How to quickly add SSL to your Drupal Site

How to quickly add SSL to your Drupal Site

  Posted on November 03, 2014 by Bob Kruse

Something that new Drupalers struggle with is getting their site secured with SSL, the little lock in the browser or https://. Their first reaction is, “There has to be a module for that” and there are a few modules for getting your site HTTPS friendly, but there is a much easier solution.

No modules, just update your .htaccess file

The simplest and easiest way to add HTTPS to your entire website is by editing you site’s .htaccess file. No modules, no overhead, just a few lines of code and you’re all set.

You can add the following below “RewriteEngine on”. I usually put it below the chunk that starts with “# To redirect all users to access the site WITH the 'www.' Prefix”. Note, if you have any prefix rules enabled already, you’ll want to comment those out first since the new code below with include a prefix.

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The code above adds HTTPS if it’s not already present and it will also add “www” as well if it’s not already there. 

Why full site HTTPS is the new way to go

As Google says, security is a top priority. Your site should probably adopt the same mantra. 21st century people are getting very sensitive to how their information is being shared and collected. Additionally with all the recent security breaches, people want to feel more secure.

The old argument for not using full site HTTPS was that it can slow down a site due to it having to constantly encrypt the information being passed between server and browser. But that was when servers were a lot slower and the normal internet connection was through a 56K dial-up modem. In today’s world, it’s difficult to detect any latency at all when comparing SSL and non-SSL versions of a site. If you are concerned about your site’s performance, have a look at is TLS fast yet? https://istlsfastyet.com/

Another benefit for full site SSL is SEO. According to Google (http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html ), it’s giving ranking boosts to sites using SSL/HTTPS websites. While this boost may only be minor, I’ll take any boost I can get.

HTTPS using Drupal Modules

It’s somewhat common in ecommerce or private sections of a website to switch between HTTP to HTTPS. Drupal offers a few modules for accomplishing that.

Secure Pages

In Drupal 6, Secure Pages was my go-to SSL module. It has over 26K reported installs. If offers a simple user interface for defining your secure and non-secure paths.

Drupal Secure Pages

In Drupal 7, it’s a bit of a work in progress and doesn’t work reliably without a few core patches. It is possible to get it working, just be prepared to spend some time testing to make sure it switches properly from HTTPS to HTTP and vise versa. Since it does require a Drupal core patch, you need to remember to reapply these patches every time update Drupal core.

Other Drupal SSL modules

There are some other SSL modules that I’ll quickly mention:

Custom SSL Redirect 
Has a bit of similarity with Secure Pages, but it only lets you define the secure and non-secure paths. Be careful when installing. If you don’t have SSL on your server yet, it will automatically try to redirect to an HTTPS version and continually error out - locked me out of my site so I had to disable is via drush.

Custom SSL Redirect

Ubercart SSL
The Ubercart SSL module is for securing all of Ubercart’s shopping cart paths

Secure Login
The Secure Login module enables HTTPS primarily for the user login form, but can be configured to securce any form within the site.

Problems with switching between HTTPS and HTTP

Some problems I’ve seen with Ubercart and Drupal Commerce is that switching between HTTPS and HTTP paths can potentially lose checkout sessions, meaning that the user’s shopping cart appears empty after the site switches to HTTPS. This can be very frustrating and usually due to a configuration issue somewhere, but it can be easily solved by using full site SSL.

Where to buy a cheap SSL Certificate

So, I’m assuming that you already have an SSL certificate installed already, either by you or your host. If you don’t have one, then you’ll need to buy and install one before the code above will even work.

In the past I’ve been accustomed to buying SSL Certificates for at least $80/yr and upwards of $300/yr. But now you can get really cheap SSL certificates for $5/yr! I now buy them through http://ssls.com – you have to buy 5 years worth to get them at $5/yr, but that’s only $25 which is crazy considering I used to spend $80/yr.

Now you can still buy the expensive SSLs which include an extra layer of validation, meaning that they go through a process of validating the company applying for the certificate. This can take a few days and is usually a hassle for everyone involved. They also offer higher warranty payouts –

"The warranty that you get when you purchase an SSL certificate ($10,000, $250,000, etc...) can be misleading. It is not a warranty to the purchaser but rather to the end users who use a site secured by an SSL certificate. Basically, if you, the purchaser, turn out to be fraudulent and a user of your web site loses money because the certificate authority didn't properly validate you, then the certificate authority will compensate the end user. This practically never happens! It is therefore not very important how big the warranty is when you buy an SSL certificate. Certain certificate authorities have slightly different policies on warranties that you may wish to look into.” – Source: https://www.sslshopper.com/ssl-certificate-features.html

And finally with the more expensive certificates you get a fancier looking Lock in the browser’s address bar and some color. See comparisons below:

SSL Comparison

Conclusion

Overall, achieving full site HTTPS using the code above is very easy and it appears to only add benefits to your site’s security, your users’ security, your site's speed (one less module installed) and your SEO. I would be interested to hear any arguments against not using it for your entire website. Leave your comments below.

Bonus POODLE Exploit information, Yea!

Recently (Oct 2014), there was a major security vulnerability know as POODLE which effects SSL version 3 usage. While, SSLv3 is an outdated protocol, some people still might be using it. Here is an SSL Test tool to check your site/server to see if you are vulnerable to the issue.  https://www.ssllabs.com/ssltest/index.html


About the Author

Bob Kruse is the founder of Drupal Aid and a Drupal fanatic since 2008. He is also the creator of Cart Craze, an ecommerce website design gallery and Sick Journal, an online tool for keeping track of your family's health, sicknesses, and medications.