Google Starts Giving A Ranking Boost To Secure HTTPS/SSL Sites, It's long be misunderstood that the performance of a website is slow using HTTPS. That’s not true!
I would like to to provide Step-by-Step guide for converting your TYPO3 website from HTTP to HTTPS. In this article, I'm trying to provide smooth migration from HTTP to HTTPS, Advantages/Workflow of HTTPS, TYPO3 Configurations, Google checklist to take care about SEO etc.,
Checkout complete blog article at http://www.nitsan.in/blog/post/the-unconventional-guide-converting-your-typo3-site-from-http-to-https-ssl/
#TYPO3 #TYPO3Security
[T3BLOG DAY] The Unconventional Guide: Converting Your TYPO3 Site From HTTP to HTTPS/SSL
1. The Unconventional Guide: Converting Your TYPO3 Site From HTTP
to HTTPS/SSL
It's long be misunderstood that the performance of a website is slow using HTTPS. That’s not true! You can
checkout this testing tool https://www.httpvshttps.com/ which shows HTTPS loads faster than HTTP. In
addition to that, HTTPS is now more important for SEO ranks. Here, I would like to describe - How a TYPO3
based website can easily setup the HTTPS protocol. For privacy reason, Encryption of the website is mandatory
in Germany - See here.
What is HTTPS?
HTTPS (HyperText Transfer Protocol Secure) is well-known HTTP+SSL, a client and a server communicate to
each other, but with SSL Certificate, that encrypts and decrypts their requests and responses. That means all
communications between your browser and the website are encrypted. HTTPS is often used to protect highly
confidential online transactions like online banking and online shopping order forms.
2. Unfortunately, Only <0.1% website uses HTTPS at Entire Internet.
(source: https://trends.builtwith.com/ssl/SSL-by-Default)
What Google Said About HTTPS/SSL?
“HTTPS as a ranking signal.”
Google Starts Giving A Ranking Boost To Secure HTTPS/SSL Sites, Google's push for HTTPS adoption appears
to be working.
3. (source
https://www.quicksprout.com/2016/03/25/should-you-switch-your-site-to-https-heres-why-you-should-or-shoul
dnt/)
From January 2017, Google Chrome (version 56 and onwards) will begin marking HTTP sites that transmit
passwords or request credit card details as “not secure.” The move comes as part of a longer term strategy to
eventually label all non-HTTPS sites as insecure within Google’s browser, helping users to browse the web
more safely.
References:
https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html
https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
https://www.youtube.com/watch?v=cBhZ6S0PFCY (Campaign by Google)
HTTP VS HTTPS
5. How HTTPS Works?
(source: http://www.privatesslcertificate.com/how-ssl-works-tutorial-with-https-example/)
Advantages of HTTPS:
1. Security: The 'S' at the end of HTTPS stands for 'Secure.'
2. Identity Verification: Visitors can verify you are a registered business and that you own the domain.
3. Data Integrity: Customer information, like credit card numbers, is encrypted and cannot be intercepted.
4. SEO: More referrer data, HTTPS as a rankings Boost.
5. Trust: Customers are more likely to trust and complete purchases from sites that use HTTPS.
Step-by-Step guide for integration of HTTPS at your TYPO3 website.
1. Get a security certificate and install on the server:
HTTPS, in particular, is a well-established technology now and with initiatives like Let's Encrypt
(https://letsencrypt.org/) it's never been easier or cheaper to get a HTTPS certificate for your website.
There are three different types of certificates you can get:
6. (source: https://moz.com/blog/seo-tips-https-ssl)
1. Domain validation: the cheapest and most basic; it only covers encryption (from the three things we went
over earlier).
2. Organization Validation: the middle choice regarding price, which also includes authentication. If you’re
collecting personal information, you probably want at least this option.
3. Extended validation: the top of the line option, which provides the best security you can get with HTTPS. It's
This is for big e-commerce sites and sites that collect critical private information.
Here’s a nice little summary:
(source:
https://www.quicksprout.com/2016/03/25/should-you-switch-your-site-to-https-heres-why-you-should-or-shoul
dnt/)
2. Enable & Configure HTTPS at TYPO3 Frontend Website:
2.1. Use HTTPS Protocol at Page:
7. At TYPO3 backend, Page Properties > Behaviour > Use Protocol > Select “https://”
2.2. Configure TypoScript baseURL:
With the configuration of TYPO3’s config.baseURL property, It will automatically convert all the URLs (like
menus, links) to HTTPS. You can setup below smart TypoScript which will check, If HTTPS is on your website
then it will automatically generate HTTPS URLs.
# TypoScript constants:
# Define constantan for baseURL & Absolute URI prefix
domain {
#cat = site_default/website/domain/01; type=string; label=Domain name for Base URL: (excluding
slashes and protocol like http://)
baseURL =
#cat = site_default/website/domain/02; type=string; label=Absolute URI prefix:
absRefPrefix =
}
# TypoScript setup:
# Set baseURL setting for http or https
config.baseURL = http://{$site_default.website.domain.baseURL}/
[globalString = _SERVER|HTTPS=on]
config.baseURL = https://{$site_default.website.domain.baseURL}/
[global]
2.3. HTTPS set as Default Protocol.
Edit the root page of website > Resources > Page TSConfig: Setup below TypoScript code.
TCAdefaults.pages.url_scheme = 2
8. 2.4. Apply HTTPS to all existing pages:
You might have hundreds of already created pages, so It will be difficult to manually assign HTTPS to all the
pages by edit each page’s properties. You could just only allow SQL code at phpMyAdmin.
# SQL Query Statement
UPDATE pages SET url_scheme = 2
Note: This SQL statement you put all the pages of the TYPO3 system at https. If you have multiple sites with a
back care (MultiSite), but not all at https to run, do not run this command!
2.5. Additional Domains:
Make sure all the other domains (including those without ‘www’) should point to HTTPS.
2.6. All the request should be HTTPS:
Checkout HTML source code of whole page & search for http:// There will be lots tag eg., <link>, <img>, <script>
etc., which should call their URL using http:// You’ll be required to make those changes at their calling code like
TypoScript, Fluid templates, TYPO3 extension etc.,
2.7. Force redirects to HTTPS:
Fortunately, there is real quick & tricky technique to forcefully redirects all HTTP to HTTPS through .Htaccess. It
will also be help for old URLs to set 301 redirects for SEO.
# .Htaccess Code
9. # 1. Frontend Site: Redirect to HTTPS
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/?typo3
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# 2. TYPO3 Backend: Redirect to HTTPS
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^/?typo3
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
2.8. Useful TYPO3 Extensions for HTTPS:
There are also some TYPO3 extensions available while help you to manage HTTPS as below:
https://typo3.org/extensions/repository/view/https_macmade
https://typo3.org/extensions/repository/view/lvssl
https://typo3.org/extensions/repository/view/https_enforcer
2.9. Running TYPO3 CMS behind HTTPS proxy
You can configure it from TYPO3 Install tool with below settings:
# TYPO3 Install Tool Configurations
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'] = 'THE IP OF YOUR PROXY SERVER';
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyHeaderMultiValue'] = 'last';
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxySSL'] = '*';
Checkout more details at https://moc.net/om-moc/aktuelt/blogs/tech/running-typo3-cms-behind-https-proxy
3. Configure HTTPS at TYPO3 Backend:
Of course, TYPO3 Backend should be run with https:// Fortunately, You can easily configure it from Install tool
with below settings.
# TYPO3 Install Tool Configuration
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] = ‘2’;
10. HTTPS Checklist for SEO Matters:
After migration from HTTP to HTTPS at development, It would be good to take care about below SEO
consideration points.
1. Don’t missed to configure HTTPS at your CDN (Content Delivery Network)
2. Update links/references/ in Content
3. Update links/references/ in templates
4. Update images and other links
5. Update canonical tags
6. Update hreflang tags
7. Update any plugins/modules/addons
8. Force HTTPS with redirects
9. Update old redirects currently in place
10. Update your robots.txt file
11. Add your site again in WMT (Google Webmaster Tool)
12. Update sitemaps
11. 13. Do some quick testing to make sure everything went well, eg., https://www.ssllabs.com/ssltest/
14. Monitor everything during the migration
Common problems during HTTPS/SSL migrations
During the migration from HTTP to HTTPS, there might be few things wrong as below:
1. Preventing Google from crawling the HTTP version of the site, or stopping site crawls in general (usually,
happens because of failure to update the test server to allow bots);
2. Content duplication issues, with both HTTPS and HTTP versions of the pages showing; and
different versions of the page showing on HTTP and HTTPS.
3. Most of the common problems with HTTPS migrations are the result of improperly implemented redirects.
(I’ve also had fun times cleaning up websites that changed their entire structure/design while making the
switch to HTTPS.)
Closing thoughts on HTTPS
Simply put, HTTPS is not going away. HTTP/2, Google AMP and Google’s QUIC protocol (which is likely to be
standardized soon) all require secure connections for browsers to use them. The fact remains that HTTPS is
being pushed hard by the powers that be, and it’s time to make the switch.