HTTPS is a protocol which encrypts HTTP requests and their responses. This ensures that if someone were able to compromise the network between your computer and the server you are requesting from, they would not be able to listen in or tamper with the communications.

When you visit a site via HTTPS, the URL looks like this: https://drupal.org/user/login. When you visit a site via plain (unencrypted) HTTP, it looks like this: http://drupal.org/user/login.

Why is it important to you (and when)

HTTPS is typically used in situations where a user would send sensitive information to a website and interception of that information would be a problem. Commonly, this information includes:

  • Credit cards
  • Sensitive cookies such as PHP session cookies
  • Passwords and Usernames
  • Identifiable information (Social Security number, State ID numbers, etc)
  • Confidential content

Especially in situations where you, as the administrator, are sending your Drupal password or the FTP password for your server, you should use HTTPS whenever possible to reduce the risk of compromising your web site.

Moreover, HTTPS is now required for HTML5 Geolocation to work in nearly all modern browsers for privacy reasons! This is at the JavaScript implementation level, so the module used to supply this (e.g. GeoField [“Lat/Long” Widget] or IP Geolocation Views & Maps [“Set my location” Block] among others) cannot override it. If you attempt to use this over HTTP in any such browser (the only exceptions these days are dangerously outdated browsers such as on old Android devices and maybe some computers still running Windows XP or a PowerPC version of Mac OS X), it will not work and you will not get an error message explaining why (except perhaps in the browser’s Developer Tools Error Console) — the underlying JavaScript function calls simply won’t execute over HTTP. So if your web application needs to know where the visitor is without requiring typing in an address or manual Lat/Long coordinates, you must use HTTPS.

HTTPS can also prevent eavesdroppers from obtaining your authenticated session key, which is a cookie sent from your browser with each request to the site, and using it to impersonate you. For example, an attacker may gain administrative access to the site if you are a site administrator accessing the site via HTTP rather than HTTPS. This is known as session hijacking and can be accomplished with tools such as Firesheep.

Security is a balance. Serving HTTPS traffic costs more in resources than HTTP requests (both for the server and web browser) and because of this you may wish to use mixed HTTP/HTTPS where the site owner can decide which pages or users should use HTTPS. Though, with improved SSL/TLS efficiency and faster hardware, the overhead is less than it once was. Many security experts are now urging that all web-related traffic should go over HTTPS, and that the benefits far outweigh the cost (especially given the relatively new existence of Let’s Encrypt [see below]).

How to enable HTTPS support in Drupal

Web server configuration

  1. Get a certificate. Many hosting providers set these up for you — either automatically or for a fee. You can also use Let’s Encrypt, which is a free, automated, and open Certificate Authority. If you want to secure a test site, you could instead generate a self-signed certificate.
  2. Configure your web server. A few helpful links:

    Chances are, your webhost can do this for you if you are using shared or managed hosting.

Note (Clean URLs): If you're using Apache for HTTP and HTTPS:

You will probably have two different VirtualHost buckets.

  1. A bucket for port :80 http
  2. A bucket for port :443 https

Each of these VirtualHost containers or buckets requires that a specific Apache directive be added within it if you're using Clean URLs. This is because Drupal makes extensive use of .htaccess and mod_rewrite to provide friendly URLs.

Ensure you have the following within the Directory directive, which is a child of the VirtualHost container (see the Apache documentation for AllowOverride):

<Directory "/path/to/yoursite">
    AllowOverride All
</Directory>

This means that your .htaccess takes precedence and that the Apache configuration will allow it to run as you would expect for Drupal.

Troubleshooting:
If you enabled HTTPS and it only works on the homepage and your sub links are broken, it's because the VirtualHost:443 bucket needs AllowOverride All enabled so URLs can be rewritten while in HTTPS mode.

Drupal configuration

  • On Drupal 7, if you want to support mixed-mode HTTPS and HTTP sessions, open up sites/default/settings.php and add $conf['https'] = TRUE;. This enables you to use the same session over both HTTP and HTTPS, but with two cookies, where the HTTPS cookie is sent over HTTPS only. You will need to use contributed modules like securepages to do anything useful with this mode, like submitting forms over HTTPS. While your HTTP cookie is still vulnerable to all the usual attacks, a hijacked insecure session cookie can only be used to gain authenticated access to the HTTP site, and it will not be valid on the HTTPS site. Whether this is a problem or not depends on the needs of your site and the various module configurations. For example, if all forms are set to go through HTTPS and your visitors can see the same information as logged in users, this is not a problem.

    Note that in Drupal 8 and later, mixed-mode support was removed #2342593: Remove mixed SSL support from core.

  • For even better security, send all authenticated traffic through HTTPS and use HTTP for anonymous sessions. On Drupal 8 and 9, install Secure Login module which resolves mixed-content warnings. On Drupal 7, leave $conf['https'] at the default value (FALSE) and install Secure Login. Drupal 7, 8 and 9 automatically enable the session.cookie_secure PHP configuration on HTTPS sites, which causes SSL-only secure session cookies to be issued to the browser. On Drupal 6, see contributed modules 443 Session and Secure Login.

  • For best possible security, set up your site to only use HTTPS, and respond to all HTTP requests with a redirect to your HTTPS site. Drupal 7's $conf['https'] can be left at its default value (FALSE) on pure-HTTPS sites. Even then, HTTPS is vulnerable to man-in-the-middle attacks if the connection starts out as a HTTP connection before being redirected to HTTPS. Use Security Kit module to enable HSTS, or manually set the Strict-Transport-Security header in your webserver, and add your domain to the browser HSTS preload list, to help prevent users from accessing the site without HTTPS.

    You may want to redirect all traffic from http://example.com and http://www.example.com to https://example.com. You can do this by adding the code below to your server configuration file, i.e., the VirtualHost definitions:

    <VirtualHost *:80>
        ServerName www.example.com
        Redirect "/" "https://www.example.com/"
    </VirtualHost>
    
    <VirtualHost *:443>
        ServerName www.example.com
        # ... SSL configuration goes here
    </VirtualHost>

    The use of RewriteRule would be appropriate if you don't have access to the main server configuration file, and are obliged to perform this task in a .htaccess file instead:

    RewriteCond %{HTTPS} off [OR]
    RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
    RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]

    There are existing comments in .htaccess that explain how to redirect http://example.com to http://www.example.com (and vice versa), but this code here redirects both of those to https://example.com.
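
The items in this list (redirect to the HTTPS site, HSTS, Secure session cookies) can all be verified from response headers. The Python audit below is an added example, not code from Drupal or from this guide; the response tables are constructed samples, and the `S?SESS` cookie-name pattern and the one-year HSTS threshold are assumptions.

```python
import re
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
MIN_HSTS_AGE = 31536000  # assumed policy threshold: one year, in seconds
SESSION_COOKIE = re.compile(r"S?SESS")  # assumption: Drupal SESS.../SSESS... cookie names


def header_values(headers, name):
    """All values of one header from a list of (name, value) pairs."""
    return [v for k, v in headers if k.lower() == name.lower()]


def hsts_max_age(headers):
    """max-age in seconds from Strict-Transport-Security, or None if absent/malformed."""
    for value in header_values(headers, "Strict-Transport-Security"):
        for directive in value.split(";"):
            key, _, arg = directive.strip().partition("=")
            arg = arg.strip().strip('"')
            if key.strip().lower() == "max-age" and arg.isdigit():
                return int(arg)
    return None


def follow(fetch, url, max_hops=10):
    """Follow redirects with fetch(url) -> (status, headers); return (chain, looped)."""
    chain, seen = [], set()
    while len(chain) < max_hops:
        if url in seen:
            return chain, True
        seen.add(url)
        status, headers = fetch(url)
        chain.append((url, status, headers))
        location = header_values(headers, "Location")
        if status not in REDIRECTS or not location:
            return chain, False
        url = urljoin(url, location[0])
    return chain, True  # too many hops is reported like a loop


def audit(fetch, start_url, canonical_host):
    """Return a list of findings; an empty list means every check passed."""
    chain, looped = follow(fetch, start_url)
    if looped:
        return ["redirect loop: %s never reaches a final response" % start_url]
    findings = []
    final_url, _, final_headers = chain[-1]
    final = urlsplit(final_url)
    if final.scheme != "https":
        findings.append("final response is served over plain HTTP: " + final_url)
    else:
        # Browsers ignore HSTS sent over plain HTTP, so only the HTTPS response counts.
        age = hsts_max_age(final_headers)
        if age is None:
            findings.append("no Strict-Transport-Security header on " + final_url)
        elif age < MIN_HSTS_AGE:
            findings.append("HSTS max-age %d is below %d" % (age, MIN_HSTS_AGE))
    if final.hostname != canonical_host:
        findings.append("ends on %s, expected %s" % (final.hostname, canonical_host))
    for url, _, headers in chain:
        for cookie in header_values(headers, "Set-Cookie"):
            name = cookie.split("=", 1)[0].strip()
            flags = {part.strip().lower() for part in cookie.split(";")[1:]}
            if SESSION_COOKIE.match(name) and "secure" not in flags:
                findings.append("session cookie %s set without Secure at %s" % (name, url))
    return findings


def table_fetch(table):
    """fetch() backed by a dict of constructed responses, so the example runs offline."""
    return lambda url: table[url]


# Constructed sample: one 301 to the canonical HTTPS host, HSTS and a Secure cookie.
GOOD = {
    "http://www.example.com/user/login": (301, [("Location", "https://example.com/user/login")]),
    "https://example.com/user/login": (200, [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
        ("Set-Cookie", "SSESSconstructed=abc; path=/; Secure; HttpOnly"),
    ]),
}
# Constructed sample: origin behind a TLS-terminating proxy whose rule tests only
# %{HTTPS} off, so the HTTPS URL is redirected to itself.
LOOP = {
    "http://example.com/": (301, [("Location", "https://example.com/")]),
    "https://example.com/": (301, [("Location", "https://example.com/")]),
}
# Constructed sample: redirect works, but no HSTS and a session cookie without Secure.
WEAK = {
    "http://example.com/": (301, [("Location", "https://example.com/")]),
    "https://example.com/": (200, [("Set-Cookie", "SESSconstructed=abc; path=/; HttpOnly")]),
}

if __name__ == "__main__":
    for label, table, start in (("good", GOOD, "http://www.example.com/user/login"),
                                ("loop", LOOP, "http://example.com/"),
                                ("weak", WEAK, "http://example.com/")):
        print(label, audit(table_fetch(table), start, "example.com") or "ok")
```

To check a live site, pass a `fetch` function that issues the request without following redirects and returns the status code and the list of header pairs.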

Recipes

Redirect all requests to https://www.url.de

I was adding https to a Drupal multisite installation. https should be forced on all URLs and http is no longer possible. You get this with:

# uncomment the following:
   #1
   RewriteCond %{HTTP_HOST} .
   RewriteCond %{HTTP_HOST} !^www\. [NC]
   RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  
   # 2 Redirect to HTTPS
   RewriteCond %{HTTPS} off
   RewriteCond %{HTTP:X-Forwarded-Proto} !https
   RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

#1 is a modified version of the standard htaccess directive and #2 is taken from drupal 8 htaccess

This redirects all old http URLs with a 301 to https://www.url.de
Remember that http access no longer works correctly with this because I removed {ENV:protossl}

Most of the time Drupal developers face this problem while installing new modules and themes: they encounter an error like "ERROR: You are not using an encrypted connection, so your password will be sent in plain text.". So I recommend that all of them first give permission to the drupal_directory, sites and themes. Run a few commands that may help you before going through the whole technical part.
On Linux:
sudo chown www-data:www-data -R /var/www/html/drupal_directory/sites
On Mac:
sudo chown -R www:www /Library/WebServer/Documents/drupal_directory/sites

Redirect to HTTPS with settings.php

You can also force SSL and redirect to a domain with or without www in settings.php, the benefit is that it won't get overwritten after updating Drupal. Insert this at the top of settings.php, right after <?php, like this:

<?php
// Force HTTPS
// PHP_SAPI command line (cli) check prevents drush commands from giving a
// "Drush command terminated abnormally due to an unrecoverable error"
if ( (!array_key_exists('HTTPS', $_SERVER)) && (PHP_SAPI !== 'cli') ) {
  header('HTTP/1.1 301 Moved Permanently');
  header('Location: https://example.org'. $_SERVER['REQUEST_URI']);
  exit();
}

// Remove www
// The cli check also keeps drush from reading an unset HTTP_HOST.
if ( (PHP_SAPI !== 'cli') && ($_SERVER['HTTP_HOST'] == 'www.example.org') ) {
  header('HTTP/1.1 301 Moved Permanently');
  header('Location: https://example.org'. $_SERVER['REQUEST_URI']);
  exit();
}

For a generic domain you can use:

<?php
if ( (!array_key_exists('HTTPS', $_SERVER)) && (PHP_SAPI !== 'cli') ) {
  if (substr($_SERVER['HTTP_HOST'], 0, 4) <> 'www.') {
    $new_url = 'www.' . $_SERVER['HTTP_HOST'];
  } else {
    $new_url = $_SERVER['HTTP_HOST'];
  }
  $new_url .= $_SERVER['REQUEST_URI'];

  header('HTTP/1.1 301 Moved Permanently');
  header('Location: https://'. $new_url);
  exit();
}

Comments

sstedman’s picture

Acquia Cloud users, please note the use of {HTTP:X-Forwarded-Proto} in your .htaccess to achieve redirects. Took me an age to find this info, so reposting from acquia to here:

# Redirect to HTTPS
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

bjdeliduka’s picture

As the subject says.... the Joys.

A client of mine has numerous customers with Drupal 7 sites. We are moving all of them behind CloudFlare (www.cloudflare.com), where they offer FREE SSL certs, web caching, and DDoS protection/mitigation. We then firewall the servers to only accept connections from the CF caches and make sure that the actual HTTP server is not listed in DNS (clients/browsers should connect to the CF servers, which will then fetch pages from the actual server). The Drupal server (Apache 2.4 on CentOS) also uses SSL to encrypt the connection between CF and the server (might as well keep everything out of plain text).

While the above looks and feels like a great solution to ensuring all connections are encrypted, we encountered a problem with some pages that have IFRAMES that load encrypted content. (Web browsers throw an error when this occurs and often refuse to load the content without user intervention.)

Options included 1) setting up a proxy and encrypting the insecure content. While technically possible it gives the user the impression the session is secure while some of the content is in plain text (though not to/from the client). 2) drop the content until it's available via a secure connection (client/customer did not like this option) 3) force pages that contain this content to be unencrypted (http) connections while the rest of the site is encrypted.

We chose option 3.

The sites had been previously configured to redirect connections to https using a rewrite rule in the .htaccess file (will probably move these into the vhost config files for performance reasons but only if we can agree on disabling the .htaccess files) As such every http connection becomes an https connection.

Normally a rewriterule could be created in the form:

RewriteCond %{REQUEST_URI} ^Streaming-Page.* [NC]
ReWriteRule ^/?(.*) http://%{SERVER_NAME}$1 [R,L]
ReWriteRule ^/?(.*) https://%{SERVER_NAME}$1 [R,L]

to catch connections to the page with the insecure iframe. (rewrite matching to http and non-matching to https)

try this with clean url's enabled and you never get the unencrypted page because every page request submitted to drupal does a final pass through the rewrite engine on /index.php.

I'm unsure of the exact reason but secure_pages were not considered a viable option.

The end result solution is a series of 13 rewriterule/rewritecond lines that can effectively replace the secure_pages module for forcing all but a select few (1 or more) pages to https connections.

RewriteCond %{REQUEST_URI} /index.php
RewriteRule ^ - [S=6]
RewriteCond %{REQUEST_URI} !^/Streaming-Page.* [NC]
RewriteCond %{REQUEST_URI} !^/$ [NC]
RewriteRule ^ - [S=4]
RewriteCond %{HTTPS} on
RewriteRule ^/?(.*) http://%{SERVER_NAME}/$1 [R,L]
RewriteRule ^ - [S=3]
RewriteCond %{HTTPS} on
RewriteRule ^ - [S=1]
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
RewriteCond %{HTTPS} !on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

/Streaming-Page and the root page of the site are HTTP; the rest of the site is HTTPS. Additional pages can be excluded from HTTPS by adding additional lines under the /Streaming-Page line, following its format.

The only known side effect of this code is that editing unencrypted pages is more complicated, as the admin_menu drops on the unencrypted pages. Version 1.1 will include a method of disabling the http side from a client's browser (resulting in the browser errors that developers will deal with as needed while editing the pages). I'll also look at more detailed instructions on putting this into .htaccess files and removing unwanted/unneeded code for things like www. stripping (or pre-pending) etc.

Aporie’s picture

The best way I found to do this is (to put after rewrite engine on) :

# Force HTTPS and WWW
  RewriteCond %{HTTP:HTTPS} !on
  RewriteRule (.*) https://www.YOURSITEURL.com [QSA,L,R=301]

Joe Huggans’s picture

What works for me in D7 is this, this forces both https and www, I use the typical method of forcing www or non www in htaccess, but before that I add

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I usually place this right after

RewriteEngine on

The method in this tutorial always redirects to a /404.shtml page when I try to go to a non-www

karolus’s picture

It's often a good idea to check with your Web host if specific settings are recommended. I had to modify things a bit, but this is working for me:

.htaccess after RewriteEngine on:

RewriteCond %{HTTPS} !on
RewriteCond %{HTTP_HOST} ^www\.yourdomainhere\.com*
RewriteRule ^(.*)$ https://www.yourdomainhere.com/ [L,R=301]

Then, in the settings.php:
$base_url = 'https://www.yourdomainhere.com';

In addition, if you are pulling in external resources, such as Web fonts, it is advisable to change the URLs referencing them from http to https, if possible.

wesleymusgrove’s picture

My site was operating in mixed HTTP/HTTPS mode using secure_pages. After recently converting my site to HTTPS, and disabling the secure_pages module, I overlooked a config variable in settings.php, which kept the site operating in mixed HTTP/HTTPS mode. This resulted in two rows on the sessions table with the same SSID, but different SID. After the two rows existed there was a 50% chance that subsequent reads from sessions would pull back the wrong session data, based alphabetically on the SID.

To fix and verify:

  • I commented out $conf['https'] in settings.php.
  • Stepped through session.inc's _drupal_session_write.
  • Verified that after clearing my cookies and refreshing the home page, only one row was inserted into the sessions table.
  • Verified that after setting a $_SESSION variable and navigating to a new page, _drupal_session_write merged into the existing row instead of inserting a new row with a different SID.

hash6’s picture

I implemented the below code for redirection from http to https for my server on bluehost and it worked

RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

lgraham123’s picture

I cannot follow the https instructions or comments. When I force HTTPS and do nothing else my site does not work. It looks like I have to modify the .htaccess file in some way. I have access to the server but have no idea where to find the VirtualHost definitions. Can someone explain in layman's terms what exactly I need to modify or add to get my site working again?

Thank you!!

ckoharj’s picture

First save a backup of your htaccess file.
Open htaccess file in text editor, do a search for
<IfModule mod_rewrite.c>
Right below that, Under
RewriteEngine on
Add the following lines
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Save the file

robjwalmsley’s picture

Hi, I have tried to implement this code on the .htaccess file on shared hosting (as well as several varying ways from the comments and across the web). Every time though, I get the same message (on Chrome, but other browsers are similar):

This page isn't working
*** redirected you too many times
Try clearing your cookies
ERR_TOO_MANY_REDIRECTS

The logs on the hosting have been unhelpful, just showing the browser accessing the site multiple times. Drupal's log shows nothing.

I have tried uncommenting base_url and made sure to include https in settings.php. That didn't help (and actually disabled the css on firefox! after putting .htaccess file back.)

I have replaced the .htaccess with the file from the latest drupal .tar.gz download, so it is vanilla - no extra code that I forgot I changed.

The host is 123reg, which have a cpanel like interface.

I'm not a complete noob, but I am not really a programmer or systems engineer. Any ideas on what to do next would be most appreciated...

ckoharj’s picture

Every time I've seen that error I was trying to redirect the domain from the domain redirect section of cPanel.
Make sure your domain isn't being redirected from there. If it is try deleting that redirect.
Otherwise just make sure you've edited the htaccess file correctly.

Frank Thoeny’s picture

On my XAMPP localhost. Tried and tested.

STOP: Apache server

OPEN: C:\xampp\apache\conf\extra\httpd-vhosts.conf

ADD: VHOST Configuration for both *:80 and *:443, like so,

<VirtualHost *:80>
    ServerAdmin server@admin.com
    DocumentRoot "C:/xammp/websites/drupal"
    ServerName drupal.local
    # *OPTIONAL* Redirect "/" "https://drupal.local/"
    <Directory "C:/xammp/websites/drupal">
      Options +FollowSymLinks
      AllowOverride All
      Require all granted
   </Directory>
</VirtualHost>

SECURE

<VirtualHost *:443>
    ServerAdmin server@admin.com
    DocumentRoot "C:/xammp/websites/drupal"
    ServerName drupal.local
    ServerAlias *.drupal.local
    SSLEngine on
    SSLCertificateFile "crt/drupal.local/server.crt"
    SSLCertificateKeyFile "crt/drupal.local/server.key"
    <Directory "C:/xammp/websites/drupal">
      Options +FollowSymLinks
      AllowOverride All
      Require all granted
   </Directory>
</VirtualHost>

START: Apache server

If you don't have SSL Cert. this link is to an excellent article posted by David on Shellcreeper.
https://shellcreeper.com/how-to-create-valid-ssl-in-localhost-for-xampp/

OPEN Website's .htaccess file
Line 72 - 77

  # Set "protossl" to "s" if we were accessed via https://.  This is used later
  # if you enable "www." stripping or enforcement, in order to ensure that
  # you don't bounce between http and https.
  RewriteRule ^ - [E=protossl]
  RewriteCond %{HTTPS} on
  RewriteRule ^ - [E=protossl:s]

And then I have this directly after on Line 79 - 82

  # Custom HTTP - Redirect to HTTPS
  RewriteCond %{HTTPS} off
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

anderslarsen’s picture

Hi,

I don't have server access but need to know if it's possible to redirect all versions to https://domain.com without it? Web.config or something like that? I've been searching the web for ages now.

Frank Thoeny’s picture

I have never run Drupal 8 on MS IIS. I don't even know if this is possible. If you are on Windows, your best server comes bundled with WAMP or XAMPP. Modern PHP has a server, but I find it inadequate for my needs.

anderslarsen’s picture

It is possible :)

https://mariendalit.dk

prasanna_drupal’s picture

I have done the changes in the same way, but still my issue is not resolved.
By the way, my server is Linux CentOS.

Could you please suggest.

ckoharj’s picture

I think the only way is to edit the htaccess file.
Do you have FTP access at least?

anderslarsen’s picture

Would have been no problem if it was an Apache server to edit htaccess. This is a Microsoft server.

nmidler’s picture

Hi, when I add this code to the settings.php file as directed above I am no longer able to access my website.
I am using Drupal 8.

Code I added :

// Force HTTPS
// PHP_SAPI command line (cli) check prevents drush commands from giving a
// "Drush command terminated abnormally due to an unrecoverable error"
if ( (!array_key_exists('HTTPS', $_SERVER)) && (PHP_SAPI !== 'cli') ) {
  header('HTTP/1.1 301 Moved Permanently');
  header('Location: https://mysitename.com'. $_SERVER['REQUEST_URI']);
  exit();
}

// Remove www
if ($_SERVER['HTTP_HOST'] == 'www.mysitename.com’) {
  header('HTTP/1.0 301 Moved Permanently');
  header('Location: https://mysitename.com'. $_SERVER['REQUEST_URI']);
  exit();
}

This is the one line of text that appeared after i added the code to settings.php:
"The website encountered an unexpected error. Please try again later."

When i removed the code the site went back to normal.

frafur’s picture

Hi nmidler,

in your code there is an incorrect single quote (it's the last one):
if ($_SERVER['HTTP_HOST'] == 'www.mysitename.com’) {

replace it with
if ($_SERVER['HTTP_HOST'] == 'www.mysitename.com') {

ressa’s picture

Did you remember to keep the <?php at the very top?

nmidler’s picture

Hi ressa,
yes, I inserted the code just below the <?php at the top.

ressa’s picture

Try correcting 'www.mysitename.com’ to 'www.mysitename.com'.

nmidler’s picture

hi ressa,
i double checked my website address too, and that didn't help.

i tried to make the change in the .htaccess file, and that actually works fine. so i think i'll just stick with that.

thanks though!

sopranos’s picture

I have just found this, superb solution with all the steps described

http://www.seoandwebdesign.com/easy-https-redirect-solution-drupal-7-8

Vivek Panicker’s picture

This might be happening for:
1. www.mysitename.com is defined in the server configuration file but not mysitename.com.
2. Server might not be configured for https. Some extra settings have to be added and also SSL certificate has to be installed to ensure it runs smoothly.

usuga7’s picture

I used the mixed-mode solution (using $conf['https'] = TRUE;) and everything, on my web site side worked just fine.
Now, I have an app created with Apache Cordova, where I log in to my Drupal site to consume some information. The app was coded with everything on HTTP and everything (but the login) is working fine. When I tried to log in, it says that something was wrong and that I should try one more time.

Any ideas? Thank you!

prasanna_drupal’s picture

Thank you for the clear solution

Actually, I am very new to Apache and Drupal.

We have done the manual installation of Drupal 8 on a Linux CentOS server.
(DNS name was not created by the time we installed drupal, after completing our setup , DNS name created)

Now we are setting up SSL for the same.

Done the required changes to /etc/httpd/conf/httpd.conf file,

Listen 443
<Directory "/var/www/html/drupal">
    Options Indexes FollowSymLinks
    AllowOverride all
    Require all granted
</Directory>
<VirtualHost  myserverip:443>
        DocumentRoot /var/www/html/drupal
        ServerName mysite.org
                SSLCertificateFile /etc/httpd/sslconf/mysite.crt
                SSLCertificateKeyFile /etc/httpd/sslconf/mysite.key
</VirtualHost>

And added below in .htaccess file

RewriteCond %{HTTPS} off
   RewriteCond %{HTTP:X-Forwarded-Proto} !https
   RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Below is already present in .htaccess file, I did not do any changes in these lines

 RewriteRule ^ - [E=protossl]
  RewriteCond %{HTTPS} on
  RewriteRule ^ - [E=protossl:s]

But still My application is not working properly.
Only home page is coming, if I click on any link, Page not found error is coming.

Could anybody help me please, I have tried in many ways based on the info from various sites.

Regards
prasanna

Frank Thoeny’s picture

Hi Prasanna,

I have not worked on CentOS, but I would assume that Apache 2+ has a homogeneous file directory structure across all OS platforms.
1. Roll back all changes done to /etc/httpd/conf/httpd.conf
2. Create the following changes to /etc/httpd/conf/extra/httpd-vhosts.conf

<VirtualHost *:80>
    ServerAdmin prasanna@mysite.org
    DocumentRoot "/var/www/html/drupal"
    ServerName mysite.org
    <Directory "/var/www/html/drupal">
      Options +FollowSymLinks
      AllowOverride All
      Require all granted
   </Directory>
</VirtualHost>

#SECURE SITE IP
<VirtualHost *:443>
    ServerAdmin server@admin.com
    DocumentRoot "/var/www/html/drupal"
    ServerName mysite.org
    ServerAlias *.mysite.org
    SSLEngine on
    SSLCertificateFile "/var/www/crt/mysite.org/server.crt"
    SSLCertificateKeyFile "/var/www/crt/mysite.org/server.key"
    <Directory "/var/www/html/drupal">
      Options +FollowSymLinks
      AllowOverride All
      Require all granted
   </Directory>
</VirtualHost>

3. Create the SSL Certs for mysite.org and make crt folder like so, /var/www/crt/mysite.org/server.crt and /var/www/crt/mysite.org/server.key.

4. Follow the .htaccess file like I showed you.

again, I don't know if this actually works on CentOS. Give it a try.
-Frank

prasanna_drupal’s picture

Thank you for trying to help me out..

I have followed the same as suggested by you..

But no luck, ... still the same problem...

Something is still breaking...
I guess .. some issue with the redirection..
Because .. if I change the document root to /var/www/html and try to access the URL, then the default Apache page is coming without any issue.
But if I change the document root to /var/www/html/drupal then the Drupal site is not loading properly.
(Above is just a trial to conclude that there is no issue with the certificates)

Regards
prasanna

crutch’s picture

Hi this is my settings and htaccess recipe that is working on CentOS D7. You will need to get your reverse proxy address. Also, I'm not sure this has made it into core https://www.drupal.org/project/drupal/issues/2970929

@HTACCESS

# Various rewrite rules.
<IfModule mod_rewrite.c>
  RewriteEngine on

  RewriteCond %{HTTPS} off
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  
  # Set "protossl" to "s" if we were accessed via https://.  This is used later
  # if you enable "www." stripping or enforcement, in order to ensure that
  # you don't bounce between http and https.
  RewriteRule ^ - [E=protossl]
  RewriteCond %{HTTPS} on
  RewriteRule ^ - [E=protossl:s]

  # Make sure Authorization HTTP header is available to PHP
  # even when running as CGI or FastCGI.
  RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

  # Block access to "hidden" directories whose names begin with a period. This
  # includes directories used by version control systems such as Subversion or
  # Git to store control files. Files whose names begin with a period, as well
  # as the control files used by CVS, are protected by the FilesMatch directive
  # above.
  #
  # NOTE: This only works when mod_rewrite is loaded. Without mod_rewrite, it is
  # not possible to block access to entire directories from .htaccess, because
  # <DirectoryMatch> is not allowed here.
  #
  # If you do not have mod_rewrite installed, you should remove these
  # directories from your webroot or otherwise protect them from being
  # downloaded.
  RewriteRule "(^|/)\." - [F]

  # If your site can be accessed both with and without the 'www.' prefix, you
  # can use one of the following settings to redirect users to your preferred
  # URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
  #
  # To redirect all users to access the site WITH the 'www.' prefix,
  # (http://example.com/... will be redirected to http://www.example.com/...)
  # uncomment the following:
  RewriteCond %{HTTP_HOST} .
  RewriteCond %{HTTP_HOST} !^www\. [NC]
  RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

@SETTINGS

* It is not allowed to have a trailing slash; Drupal will add it
 * for you.
 */
 $base_url = 'https://www.mysite.org';  // NO trailing slash!

/**
 * PHP settings:
 *
 * To see what PHP settings are possible, 
 
 ...
 
 /**
 * Reverse Proxy Configuration:
 *
 * Reverse proxy servers are often used to enhance the performance
 * of heavily visited sites and
 
 ...
 
 * $_SERVER['REMOTE_ADDR'] variable directly in settings.php.
 * Be aware, however, that it is likely that this would allow IP
 * address spoofing unless more advanced precautions are taken.
 */
  $conf['reverse_proxy'] = TRUE;

/**
 * Specify every reverse proxy IP address in your environment.
 * This setting is required if $conf['reverse_proxy'] is TRUE.
 */
  $conf['reverse_proxy_addresses'] = array('add.the.ip.here');

/**
 * Set this value if your proxy server sends the client IP in a header
 * other than X-Forwarded-For.
 */
  $conf['reverse_proxy_header'] = 'HTTP_X_CLUSTER_CLIENT_IP';

/**
 * Set this value if your proxy server or load balancer sends the client
 * protocol in a header other than X-Forwarded-Proto.
 */
  $conf['reverse_proxy_proto_header'] = 'HTTP_X_FORWARDED_PROTO';

/**
 * Page caching:
 *
 * By default, Drupal sends a "Vary: Cookie"...
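
The reverse_proxy settings above decide whose X-Forwarded-* headers the application believes, which is what the spoofing warning in the settings comments is about. The Python model below is an added example, not Drupal's code: it shows the trust decision with a fixed proxy list and with a list that trusts whichever address connects. All addresses are constructed samples from documentation ranges, and the function names are hypothetical.

```python
import ipaddress


def is_trusted(addr, proxies):
    """True if addr is a configured reverse proxy (single IPs or CIDR ranges)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(p, strict=False) for p in proxies)


def request_is_https(remote_addr, tls_on_socket, headers, proxies):
    """Scheme to believe: the socket's own TLS state, or the header of a trusted proxy."""
    if tls_on_socket:
        return True
    if is_trusted(remote_addr, proxies):
        return headers.get("X-Forwarded-Proto", "").strip().lower() == "https"
    return False  # X-Forwarded-Proto from any other peer is just client input


def client_ip(remote_addr, headers, proxies):
    """Client address: nearest X-Forwarded-For hop that is not one of our proxies."""
    if not is_trusted(remote_addr, proxies):
        return remote_addr  # header ignored, the peer is not our proxy
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the rest of the header
        if not is_trusted(hop, proxies):
            return hop
    return remote_addr


def evaluate(request, proxies):
    """(believed_https, believed_client_ip) for a plain-HTTP request to the origin."""
    remote_addr, headers = request
    return (request_is_https(remote_addr, False, headers, proxies),
            client_ip(remote_addr, headers, proxies))


# Constructed samples. Header names are matched exactly as spelled here.
PROXIES = ["192.0.2.10"]  # the one reverse proxy in front of the origin
VIA_PROXY = ("192.0.2.10", {"X-Forwarded-Proto": "https",
                            "X-Forwarded-For": "203.0.113.7"})
DIRECT_WITH_HEADERS = ("198.51.100.23", {"X-Forwarded-Proto": "https",
                                         "X-Forwarded-For": "203.0.113.99"})

if __name__ == "__main__":
    print("via proxy, fixed list:   ", evaluate(VIA_PROXY, PROXIES))
    print("direct peer, fixed list: ", evaluate(DIRECT_WITH_HEADERS, PROXIES))
    # Weak setting: the proxy list is whatever address connected.
    print("direct peer, trust-peer: ",
          evaluate(DIRECT_WITH_HEADERS, [DIRECT_WITH_HEADERS[0]]))
```

With the fixed list, headers from the direct peer are ignored; with the trust-the-peer list, the same request is believed to be HTTPS and to come from the address it supplied.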

Frank Thoeny’s picture

Again I don't know CentOS. This is just a suggestion.
Try moving your drupal folder to /var/www/drupal and make same changes to the /etc/httpd/conf/extra/httpd-vhosts.conf
Then you should make changes to the Linux Host file also. it's located at /etc/hosts
add 127.0.0.1 drupal to the host file.

pablo.fredes’s picture

I have a LAMP on my local ubuntu 18.04
What I did to solve it is run:
sudo chown www-data:www-data -R /var/www/html/drupal-8.4.3/sites
source: https://medium.com/@jangid.hitesh2112/error-you-are-not-using-an-encrypt...

nick9007’s picture

This is the most common issue for novice programmers.
I found the below solution for all of them who are struggling with HTTPS redirections :)
It redirected all HTTP requests on my domain with 301 permanent redirection to HTTPS.
Enable Force HTTPS

ravis’s picture

The code provided in the link does not work perfectly.
It will redirect http://eample.com/abc to https://eample.com/index.php

EDIT:
The code should be placed at the top of .htaccess file. This makes it work :)

I work at Drupar.com

crumbpeter’s picture

Use this code to redirect your http traffic to https

Redirect All Web Traffic

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

arcturus17’s picture

After enabling https, the "mixed content" warning in the address bar (padlock with exclamation mark) of the browser can easily be solved by adding this line into .htaccess.

  • Open .htaccess file
  • Add the following line.

Header always set Content-Security-Policy "upgrade-insecure-requests;"

  • No need to restart apache. Just refresh the page and try again.

source: https://www.drupal.org/project/securelogin/issues/1670822#comment-13000601

rromore’s picture

Wish there was an upvote button. Thanks for posting this!

ivoo56’s picture

I just found this and tested works https://htaccessbook.com/htaccess-redirect-https-www/
in my case just inserted in .htaccess straight under
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule (.*) https://example.com/$1 [L,R=301]

sjmethawee’s picture

I found the same one and tested works for me https://htaccessbook.com/htaccess-redirect-https-www/

benaboki’s picture

The suggestions above for changing htaccess didn't work for a proxy server. URLs appeared as https on browser but appeared as http when source code was viewed.

I added the following at the bottom of settings.php to force https

$settings['reverse_proxy'] = TRUE;
$settings['reverse_proxy_addresses'] = array(@$_SERVER['REMOTE_ADDR']);

Anybody’s picture

Most examples only show how to redirect to www. + SSL in two steps. This may be wanted, if only one subdomain has an SSL certificate. If you instead wish to prevent more than one 301 redirect to be needed, this snippet may help:

# Redirect all users to the site WITH https:// AND www. (in one redirect):
  RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
  RewriteCond %{HTTPS} off [OR]
  RewriteCond %{HTTP_HOST} !^www\. [NC]
  RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
  RewriteRule ^ https://www.%1%{REQUEST_URI} [L,NE,R=301]

I created an issue to discuss that: https://www.drupal.org/project/drupal/issues/3256945

http://www.DROWL.de || Professional Drupal solutions from Ostwestfalen-Lippe (OWL)
http://www.webks.de || webks: websolutions kept simple - web-based solutions that simply convince!
http://www.drupal-theming.com || Custom responsive themes

Andrés Chandía’s picture

I have just a drupal subsite, not a subdomain, I mean
https://www.maindrupal.net
and
https://www.maindrupal.net/subdrupal

I have https activated but only the maindrupal is shown as secure, while the subsite is not...
Both correctly redirect to https though!

How can I accomplish total security for both sites?

thanks!

@ch

Andrés Chandía’s picture

I could solve it, I had a bloc loading an image from an external site which was causing the issue.....

@ch
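
The mixed-content problems reported in several comments above (iframes, web fonts, an externally hosted image) come from http:// references in the rendered HTML. The Python scanner below is an added example, not part of the original page or of any Drupal module: it lists those references so they can be fixed at the source. The sample markup and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "active" loads (scripts, frames, stylesheets) are the ones browsers refuse on an
# HTTPS page; "passive" loads are display content such as images and media.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}
FORMS = {"form": "action"}  # a form posting to http:// sends its fields unencrypted


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, absolute_url) for every http:// load on an HTTPS page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return  # only stylesheet links are checked; rel=canonical is not a load
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE), ("form", FORMS)):
            value = attrs.get(table.get(tag, ""))
            if not value:
                continue
            # Resolve relative and protocol-relative URLs against the page URL.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    """Return the insecure references found in html, in document order."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page.
PAGE_URL = "https://www.example.com/subdrupal"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/sites/default/files/css/site.css">
<link rel="canonical" href="http://www.example.com/subdrupal">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="http://images.example.net/banner.png" alt="">
<iframe src="http://stream.example.net/player"></iframe>
<a href="http://example.org/">a plain link is navigation, not a subresource</a>
<form action="http://www.example.com/user/login" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print("%-7s <%s> %s" % (kind, tag, url))
```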