Improve Your Website Security with HTTPS

Introduction to HTTPS
HTTPS (Hyper Text Transfer Protocol Over Secure Socket Layer) is an HTTP channel designed for security. Simply put, when a website is accessed through the HTTP protocol, all information transmitted during login and data exchange is unencrypted, making it easy for hackers to obtain everything a user sends to or receives from the website. HTTPS, on the other hand, uses the SSL/TLS protocol for encryption to improve network security. Even if transmitted data is intercepted, it is generally very difficult to decipher its contents.
When a website is accessed through traditional HTTP, the user communicates with the server directly through a browser (or another client), and the server returns the requested information. With HTTPS communication, authentication mechanisms are used to ensure that encrypted data is transmitted to the correct server and client. The authentication server and encryption certificate required by HTTPS can be self-issued, but except for local networks and testing purposes, self-signed certificates usually lack authority. Therefore, to implement HTTPS in practice, you generally need to apply for a certificate from a trusted certificate authority (CA) and deploy it on your website.
Most CA certificates are paid and can be expensive, but there are also organizations that provide free certificates with the same level of trust. The best-known free CA issuer is Let's Encrypt. Alibaba Cloud also provides a free DV certificate for individuals and small businesses. Alibaba Cloud's DV certificate is issued by Symantec. As a former antivirus giant, Symantec's certificates were also widely trusted.
Certificate Application and Generation
Here, I will use the Alibaba Cloud CA certificate application process as an example. After purchasing a CA certificate, you can apply for it from the SSL certificate management page on Alibaba Cloud. Once issued, the certificate is bound to the corresponding domain name and used together with it.
In addition to the domain name, the application process also requires contact information such as a phone number and email address, and you must choose a DNS verification method and a certificate generation method. If your domain name was also purchased through Alibaba Cloud, you can complete verification automatically through DNS. Otherwise, you may need to manually add the required DNS record for your domain, or upload a file with specified content to your website directory according to the instructions.
When choosing the CSR generation method, it is usually safer to let the Alibaba Cloud system generate it automatically to reduce errors. In addition to the free DV certificate, applying for other types of certificates may require business licenses and other materials requested by the Alibaba Cloud platform.
SSL Certificate Deployment
Alibaba Cloud's certificate deployment documentation provides detailed instructions for installation and deployment on different operating systems and web servers. When using Apache2 on Ubuntu, you should select the corresponding operating system and software type on the certificate download page, then download the matching certificate files.
For Apache2, the downloaded files are usually split into three parts: the domain.key private key file, the domain_public.crt public certificate file, and the domain_chain.crt certificate chain file. (For Nginx, there is usually no separate chain file.)
If the certificate files are downloaded to your local computer but your server is managed remotely through SSH, you may need to copy the files to the server first. You can use the following scp command to copy them to a remote directory, then create the required directories and move the files into place according to the official documentation:
scp -P portnumber domain_public.crt admin@domain.com:~/ # copy to the remote host (repeat for domain.key and domain_chain.crt)
sudo mkdir /etc/apache2/cert # create the certificate directory
sudo mv ~/domain_public.crt /etc/apache2/cert/domain_public.crt # move the file into place
sudo a2enmod ssl # enable the Apache2 SSL module
sudo ls /etc/apache2/sites-available/ # check whether default-ssl.conf exists
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf
# Alternatively, edit the file in sites-available and create a symbolic link to it in sites-enabled
# (sudo a2ensite default-ssl creates the same symbolic link)
sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf
Edit the default-ssl.conf file (Apache only accepts comments on their own line, not after a directive):
# change ServerName to the domain name bound to the certificate
ServerName www.YourDomainName.com
SSLCertificateFile /etc/apache2/cert/www.YourDomainName.com_public.crt
SSLCertificateKeyFile /etc/apache2/cert/www.YourDomainName.com.key
# on Apache 2.4.8 and later the chain may instead be appended to the SSLCertificateFile
SSLCertificateChainFile /etc/apache2/cert/www.YourDomainName.com_chain.crt
Then reload the Apache2 configuration and restart the service:
sudo /etc/init.d/apache2 force-reload
sudo /etc/init.d/apache2 restart
After restarting the service, you can enter https://www.domainname.com in your browser to verify the certificate installation. If the browser shows a green padlock in the address bar, the certificate was installed successfully. Taking a WordPress blog as an example, you can then update the website settings and enable forced SSL redirection to further improve security.
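Before relying on the browser check, the three files can be validated from the shell with openssl. This is an added example, not code from the original post or from Alibaba Cloud's documentation; it assumes the private key has no passphrase, and the CA_BUNDLE variable is my own name for an optional root-certificate override.

```shell
#!/bin/sh
# Added example: sanity-check the private key, public certificate and chain file
# before pointing default-ssl.conf at them, so a wrong path or a key/certificate
# mismatch is caught before the reload instead of by the browser.
# Usage: verify_cert_files domain.key domain_public.crt domain_chain.crt
# CA_BUNDLE is an assumed optional environment variable: leave it unset to
# validate against the system trust store (normal for a CA-issued certificate),
# or point it at a root certificate file when testing with a private CA.
verify_cert_files() {
    key=$1; cert=$2; chain=$3
    for f in "$key" "$cert" "$chain"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done

    # 1. The private key must belong to the certificate. Comparing the public
    #    key derived from each side works for RSA and EC keys alike.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "$key is not a readable private key" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "$cert is not a readable certificate" >&2; return 1; }
    [ "$key_pub" = "$cert_pub" ] \
        || { echo "private key does not match $cert" >&2; return 1; }

    # 2. The certificate must chain through the intermediate(s) in the chain
    #    file up to a trusted root; -untrusted is how the chain file is supplied.
    if [ -n "${CA_BUNDLE:-}" ]; then
        openssl verify -CAfile "$CA_BUNDLE" -untrusted "$chain" "$cert" >/dev/null 2>&1
    else
        openssl verify -untrusted "$chain" "$cert" >/dev/null 2>&1
    fi || { echo "$cert does not verify against $chain" >&2; return 1; }

    # 3. Show what was checked, including the expiry date.
    openssl x509 -in "$cert" -noout -subject -enddate
}
```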
Set a Secure WordPress Domain and Force Redirection to HTTPS
Before changing the WordPress domain settings, make sure your website can be accessed through both HTTP and HTTPS. This helps avoid making the site inaccessible after modifying the settings.
Once the site is accessible, go to the Settings section in the WordPress dashboard and change the original http URL to https. After the change, WordPress will automatically update the relevant configuration so that the site can be accessed over HTTPS.
To deal with insecure HTTP access, you can force all traffic to redirect to HTTPS.
In sites-enabled/000-default.conf (or the corresponding configuration file if your site uses a different one), add the following three lines in the appropriate virtual host section to force redirection to HTTPS, then restart Apache2. The rewrite module must be enabled for these directives to work (sudo a2enmod rewrite):
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
Firewall and SSL Certificate Expiration
The HTTPS protocol uses port 443 by default. If the firewall is enabled on Ubuntu, you need to allow this port. On Ubuntu, network access is often managed through the ufw firewall tool.
sudo apt-get install ufw # install the firewall
sudo ufw status # check firewall status
sudo ufw allow 22 # allow port 22 (SSH), no protocol restriction
sudo ufw allow 80/tcp # allow port 80 (HTTP) over TCP
sudo ufw allow 443/tcp # allow port 443 (HTTPS) over TCP
# If the server is managed remotely through SSH, be sure to allow the SSH
# management port (such as 22) before enabling the firewall, otherwise
# remote SSH login may fail
sudo ufw enable # enable the firewall
sudo ufw disable # disable the firewall
Alibaba Cloud's free DV certificates and Let's Encrypt certificates both have a default validity period of one year, so before the certificate expires, you need to reapply for and redeploy the certificate to ensure that your website remains accessible.
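A small renewal check can catch the expiry before visitors see a browser warning. This is an added example, not from the original post; the 30-day default window and the certificate path in the comment are assumptions.

```shell
#!/bin/sh
# Added example: an expiry check suitable for a cron job. Both functions return
# 0 while the certificate is still valid for at least DAYS more days and 1
# otherwise (the 30-day default is an assumption, not a value from the post).

# Check a certificate file on disk, e.g. /etc/apache2/cert/domain_public.crt.
cert_ok_for_days() {
    cert=$1; days=${2:-30}
    # -checkend exits 1 if the certificate expires within the given number of
    # seconds, which also covers a certificate that has already expired.
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Check the certificate the live server actually presents, which is what the
# browser sees after the reload above (a connection failure also returns 1).
served_cert_ok_for_days() {
    host=$1; days=${2:-30}
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Example cron usage (assumed path and domain):
#   cert_ok_for_days /etc/apache2/cert/domain_public.crt \
#       || echo "reapply for and redeploy the certificate for www.YourDomainName.com"
```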