Last updated November 5, 2012. Created by JacobSingh on November 11, 2009.
Edited by Ralt, cdnsteve, JimSmith, Ostasevich. Log in to edit this page.
HTTPS is a protocol which encrypts HTTP requests and their responses. This ensures that if someone were able to compromise the network between your computer and the server you are requesting from, they would not be able to listen in or tamper with the communications.
When you visit a site via HTTPS the URL looks like this: https://drupal.org/user/login. When you visit a site via plain (unencrypted) HTTP, it looks like this: http://drupal.org/user/login.
Why is it important to you (and when)
HTTPS is typically used in situations where a user would send sensitive information to a website and interception of that information would be a problem. Commonly this means:
- Credit cards
- Sensitive cookies such as PHP session cookies
- Passwords and Usernames
- Identifiable information (Social Security number, State ID numbers, etc)
- Confidential content
Especially in situations where you as the administrator are sending your Drupal password, or the FTP password for your server, you should use HTTPS whenever possible to reduce the risk of compromising your web site.
HTTPS can also prevent eavesdroppers from obtaining your authenticated session key, which is a cookie sent from your browser with each request to the site, and using it to impersonate you. For example, an attacker may gain administrative access to the site if you are a site administrator accessing the site via HTTP rather than HTTPS. This is known as session hijacking and can be accomplished with tools such as Firesheep.
Security is a balance. Serving HTTPS traffic costs more in resources than HTTP requests (both for the server and web browser) and because of this you may wish to use mixed HTTP/HTTPS where the site owner can decide which pages or users should use HTTPS.
How to enable HTTPS support in Drupal
Web server configuration
- Get a certificate. many hosting providers set these up for you - either automatically or for a fee. Simply ask your hosting provider. If you want to secure a test site, you could instead generate a self-signed certificate.
- Configure your web server. A few helpful links:
- Apache instructions.
- Ubuntu instruction
- MAMP instructions
- WAMP instructions
- EngineX (Nginx) instructions
- Barracuda/Octopus/Aegir instructions
Chances are, your webhost can do this for you if you are using shared or managed hosting.
Note: Clean URL's If you're using Apache for HTTP and HTTPS:
You will probably have two different VirtualHost buckets.
- A bucket for port :80 http
- A bucket for port :443 https
Each of these VirtualHost containers or buckets, require that a specific Apache directive be added within them if you're using Clean URL's. The reason for this is that Drupal makes extensive use of .htaccess and mod_rewrite to provide friendly URL's.
Ensure you have the following within the directive, which is a child under the VirtualHost container: See Apache Documentation for AllowOverride
<Directory "/path/to/yoursite">
AllowOverride All
</Directory>This means that your .htaccess takes precedence and that the Apache configuration will allow it to run as you would expect for Drupal.
Troubleshooting:
If you enabled HTTPS and it only works on the homepage and your sub links are broken, it's because the VirtualHost:443 bucket needs AllowOverride All enabled so URL's can be rewritten while in HTTPS mode.
Drupal configuration
-
If you want to support mixed-mode HTTPS and HTTP sessions open up sites/default/settings.php and add
$conf['https'] = TRUE;. This enables you use the same session over HTTP and HTTPS both -- but with two cookies where the HTTPS cookie is sent over HTTPS only. You will need to use contributed modules like securepages to do anything useful with this mode, like submitting forms over HTTPS and so on. While your HTTP cookie is still vulnerable to all usual attacks, a hijacked insecure session cookie can only be used to gain authenticated access to the HTTP site. It will not be valid on the HTTPS site. Whether this is a problem or not depends on the needs of your site and the various module configurations. For example, if all forms are set to go through HTTPS and your visitors can see the same information as logged in users then this is not a problem. -
For even better security, leave
$conf['https']at the default value (FALSE) and send all authenticated traffic through HTTPS and use HTTP for anonymous sessions. Once again contributed modules like 443 Session or Secure Login can help you here. Drupal 7 automatically enables thesession.cookie_securePHP configuration on HTTPS sites, which causes SSL-only secure session cookies to be issued to the browser. - For best-possible security, setup your site to only use HTTPS, not even responding to HTTP with a redirect. HTTPS is vulnerable to man-in-the-middle attacks if the connection starts out as a HTTP connection before being redirected to HTTPS.
$conf['https']can be left at its default value (FALSE) on pure-HTTPS sites. You can run the HTTP site from a different server and simply deliver a plain text message telling your users to use HTTPS.
Comments
Setting up website to only use HTTPS
This article recommends to "setup your site to only use HTTPS, not even responding to HTTP with a redirect." How would this be done?
Depends what webserver you're
Depends what webserver you're using. For example, if you use Apache httpd, you'd have just one apache VirtualHost for your drupal site with SSLEngine on.
But what is the user experience?
If you only use the 443 Virtual Host, what happens when the user types in http:// instead of https:// ? Will apache correctly server the site as ssl or will it not be found? This is obviously a user education issue, but most companies can't afford to risk losing the $$ if visitors can't find their sites.
Maybe we should just make the whole web ssl end to end.... :P
Does this mean that Drupal 6 cannot do mixed mode HTTPS?
Does this mean that Drupal 6 cannot do mixed mode HTTPS?
If D7 supports mixed mode which 99% of secure connections are I would presume.
Such as logging in/out using SSL and normal unsecured for everything else.
Anyone know the answer here?
Edit: I found the answer here: http://drupal.org/project/securepages
Thanks
Can also use mod_rewrite
We don't use the secure pages module because we have higher security requirements. We wanted our logins forced to ssl in an area that very few people have access to and would not be able to turn off by accident easily.
Because only admin users are logging in right now, we used a mod_rewrite rule to look for /user, /admin type paths and force to SSL. This isn't a perfect solution though, sometimes it causes errors with views because (there's an issue for it on d.o.) sometimes ahah calls are made and the path isn't /user or /admin so it borks the ssl? (Sorry, been a while since we looked at this...memory is somewhat faulty).
Though honestly, with Firesheep and the like, switching back and forth from http to https and back again with real user logins is a recipe for disaster. A better method would be to require the entire site to use ssl.
As @crimsondryad points out,
As @crimsondryad points out, using mod_rewrite is much more difficult than it originally appears. The _only_ two ways to have a site safe from session hijacking in D6 is to use 443 Session module or have your site use only HTTPS and ignore HTTP.
________________________
dave hansen-lange
Technical Lead
Advomatic.com
Great White North office
Canada
You can run the HTTP site
You can run the HTTP site from a different server and simply deliver a plain text message telling your users to use HTTPS.
________________________
dave hansen-lange
Technical Lead
Advomatic.com
Great White North office
Canada
You can run the HTTP site
I think to you
----------------
Khuyen mai
[url:http://chondeal.com]Khuyen mai[/url]
Suggested Change to bootstrap.inc regarding HTTPS
Currently the global variable $is_https is set from the runtime settings based on the local apache settings. However there are configurations where the SSL is handled by an upstream machine which only communicates un-encrypted to the server on which Drupal is running. In this scenario, the $is_http is always false, but needs to be true (for proper redirects, etc.). If there were a hook which sets the $is_https variable, then we could override this hook and implement the code that we need to set this variable correctly (based on header information injected by the upstream machine). As is we have to modify boostrap.inc - which of course is taboo.
I'm not sure if there is a better avenue to provide suggestions. If so please educate me.
THANKS!
Thank you so much for your comment, I was going nuts with my nginx server because Drupal always delivered everything via HTTP and didn't realize that I'm using HTTPS. I just altered the Bootstrap.inc file and set $is_https = 'on'; so I always have a HTTPS connection.
i have the same perspective
i have the same perspective too
Game Avatar | Avatar HD
I am at the point of making
I am at the point of making one of my sites (in a multisite install) be https. Based on what I’ve read at eff.org (HTTPS Everywhere, How to Deploy HTTPS Correctly, HTTPS Everywhere FAQ) and elsewhere the past few years, I’m ready to make at least one of my sites HTTPS-only. I’ve tried a number of methods and am having trouble.
In the site’s settings.php files I uncommented and changed the line:
$base_url = 'https://example.com'; // NO trailing slash!
But that didn’t force pages to load https.
I figured maybe I could isolate this one site out of my multisite setup and adjust the .htaccess file somehow, but that hasn’t worked either. As is pointed out in the comments above, it seems like it should be so simple. On DRUPAL AND SSL - MULTIPLE RECIPES TO POSSIBLE SOLUTIONS FOR HTTPS, at the end is what seems to be the best advice, and what I want to do, “Just Make All Drupal Pages SSL” but adding that chunk to my .htaccess file just gives me an Internal Server Error.
I don’t have access to the Apache conf file.
I’d prefer not to install a handful of modules. But until I can find out how, is that the only way?
Also, it’s not entirely clear how or why a redirect is insecure. If the redirect is in the .htaccess (or conf) shouldn’t that mean it’s done before Drupal assigns a cookie?
Update - Further testing of
Update - I was very glad to find out the 443 Session module has the option to force all traffic over https. Unfortunately I was not able to determine this from the project page, only after I installed it.
However, I’m still foggy on this redirection thing.
Then there is the issue of looking at the cookie in the browser and it saying the cookie is not secure. Hm, so many details. :-)
Reading this: http://en.wikipedia.org/wiki/HTTP_cookie#Terminologies it says
I can understand the cookie is transmitted securely since it’s https, but apparently that is apart from the cookie being encrypted? My needs are modest so perhaps I am sweating the small stuff?
443 Session for Me
Since someone wrote me and said s/he was having the same issue as me, I will describe what I did.
I installed 443 Session. It was that simple. :-) In the admin page is the option to force all traffic over https (upon initial reading of the page it was not clear this option existed, that’s why I hunted around and posted here).
It’s still not entirely clear exactly how the man-in-the-middle attack could work on this method (I didn’t dig around in the module to try to figure it out then Google for answers), and perhaps DNSSEC could play a role, but …
I hope that helps.
Further Reading
Just noticed this in my news reader:
How secure is HTTPS today? How often is it attacked?
https://www.eff.org/deeplinks/2011/10/how-secure-https-today
443 Session module will still leave you vulnerable to man-in-the
The man in the middle attack is caused when someone intercepts the http traffic and routes it through another server before sending to https. This is where an attacker would intercept a http cookie before it's transitioned over to https (or vice versa, though enforcing separate cookies for http and https is supposed to mitigate this). So this module makes configuring paths better and it is an improvement in some ways over modifying via .htaccess or apache vhost, but it isn't a bulletproof option ( which is basically to turn off the http Virtual host entirely in apache and ONLY answer on the port 443 virtual host ). As discussed before though, turning off http entirely comes with a rather glaring flaw.
We live in an imperfect world. :P
443 Session module does use
443 Session module does use separate session cookies for HTTP/HTTPS which reduces the methods of exploitation to things like hijacking a router near a CA authority, or hacking into a CA authority. If someone is willing to go to that much effort, they would probably have much more success breaking into your website via some simple social hacking.
________________________
dave hansen-lange
Technical Lead
Advomatic.com
Great White North office
Canada
Forcing HTTPS encryption
Here are some suggestions including Apache configuration to force SSL encryption on Drupal pages:
http://groups.drupal.org/node/135824
----------------
IT consultant, web designer, writer and researcher
http://www.sheldonrampton.com/portfolio
all links broken after https
Is there a simple fix for all links beyond the front page not working after enabling https? The paths seem to be wrong, but I don't know how to fix this.
More info needed. Like a link
More info needed. Like a link to your site. Off-hand the only thing I can think of is there are hard coded absolute paths that are failing.
(Note that per good Drupal style, support questions should be in the forums.)
Check your mod_rewrite rules
If you're using an apache vhost, note that your redirects have to be set up in the port 80 vhost AND the port 443 vhost. Usually the easiest way to do that is to copy the redirects to an external file ( like domain.com.redirects ) and include that in both vhost mod_rewrite sections.
Full time HTTPS while behind a proxy/load balancer
All,
I struggled a long time to get my configuration working and thought it best to post a simple summary of what I needed to do so others would not need to reinvent the wheel.
I have a website hosted on drupal that is being run on Apache. This Apache webserver is sitting behing a load balancing device that among other things terminates TLS traffic and converts it to plain-text http over port 4430. Thus my apache server receives 2 traffic flows, one over port 80 and one over port 4430, both of which are plain-text http. On the virtual host listening to port 80 I have a simple redirect that looks like this
#redirect all traffic to httpsRedirectMatch permanent ^(.*)$ https://www.example.com$1
On the virtual server listening to port 4430 I have the traffic flowing to Drupal. The problem was Drupal did not know it was dealing with https so it was sending back "http://" links which caused the dreaded mixed or insecure content errors. I found putting the following in the setttings.php simply and easily induced Drupal to treat all it's traffic as being "https://".
$_SERVER['HTTPS'] = 'on';Those were the only changes I needed to do.
For best-possible security,
This is confusing. It appears you say to make site secure, add
$conf['https'] TRUEbut then you say if you really want it secure just leave it at false and run your whole site as secure.OK, so do we still add it? It's not already in the settings files. And it simply "leaving" it the way it is makes me think I dont need to add it. Well, that means nothing would change, right? Therefore site still would not be secure.
So, I added it and it works, now https pages are working (After I also changed my base url).
now, unless I am missing a step, my site can still be accessed via http. How do we make the whole site only be able to use https? And how to you do a server side redirect automatically from http to https? I tried changing my refirect in .htaccess but that didn't work.
Thanks
I was able to achieve the
I was able to achieve the redirect by adding these two lines to my .htaccess file
RewriteCond %{HTTPS} offRewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Redirect loop
I am getting a redirect loop when I put that in my .htaccess file.
But the 443 Session module worked out of the box, redirecting the desired pages from HTTP to HTTPS, either all of them or for example just pages under the
cart/*path. I was getting a yellow warning triangle on pages with a "Like on facebook" link, but changing HTTP to HTTPS in the Facebook iFrame link fixed it.EDIT: To make it work, I had to remove
HTTP:from the link like this:src="//www.facebook.com/plugins/like.php?href=example.com&layout=button_count&show_faces=false&width=170&action=like&colorscheme=light&height=21"I've updated the docs to
I've updated the docs to include specific configuration notes for Apache using Clean URL's with HTTP and HTTPs. I hope this is helpful for others.
Thanks,
Steve
Several Clues
If you do not know how to set your server to serve only HTTPS then contact the host.
There is also a place to have drupal create HTTPS and HTTP in the same directory so this should fix any broken links.
The next issue is to make sure if your theme calls up external CSS that you change that to https too.
as an example
If you do this an have a verified cert you will get the green bar and no errors.
You also have to be careful about serving some images from unsecrure locations. I am having an issue with a mod doing that but will not call out until I know more about it. Chrome inspect element was very helpful in finding it and it seems to be an insecure FB profile Icon. The page at https://www.example.com/node displayed insecure content from
http://profile.ak.fbcdn.net/static-ak/rsrc.php/v1/y6/r/ksUwmHUElCY.jpg.
You do not have to change the sites/default/settings.php
www.hancockglen.com
Are there any issues to consider with
APC, Memcache/Varnish, and just drupal cache in general?
Are these effected by forcing https on all URLs?
I know the users browser may not cache as well but just wondering about these cache layers?
Thanks
Alfred Nutile
http://twitter.com/alnutile