Depending on what browser you use, some of you may have noticed that ocabj.net is now displaying a green padlock next to the URL in the URL bar.
This is because ocabj.net is now being served out over SSL (HTTPS). I had long been pondering moving to a fully HTTPS website, but one thing has kept me from going that route and that is the use of Amazon Publisher Studio. It is basically an Amazon Associates tool that allowed easy product linking to Amazon for affiliate commissions. I casually use Amazon Associates affiliate links on my site to generate some income wherever possible just to break even on hosting and content generation.
Unfortunately, while the Amazon Publisher Studio feature is very handy, it didn’t work with HTTPS sites.
But recently, I was told by some visitors that my site was having some load issues. I’ve never experienced the problems described, but then I started doing some testing and discovered there were some anomalous problems including page freezing (pages wouldn’t scroll) and an instance of a page crashing Internet Explorer.
So I started doing some troubleshooting and found that the Amazon Publisher Studio links were causing issues, particularly on image heavy pages.
The APS linking feature is pretty important as far as the only revenue generation (how little it may be), but I ended up making the decision to remove the APS code from ocabj.net. Future forward, I will be doing manual affiliate links as applicable, which should eliminate the third-party (Amazon) Javascript code from impacting site performance.
Since I dropped APS from the site, I decided to forge ahead and deploy SSL on ocabj.net to get HTTPS online.
I had already tried in 2014 just to do a trial run and find the implications from transitioning the site to SSL, and and then rolled back. So I was able to reimplement the SSL Certificate with only a few quick fixes as I discovered issues.
The things I had to address when moving from HTTP to HTTPS were:
- Create a SSL configuration for Apache that mitigated the current known SSL and TLS exploits.
- Create a mod_rewrite rule to redirect any full http:// request to the respective full https:// link (e.g. http://www.ocabj.net/some/page/ to https://www.ocabj.net/some/page/, and not just to https://www.ocabj.net).
- Change all ocabj.net asset source references from http:// to https://.
I used the existing SSL certificate that I obtained via Namecheap, and which was active on ocabj.net since early 2014, but just not for any pages visible to the general public). The certificate I obtained through Namecheap (where I also registered all of my domains) is a Comodo PositiveSSL certificate, which comes out $9 a year or less. This is really inexpensive, and nets you a SSL Certificate that is going to be recognized by all major OSes and web browsers since Comodo is a recognized Certificate Authority.
Trying to come up with a SSLCipherSuite configuration can be a mystery. I ended up using information found via Google, in combination with testing using the Qualys SSL Labs web server tester, to come up with a satisfactory HTTP+SSL configuration.
The core configuration parameters I used to achieve an ‘A’ grade from SSL Labs are:
SSLProtocol all -SSLv3 -SSLv2 SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
If you want an ‘A+’ grade, the following SSLProtocol value should get you there:
SSLProtocol all -SSLv3 -SSLv2 -TLSv1.1 -TLSv1
The problem with the above line is that you will break compatibility with a good number of client browsers because there are still people running browsers that still don’t support TLS 1.2, or do and default to a lower TLS version, whether it’s because they haven’t bothered to update their browser or just can’t (e.g. mobile device with no more update support).
As far as a mod_rewrite rule to redirect http:// requests to https://, this is important so the change is transparent for anyone who happens to click on an already pre-existing link to a http:// page of the site (whether it was posted in a forum, or a Google search result). This is quite important for me since ocabj.net has been around for several years, and many links have been disseminated all over the web, and I want those links to still get to the respective content.
This is a simple addition to the .htaccess file:
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
The above will ensure that the full request is forwarded correctly, so the asset requested is still retrieved, and is not just a generic redirect to the main page via HTTPS. The 301 redirect code is a formality to alert the client (important for crawlers) that the page has permanently moved to the location it landed on.
The last step of changing any asset references on the site was tackled in a couple areas. Obviously, every single web page (blog entry) had to be modified so things like image/photo sources where changed from http://www.ocabj.net/… to https://www.ocabj.net/…
This was easily remedied with a simple SQL update:
UPDATE wp_posts SET post_content = REPLACE (post_content, 'http://www.ocabj.net', 'https://www.ocabj.net');
The above simply did a full search and replace for any string with ‘http://www.ocabj.net’ to ‘https://www.ocabj.net’ in the SQL table of the WordPress database containing the WordPress content. Note that post_content is any ‘Post’ or ‘Page’ (ref. https://codex.wordpress.org/Class_Reference/WP_Post).
The rest of the internal asset reference http:// to https:// changes were taken care of in the WordPress administrator interface (including theme configuration).
That was pretty much it. It was actually a pretty simple affair considering my site is very small. But for anyone looking to go implement SSL Certificates for their own personal web site, this should provide a baseline reference of things you’ll need to address to make the transition as seamless as possible.
Comment on this post