Trixology

General Category => General Computing/Macintosh => Topic started by: Blicj11 on February 28, 2017, 07:10:51 AM

Title: Migrating a website from http to https
Post by: Blicj11 on February 28, 2017, 07:10:51 AM
I have recently transitioned my website from http to https. I did this for a number of reasons, one of which is that the major browsers are warning visitors that a site contains unsecured data if it does not have a security certificate. Whilst that does not matter to most of us, because we are not taking credit card information or asking users to register with personal information, I do believe that such warnings will scare less-informed people away from looking at a site. All of the NWS and NOAA sites have moved or are in the process of moving to https. The Met Office is using https. Weathercloud is using https. WeatherUnderground has moved about half of its stuff to https.

Moving to https is not a trivial exercise! But it is doable; If I can do it, anyone can.

It's easy (and relatively inexpensive) to buy a security certificate and install it. The hard part comes after that. You have to chase down every http link in your site, internal and external, and change the references to https. This includes the scripts and other bits and bobs you might be running, including what's under the hood in the SteelSeries Gauges. I learned the hard way with SteelSeries that the gauges won't display until you go through each file and edit every http link.

When you are all done, you need to login to your Google Analytics account and change the setting from tracking http to track https. This allows you to start tracking https visits to your site without losing your history. Finally, you edit your .htaccess file to make a permanent redirect for requests on your site for http to https. There are some other things too, but I won't bore you.

Personally, I think this is something that Google (and others) forced on us, but since my site is the official site for our property owners association, I decided it would be easier to just make the move than to explain to everyone's grandmother that she won't lose her pension by checking the unsecured data on my weather page. I know you can tell people to just ignore the warnings or change your browser settings to turn off the warnings, but again, for me, in the long run it was just easier to convert the site to https.

Like most things I do, I was in over my head when I started, but I just Googled (using https sites only ;) ) how to migrate a site from http to https and by the time I was done, I had learned how to do it.

I still have three links left on my site that are http - all having to do with loading information from WunderGround or the National Weather Service, but I assume that those sites will sooner or later transition over. Mixed content (an https page that contains data loaded by http) by default is flagged as unsecured.

I am posting this just in case anyone else is trying to decide whether or not to make the jump. It seems quite daunting but really it just takes time to search through your site and edit every link. Fortunately, you don't have to change the way you FTP, as FTP is a separate protocol that works exactly the same with https. I also haven't had to make any changes to WeatherCat settings or preferences.

This is a weekend project that will take some time, but most of your sites will be much less complicated than mine because most of you are only loading weather data. If you've been thinking about it, I encourage you take the plunge. Your life will get better, your neighbors will be nicer to you, your dog will not bite you, Edouard will let you borrow his Buick, and you will like tracking the weather more than you do now. Or not.
Title: Re: Migrating a website from http to https
Post by: wurzelmac on February 28, 2017, 03:46:04 PM
I too am very interested to go from http to https, but my provider wants a monthly fee for this that is not cheap in my eyes. Maybe here in Europe all internet things are a bit more expensive than in US. So I will wait with this hoping it will become cheaper in some future time.

But however very interesting to read what your expieriences have been whilst doing the transition. Thanks for sharing, Blick!
Title: Re: Migrating a website from http to https
Post by: Blicj11 on February 28, 2017, 04:47:13 PM
I didn't think about the cost, when I posted, Reinhard. It is minimal here. I am paying $US 35 or almost ?33 (or a little more than ?28) per year for the certificate.
Title: Re: Migrating a website from http to https
Post by: xairbusdriver on February 28, 2017, 05:06:25 PM
Thanks for the update and info. It's always good to know who to run to for (FREE?!) help!!! [woohoo] (http://i1327.photobucket.com/albums/u666/xAirbusDriver/notworthy_zpsyi6ihgrv.gif) I must assume you have 24/7 telephone support, also? (http://i1327.photobucket.com/albums/u666/xAirbusDriver/tease_zpsrq5td6hw.gif)

Seriously, I may need to check my browser settings but I can't recall ever getting a warning about a site being insecure. I have seen ones that require a log-in and are not encrypting my info (and that may actually be coming from 1Password...). Perhaps I just lead a sheltered interweb life? (http://i1327.photobucket.com/albums/u666/xAirbusDriver/dont_know_zpsqsndnufj.gif)
Title: Re: Migrating a website from http to https
Post by: wurzelmac on February 28, 2017, 06:36:53 PM
Lucky you,
a suitable certificate (that includes subdomains) is available for me at about ? 180/year - that is much more than I pay for the whole providing costs ...
Title: Re: Migrating a website from http to https
Post by: mcrossley on February 28, 2017, 08:46:01 PM
Is Let's Encrypt (https://letsencrypt.org/) not an option?
Title: Re: Migrating a website from http to https
Post by: Blicj11 on March 01, 2017, 02:20:41 AM
Yes, Mark, that is a free option, and its a pretty good one. Thanks for posting the link. Most free SSL certificates are valid for only 30 days and are for trial purposes. This one is valid for 90 days and can be renewed. It's a good option for a tight budget.
Title: Re: Migrating a website from http to https
Post by: wurzelmac on March 01, 2017, 02:18:45 PM
Thanks Mark for posting this. Let's Encrypt is not supported directly by my provider (HostEurope), but I found a way to create a certificate: ZeroSSL (https://zerossl.com/) done it, it provides a user interface to create a certificate via API to Let's Encrypt (if I catched this correctly). This certificate is fully free but to renew every 90 days as John pointed out properly.

But I think this was the easy part of the game. The next thing is transisting from HTTP to HTTPS...  [woohoo]
Title: Re: Migrating a website from http to https
Post by: Blicj11 on March 01, 2017, 04:44:28 PM
That's great, Reinhard. I will email you some helpful links on how to proceed.
Title: Re: Migrating a website from http to https
Post by: wurzelmac on March 01, 2017, 04:59:12 PM
Quote from: Blicj11 on March 01, 2017, 04:44:28 PM
That's great, Reinhard. I will email you some helpful links on how to proceed.

Cool - much appreciated! In the meantime the certificate is uploaded to my provider, and one (very small) subdomain of mine is done: The tailoring (https://mone.unterwurzacher.at/) of my wife.  :)
Very interesting: Firefox and Safari on my older iMac (Early 2009, OS X El Capitan) won't display it but Chrome does. The younger machines Mac mini and Macbook Air (both on Sierra) do have no problem to open this https site with any of the three browsers. So does a Windows 10 machine.  :-\
Title: Re: Migrating a website from http to https
Post by: Blicj11 on March 01, 2017, 05:40:23 PM
I just looked at the Mone site. I even watched the Apollo 16 video. Safari tells me that the wesbite is secure!

Gut gemacht.
Title: Re: Migrating a website from http to https
Post by: Blicj11 on March 01, 2017, 05:42:44 PM
Quote from: wurzelmac on March 01, 2017, 04:59:12 PM
Very interesting: Firefox and Safari on my older iMac (Early 2009, OS X El Capitan) won't display it but Chrome does.

Are you saying that they won't display the website at all or that they do not show the https version?

Are you using an older version of Safari?
Title: Re: Migrating a website from http to https
Post by: wurzelmac on March 01, 2017, 06:30:51 PM
Quote from: Blicj11 on March 01, 2017, 05:42:44 PM
Are you saying that they won't display the website at all or that they do not show the https version?
They do not show the https version, at the meantime no http version available because I done the .htaccess file in the afternoon and all requests were redirected to https.

Quote from: Blicj11 on March 01, 2017, 05:42:44 PM
Are you using an older version of Safari?
Both browsers (Firefox & Safari) are up to date. Both browsers can show the https on other Macs (and Windows, of course).
Title: Re: Migrating a website from http to https
Post by: Blicj11 on March 01, 2017, 06:38:34 PM
Quote from: wurzelmac on March 01, 2017, 06:30:51 PM
They do not show the https version, at the meantime no http version available because I done the .htaccess file in the afternoon and all requests were redirected to https.

Edit your .htaccess file and take out the redirect until you figure it out. That way you can manually type in the site address and go back and forth between the two versions.

In the meantime, enter your site into this little site to see if it will reveal any missed links, etc.

https://www.whynopadlock.com/check.php
Title: Re: Migrating a website from http to https
Post by: wurzelmac on March 01, 2017, 07:04:04 PM
John,

the last resort was a restart of the whole machine (iMac) and believe it or not, Safari & Firefox are doing fine now. So it must have been a cache problem with the system, not the browsers (I emptied the cache in there).

Conclusion to this:
All is fine with Mone.  [cheers1]
Title: Re: Migrating a website from http to https
Post by: Blicj11 on March 01, 2017, 07:07:14 PM
Good news! Who would have thought that a restart could solve a problem?  ;)
Title: Re: Migrating a website from http to https
Post by: wurzelmac on March 02, 2017, 03:27:43 PM
How true!

Now additional my main website unterwurzacher.at is running on HTTPS but only if you call it directly via https://www.unterwurzacher.at - I cannot built in the .htaccess because then my Meteotemplate weather site is broken / will not show any more. So something to do in there (lots of links and scripts and stuff to look over). But I am happy so far with my progress.  [computer]
Title: Re: Migrating a website from http to https
Post by: Blicj11 on March 02, 2017, 03:54:28 PM
You are making great progress. I just took another tour of your website. It looks like you have that Meteo template dialed in nicely.

I am still finding a few links on my site that need to be fixed. Yesterday I found a link to a favicon than I had missed earlier.

Nice work, mate. Keep going.
Title: Re: Migrating a website from http to https
Post by: wurzelmac on March 02, 2017, 04:59:03 PM
Thanks!

Yes, Meteotemplate (weathersite) is https now. But by far not perfect. First thing I wanna do now is to bring SteelSeries back to live.  [goofy]

 :)
Title: Re: Migrating a website from http to https
Post by: Blicj11 on March 02, 2017, 06:55:38 PM
There aren't that many scripts in SteelSeries that reference http, but there are are a few. The Gauges won't display until you find them all.

I made changes for https in:
Title: Re: Migrating a website from http to https
Post by: wurzelmac on March 02, 2017, 07:03:49 PM
Uuuiii,
I don't know why but it was much easier here on my side: No single script redo needed, only the line highlighted in the attached screenshot needs to be done. Lucky me.

All of my weather site now is done except those plugins that do use a source only available as http (such as volcanoes, sat24.de and so on) - things that I have no influence on.
Thanks to you John for encouraging me to risk the jump.
 [rock]
Title: Re: Migrating a website from http to https
Post by: Blicj11 on March 02, 2017, 07:08:05 PM
Good for you, mate! Job well done, and it isn't even the weekend yet!

Perhaps the differences in SteelSeries are because we are using a different version. I'm using Mark's most recent release and you aren't. Are you using the SteelSeries option from the Meteo template or are you still using Mark's version that you made work with the template?
Title: Re: Migrating a website from http to https
Post by: wurzelmac on March 02, 2017, 07:09:52 PM
Quote from: wurzelmac on March 02, 2017, 07:03:49 PM
No single script redo needed, only the line highlighted in the attached screenshot needs to be done. Lucky me.
Maybe the reason for this is that the whole steelseries folder with all files in it is located in my root https. What I will say is that resources that are grabbed by scripts with relative paths located in a already https directory need not to be done any more. This sentence is speculative - but at least for me this was so.
Title: Re: Migrating a website from http to https
Post by: Blicj11 on March 02, 2017, 07:11:31 PM
You are correct. Relative paths do not require editing for https. One more reason to use them.
Title: Re: Migrating a website from http to https
Post by: wurzelmac on March 02, 2017, 07:11:38 PM
Still using Mark's Version 2.5.15
Title: Re: Migrating a website from http to https
Post by: Blicj11 on March 02, 2017, 07:13:46 PM
As I recall, in version 2.5.18 he made a few small changes that improve some accuracy in one of the gauges and display the gauges better on a smart phone.
Title: Re: Migrating a website from http to https
Post by: Blicj11 on March 02, 2017, 07:15:07 PM
But you've done enough for one night. You should relax  a bit before you go to bed!
Title: Re: Migrating a website from http to https
Post by: wurzelmac on March 02, 2017, 07:18:06 PM
As you posted in this thread (http://athena.trixology.com/index.php?topic=576.msg23457#msg23457), I will wait on Mark's upgrade to a new cloud base gauge.  [wink]

And before I forget, another big THANK YOU for your help, Blick.
Title: Re: Migrating a website from http to https
Post by: Blicj11 on March 02, 2017, 07:20:51 PM
Hey, you are welcome. It wasn't too long ago that you were helping me install the SteelSeries Gauges for the first time, so I am glad if I could help. Congratulations on transitioning to https. It's a good move.
Title: Re: Migrating a website from http to https
Post by: xairbusdriver on March 02, 2017, 07:50:56 PM
Not sure about the 'find and replace' functions in Text Wrangler (free), but it's big brother would make finding and changing things very easy and complete. It can do it all at once or individually, or just a 'show all' list before committing. ;)
Title: Re: Migrating a website from http to https
Post by: Blicj11 on March 02, 2017, 08:46:31 PM
Those of us who use TextWrangler are pleased to inform those of you who don't that its free Find and Replace options are superb.
Title: Re: Migrating a website from http to https
Post by: wurzelmac on March 03, 2017, 06:59:40 AM
As stated in some other thread I do my whole websites with TextWrangler - as long as the guys from BareBones make it available to us I will stay on it. I really love this tool, and there are no benefits in BBEdit that I need. But it seems like BareBones will make money - what I can fully understand.

Quote
We will be eventually retiring TextWrangler (http://www.barebones.com/products/textwrangler/) from our product line, and so we encourage anyone interested in TextWrangler to download and use BBEdit instead.
Title: Re: Migrating a website from http to https
Post by: xairbusdriver on March 04, 2017, 02:11:45 AM
Any software you find useful is worth paying for. The only decision is do you consider the price appropriate. ;) A useful program takes some real work. If the dev is trying to earn or supplement his living by doing such work, he deserves a fair price.  (http://i1327.photobucket.com/albums/u666/xAirbusDriver/Thinking_zps6auyy8fj.gif)
Title: Hmm, what does that mean for macOS? (Re: Migrating a website)
Post by: elagache on March 04, 2017, 10:06:15 PM
Dear X-Air and WeatherCat "Oh how I miss Steve Jobs!!" types,

Quote from: xairbusdriver on March 04, 2017, 02:11:45 AM
Any software you find useful is worth paying for.

 [wink] . . . . Hmm, so is the reason that now they give away OS X macOS for free is that it basically isn't useful anymore? . . . .  lol(1)

Cheers, Edouard  [cheers1]
Title: Re: Migrating a website from http to https
Post by: xairbusdriver on March 05, 2017, 12:58:03 AM
Nice try. ThU32:-) On the other hand, I keep hearing a member on another forum complain about Safari 5.something not displaying certain sites and his System Security controls don't have settings other suggest he make but that are not included in Snow Leopard. Many see no changes when they update their software, but there are changes and improvements that we may not be able to 'touch'. Not all the changes are "fluff" or 'eye-candy'.

You will also note there is still a payment required by *99.9% of macOS users; the hardware. We still pay a premium for what is basically a slightly more reliable PC. Some will suggest that most of that profit goes to developing that other OS Apple pushes for those much less capable computers that come with a telephone attached. [rolleyes2]



*I'm probably off by ? .0285% on that figure...
Title: Re: Migrating a website from http to https
Post by: xairbusdriver on March 13, 2017, 06:09:19 PM
Speaking of "security", it seems the list of who can be trusted is getting shorter.
The SSL Store Says CAs that Issue "PayPal" SSL Certificates Part of Phishing Problem (http://www.thewhir.com/web-hosting-news/cas-that-issue-paypal-ssl-certificates-part-of-phishing-problem-the-ssl-store-says)
Title: Re: Migrating a website from http to https
Post by: wurzelmac on March 13, 2017, 06:23:53 PM
Thanks for sharing...  :-\

I think if I order a certificate via Let's Encrypt the certificate is good for https for my site. On the other side if I am a criminal it would not be hard to fake a site and order a certificate for this faked site.

To speak in Edouards words: Oh, well...
Title: Re: Migrating a website from http to https
Post by: xairbusdriver on March 13, 2017, 09:50:26 PM
Apparently Let's Encrypt doesn't consider it their job to investigate the credibaility of the sites that get their free certificates. Proving that you can sometimes get more than what you pay for! [rolleyes2]
Title: Thanks for sharing (Re: Migrating a website from http to https)
Post by: elagache on March 13, 2017, 10:46:32 PM
Dear X-Air, Reinhard, and WeatherCat "let's be safe on the web" types,

Quote from: xairbusdriver on March 13, 2017, 06:09:19 PM
Speaking of "security", it seems the list of who can be trusted is getting shorter.

Thanks for sharing.  Unfortunately, we live in times when measures like this to thwart a thief simply makes the thief become up with something else that is still harder to prevent.

Such are da' conditions that prevail,. . . . . . .

Edouard
Title: Re: Migrating a website from http to https
Post by: xairbusdriver on March 28, 2017, 05:06:17 PM
Those of you considering increasing the security status of your web sites, will probably find Why Take Control Was Briefly Labeled "Not Secure" in the 23 Mar 2017 issue of TidBITS.
http://tidbits.com/article/17121 (http://tidbits.com/article/17121)
Title: Re: Migrating a website from http to https
Post by: Blicj11 on March 28, 2017, 05:23:48 PM
Trust but verify seems to be the watchword. Google is making noise about not trusting certificates issued by Symantec.
Title: Re: Migrating a website from http to https
Post by: xairbusdriver on March 28, 2017, 07:14:53 PM
Yep, that was mentioned in the article. Although I don't use these things, it bothers me that there are apparently many who can and have become shady. I noticed last week that GoDaddy has bought Sucuri(sp?) to 'beef up their security'. Something counterintuitive or maybe just ironic about that! How much real good does buying a brand do for the purchaser? Will it make an actual difference for their customers? "Who ya gonna call?" :) [rolleyes2]
Title: Re: Migrating a website from http to https
Post by: Blicj11 on April 20, 2017, 06:12:44 PM
Today I was finally able to clean up my site for https and for the first time in recorded history, I managed to pull up the site without a mixed use security warning. It is quite nice to finally see the padlock icon on the weather page.

The next bit of grief will come on April 24, when NOAA may, or may not, switch some, much, or none of their services over to https.
Title: Re: Migrating a website from http to https
Post by: wurzelmac on April 20, 2017, 08:49:22 PM
 [cheers1]
Title: Re: Migrating a website from http to https
Post by: saratogaWX on April 23, 2017, 09:23:54 PM
Quote from: Blicj11 on April 20, 2017, 06:12:44 PM
Today I was finally able to clean up my site for https and for the first time in recorded history, I managed to pull up the site without a mixed use security warning. It is quite nice to finally see the padlock icon on the weather page.

The next bit of grief will come on April 24, when NOAA may, or may not, switch some, much, or none of their services over to https.
Don't forget to update advforecast2.php to V5.00 -- the V4.02 script will stop working when they update the site.

It's fully https compatible :)
Title: Re: Migrating a website from http to https
Post by: Blicj11 on April 24, 2017, 02:10:47 PM
Thank you for the reminder Ken.
Title: Re: Migrating a website from http to https
Post by: jhoke on April 26, 2017, 11:50:00 PM
Quote from: mcrossley on February 28, 2017, 08:46:01 PM
Is Let's Encrypt (https://letsencrypt.org/) not an option?

LetsEncrypt is a great option... using it on my meteotemplate powered site https://nepaweather.com and had very few issues (mostly around stylesheets in the template)
Title: Re: Migrating a website from http to https
Post by: awilltx on April 28, 2017, 04:28:14 PM
One thing not mentioned about SSL certificates is that most shared hosting plans include a shared SSL cert already on the server. It is pretty easy to find out, just add https to the url for your site.


At least it was for my shared host at http://www.hostingmatters.com/ (http://www.hostingmatters.com/)


Alan
Title: Re: Migrating a website from http to https
Post by: xairbusdriver on April 28, 2017, 05:50:30 PM
Looks like Hostgator want 10 bucks if I get the certificate from someone else. $25 if I get it from them. If/when I do it, it will be from someone else. They are now part of Endurance International Group (http://www.linux-depot.com/non-endurance-international-group-eig-hosting/) which usually buys and then guts its purchases. [rolleyes2]
Title: Re: Migrating a website from http to https
Post by: xairbusdriver on August 13, 2017, 12:06:04 AM
Just finished a 3 hr course on setting up httpS. It used Lets Encrypt to create the Certificates. Unfortunately, they were assuming you would also use Digital Ocean (https://www.digitalocean.com/pricing/) to serve the web site. That made installing lots of shell scripts easy. Especially nice was being able to set up a cron job that ran a shell script once a month to renew certificates. While I can set up a cron job at Hostgator (already have two running there), I'm not able to install shell scripts there which is what the cron job would use to contact LE. [banghead]

I'm considering jumping out of the H 'boat' anyway, so I may need to investigate other places that might allow the use of shell scripts without having to pay for a dedicated server. May not be many around at reasonable prices. It is probably cheaper to just set a reminder to contact LE every 28 days and continue to hope for he best at HG. [rolleyes2]