought it was worth mentioning. [url=https://www.yireo.com/software/joomla-extensions/ssl-redirect]https://www.yireo.com/softw…[/url]
Note: SSLRedirect by @yireo offers a textarea to “Exclude components” allowing you to enter your own URLs (like “option_com_obrss&task=feed”) to deal with matters such as your RSS query string. I have come to realize that quality Joomla! extension developers bake in quality features…and if there’s a missing feature that can benefit the Joomla! Community, suggest a #JFeatureRequest 🙂