Moving to HTTPS-only

All the web stuff at polarweasel.org should be encrypted-only now. In other words, when you visit a page on the blog, or on the main site, you should see the little lock-icon thingy — or whatever your browser uses — in the address bar.

For my own future reference, and maybe yours too, here’s what I did.

These sites are hosted on Dreamhost, which makes it really easy (two clicks) to get a Let’s Encrypt certificate. So I did that for the various sites.

Then, I forced the web server (Apache, in this case) to redirect all non-encrypted requests to the encrypted site instead. To do that, I added this sort of thing to each site’s .htaccess file:

# Force all connections to go over SSL
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://sitename.org/$1 [R,L]

(Writing it that way, with no conditions, should guarantee a 500 error if mod_rewrite is disabled for some reason.)

That’s all you need to do for a static site. For the WordPress sites, you need to do a couple more things: set the site URLs in the Settings – General menu to https instead of http, and add the following to the site’s wp-config.php file, right above the “stop editing here” line:

define('FORCE_SSL', true);
define('FORCE_SSL_ADMIN', true);

And that’s it. More or less.

Note: If any of your pages have hard-coded (http://something) links in them, including calls to CSS stylesheets or Javascript, instead of relative (/something) links, you’ll need to update those. Relative links are your friends; use them.