Https

Saturday 25 February 2017This is over seven years old. Be careful.

Someone posted a link to my latest blog post on /r/Python, but somehow got an https link for it. That’s odd: my site doesn’t even properly serve content over https. People were confused by the broken link.

I should say, my site didn’t even serve content over https, because now it does. I’d been meaning to enable https, and force its use, for a long time. This broken link pushed it to the top of the list.

Let’s Encrypt is the certificate authority of choice these days, because they are free and automatable. And people say they make it easy, but I have to say, I would not have classified this as easy. I’m sure it’s easier than it used to be, but it’s still a confusing maze of choices, with decision points you are expected to navigate.

Actually getting everything installed requires sudo, or without sudo, using third-party tools, with instructions from obscure blog posts. There’s clearly still room for improvement.

Once you have the certificate in place, you need to redirect your http site to https. Then you have to fix the http references in your site. Protocol-relative (or schema-less) URLs are handy here.

It’s all done now, the entire site should always be https. I’m glad I finally got the kick in the pants to do it. If you find something wrong, let me know.

Comments

[gravatar]
David Baumgold 11:09 PM on 25 Feb 2017
I'm just gonna put out a shameless plug here: I wrote a tutorial for how to make a static website hosted on Amazon S3, and that tutorial includes setting up HTTPS support. It's not very difficult to do that on Amazon Web Services, because Amazon Certificate Manager is free and integrated with the rest of AWS. The tutorial even includes setting up email at your own domain, so you can get your own fancy email address at your-website.com! The tutorial is here, if anyone wants to check it out: https://www.davidbaumgold.com/tutorials/host-static-site-aws-s3-cloudfront/
[gravatar]
Chris Warrick 6:04 PM on 26 Feb 2017
Nowadays, protocol-relative URLs should not be used — just do https if that’s available.
[gravatar]
Ned Batchelder 11:59 PM on 26 Feb 2017
@Chris, thanks for the link, it's helpful to read what the latest thinking is. I was using protocol-relative URLs only for links within my site, and I'm going to keep doing so. The way I generate my site, I sometimes make a local copy to serve on my own laptop for testing. Using protocol-relative means that my real site will be all https, but a local testing copy will still work without certificates.
[gravatar]
Aron Griffis 5:08 PM on 12 Mar 2017
Ned, would root-relative links work for that purpose, in place of protocol-relative?
[gravatar]
Ned Batchelder 5:28 PM on 12 Mar 2017
@Aron, yes, and that is likely what I actually have here...

Add a comment:

Ignore this:
Leave this empty:
Name is required. Either email or web are required. Email won't be displayed and I won't spam you. Your web site won't be indexed by search engines.
Don't put anything here:
Leave this empty:
Comment text is Markdown.