Force complete site secure https

(David Wallace) #1

Matrix Version:5.4.1.3

Hi. I’ve been getting notifications from google regarding their forcing all pages with form input to be marked not secure in chrome if using http

"Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.
The following URLs on your site include text input fields (such as < input type=“text” > or < input type=“email” >) that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, so that you can take action to help protect users’ data. This list is not exhaustive. "

As our sites have a design that includes a search box in the header, this means effectively that all pages of our sites will be marked insecure by chrome users.

My first instinct is to just force the whole site to use https. My question is how can I do that? I notice that the force secure option on the settings page f an asset isn’t able to cascade down the whole site.

Does anyone have any ideas hw I can do this in Squiz? Other than a rewrite rule at server level to force all connections secure?

Thanks

Dave

#2

You can add “Force Secure” in site’s setting screen and also disable HTTP protocol in the site’s details screen.

From resource usage point of view, forcing HTTPS on server level is better though.

(David Wallace) #3

I’m not sure that applies the “Force secure” to all the site assets below it, I thought the “Force secure” was only on each individual asset?

I’d love to be corrected.

(Bart Banda) #4

The best practice is to remove the HTTP URL from your site entirely, and just have HTTPS on there. That way you don’t have to set any force protocol options on assets at all and matrix will automatically redirect users from HTTP urls to the HTTPS version.

(David Wallace) #5

Brilliant.

Thanks Bart

(David Higley) #6

Agree https:// is the way forward but implementing may not be straight forward for non-technical users. Is there any best practice guidance available including any or all of the following:

  • single cert vs wildcard SSL
  • recommended SSL suppliers e.g. Thawte vs. Let’s Encrypt
  • how to install certs on Apache / NGINX
  • checking sites for legacy embedded http content e.g. iframes, remote images

Asking for a friend :slight_smile:

David

(Bart Banda) #7

I think Google is your best friend for answering those questions :slight_smile:
https://www.google.co.uk/search?q=best+practice+and+guides+for+https

(David Higley) #8

Thanks, that’s very helpful :slight_smile:

What I’m really after is a summary of what we would need to consider before migrating a relatively popular live Matrix site from http to https so we minimise disruption to editors and site users and ensure inbound links and SERPS still work.

https://matrix.squiz.net/manuals/core-assets/chapters/site#URLs-Screen is a good start but seems to be centred on new rather than established sites and much of it requires System Adminstrator access (which we don’t have) so am unclear how big and disruptive a job migrating the site to SSL is (or isn’t) going to be.

Does that make sense?

David

(Douglas (@finnatic at @waikato)) #9

It makes sense to me. I’d love to see the Squiz community membership come together and document processes like this with examples from different setups.

I’d be happy to share some notes from our experience here if DNW (the original poster) doesn’t mind a thread-jack?

(Bart Banda) #10

Migrating to HTTPS is actually easier than what most people think. However, it does require Sys Admin help as you need to do things server side on the Matrix box as part of that, so it’s not purely a non-technical job.

Once the SSL certs are set up and you’ve got HTTPS successfully pointing to your Matrix site, the Matrix part is basically adding the HTTPS version to the relevant Site assets that need it, then test and make sure browsing the site under HTTPS works ok, can probably leave both URLs applied for a few days/weeks even while you do testing, then eventually you want to remove the HTTP version but probably make sure you turn off automatic remaps first as you don’t want a bunch of remaps from HTTP to HTTPS for every single page in your site.

In saying that, if you are a Squiz client, I recommend getting in touch with Squiz first and get them to help you with this process as there might be other things to consider that sit outside of the Matrix software itself.

(David Wallace) #11

Go for it Doug, Happy to learn more.

(Awilliams) #12

I am about to have a go at doing this, we are Squiz clients so I shall quote you Bart. I will feed back on any issues we experience from third party content etc. I’m not particularly experienced in doing this, so I anticipate unexpected problems and confusion (in my mind anyway)

(Awilliams) #13

All went well, the only issues we came across were with remaps, every one of them has to be changed.

We’re also having a problem with Easy edit not loading. We have a server level redirect from http to https now. If anyone knows the fix for Easy edit I would be eternally grateful.

Thanks

Amanda

(Tbaatar) #14

Hi,

I think you may need to contact Squiz to get the Easy Edit working. We had similar issue when we changed to HTTPS earlier in the year.

Thanks.

(Awilliams) #15

We worked it out between us, well Charlie did:
tick the HTTPS box in the list of urls in Web Services, and then also link the EasyEditConfig.js file to live under the domain so it picks up an HTTPS url so that browsers will include it.

(Tbaatar) #16

Ah cool.

I think ours was little more complicated.

(Douglas (@finnatic at @waikato)) #17

Some off the top of my head brain dump notes, after a quick completion of most of our HTTPS changeover (finishing off work done) following the Chrome and Firefox updates earlier this year:

== Prep ==

  • Get good certificates preferably with an older vendor - or be prepared with links on how to update out of date authority root certificates e.g. https://support.quovadisglobal.com/kb/a54/updating-the-microsoft-windows-root-store.aspx if you get contacted by people reporting they can’t access your site.

  • Know your sites and how they’re templated. You may only have one (congratulations) or you may have hundreds (in which case you have my sympathy and understanding).

We found we needed to test a variety of pages from each site to see what works and what didn’t. Mixed content warnings can be unobtrusive, and nicely telling the site visitor that the browser is helpfully not including images, CSS stylesheets or JS using an HTTP address, which may result in pages not showing as expected.

If you’re lucky you won’t have many hardcoded HTTP links. If you do, you might find it useful use server side tech to address the issues. With mod_subsitute on Apache, you can use substitution to rewrite http links to https as the page content is being served from the server, and we’re using that with earlier non Matrix sites. Nginx has ngx_http_sub_module which I’d hope operates similar. Not 100% sure how mod_sub

If you have any forms with hardcoded action links pointing at older HTTP addresses on your sites & systems, remember to update them.

  • Enable HTTPS as early as possible and test.

  • If you have proxy and caching setups separate from Matrix, figure out what you need to test to make sure everything works as expected. We use a reverse proxy setup using Apache ProxyPass and needed to make updates to point all the proxy configuration lines to the HTTPS addresses of the Matrix sites to ensure Matrix generated links with the HTTPS protocol.

  • Research the Strict-Transport-Security header, and whether / when you can consider enabling it. If you have any content / sites that will remain on HTTP due to any issues, my reading is that you have to leave it un-enabled.

== Changeover ==

A quick webpagetest.org of our https addresses shows that the testing system waiting ~826ms to get the verification for our certificates back from our certificate vendor.

  • If you’re using Apache as your HTTPD server, use a redirect on the HTTP instance to point any HTTP requests to the HTTPS addresses per https://wiki.apache.org/httpd/RedirectSSL. You can use a rewrite but it’s not recommended. We’re using one to allow access to some of our subsites via HTTP until we complete work to make them display via HTTPS without mixed content warnings.

I’m sure there will be ways to do that with Nginx, IIS etc as well.

NB: If you do what Bart suggests above:

what I’ve found on some browsers (especially older ones) is that if you enter a url and there’s nothing listening on HTTP, you may not see anything unless you’re running an HTTPS everwhere extension which pushes you to HTTPS by default.

There’s also a little gotcha that’s come out of the woodwork for us post HTTPS changeover - read https://wiki.mozilla.org/Security/Server_Side_TLS and try to develop an understanding. Depending on what SSL ciphers your system is configured to accept and how strongly encrypted you want your HTTPS to be, you may end up creating problems with access to older browsers running on older devices to your HTTPS site.

It may or may not matter to you, depending on who your clients are and what legislation you do or not not need to comply with. It has me looking for an alternative to the HTTP to HTTPS redirect from above that caters to browsers where we can identify that they can’t handle the mozilla intermediate or recommended configurations.

(Awilliams) #18

Update: We totally forgot about remaps. there were a lot of remaps and every one needed updating.