How to Redirect HTTP to HTTPS

What is HTTP?

HTTP stands for Hypertext Transfer Protocol. It is the application-layer protocol that underlies the World Wide Web (WWW). It lets users of the web request and exchange the information found on web pages, such as images, videos, and text.

Having HTTP in front of a website address (e.g., http://www.anotherwebsite.ga) tells the browser to communicate over the HTTP protocol. Data exchanged over HTTP is not encrypted and is considered insecure, so web browsers also show a warning about the insecure connection.

For instance, this website is requested over HTTP, and the Google Chrome browser shows a “Not secure” warning.

What is HTTPS?

HTTPS stands for Hypertext Transfer Protocol Secure. It is a more secure version of HTTP because it runs over Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL), so the communication and data exchange between a web browser and a website are encrypted.

Having HTTPS in front of a website address (e.g., https://www.anotherwebsite.ga) tells the browser to communicate over the HTTPS protocol. Data exchanged over HTTPS is encrypted, so web browsers show a padlock to indicate a secure connection.

For instance, this website is requested over HTTPS, and the Google Chrome browser shows a padlock.

Why Migrate to HTTPS?

HTTPS is currently a widely used application layer protocol over the World Wide Web, and here are several reasons why you should migrate to HTTPS.

  • Hacking a website running on the HTTP protocol is as easy as installing a browser plugin. If your site is hacked, an intruder can steal your login credentials and a lot of sensitive information. The intruder can also inject malicious code and Trojan horses, which can ruin your visitors' experience and damage users' trust in your business.

  • HTTPS is more secure. It is highly recommended to obtain an SSL certificate and run your websites and eCommerce stores over HTTPS, because they process sensitive information and any flaw in this system can cause calamity. Moreover, many browsers show warnings when the connection between the browser and the website is not secure, which can leave users less confident about doing business on your website.

  • Running your website on HTTPS can also give your business a ranking boost, as Google gives preference to secured websites running on HTTPS over unsecured websites running on HTTP.

  • Google Analytics is one of the world’s great analytics services. Still, it can show wrong referral statistics when a user arrives at your HTTP website from an HTTPS website, because that traffic is treated as “Direct Traffic.” Only when someone goes from one HTTPS website to another HTTPS website are the correct referral statistics recorded, so you can easily keep track of them.

Redirecting HTTP to HTTPS is essential for ensuring secure communication between your server and clients. Here's a detailed guide on how to achieve this using Nginx:

Prerequisites

  • A valid SSL certificate installed on your server.

  • Nginx installed and running.

Steps to Redirect HTTP to HTTPS

Install Nginx (if not already installed)

  • sudo apt update

  • sudo apt install nginx

Obtain and Install SSL Certificate

You can obtain a free SSL certificate from Let's Encrypt. Install Certbot to manage SSL certificates:

  • sudo apt install certbot python3-certbot-nginx

  • Generate the certificate through the Nginx plugin installed above, which works while Nginx is running: sudo certbot certonly --nginx -d your_domain -d www.your_domain

Configure Nginx for HTTP to HTTPS Redirection

Edit your Nginx configuration file. This is usually located at /etc/nginx/sites-enabled/your_domain.conf or /etc/nginx/sites-available/default.

sudo nano /etc/nginx/sites-enabled/your_domain.conf

Add the following configuration to redirect HTTP traffic to HTTPS:

    server {
        listen 80;
        server_name your_domain www.your_domain;

        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name your_domain www.your_domain;

        ssl_certificate /etc/letsencrypt/live/your_domain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/your_domain/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        location / {
            # Your site configuration
        }
    }

Replace your_domain with your actual domain name.

Test Nginx Configuration

Before restarting Nginx, test the configuration to ensure there are no syntax errors:

  • sudo nginx -t

If the test is successful, restart Nginx to apply the changes:

  • sudo systemctl restart nginx

Explanation of the Configuration

A. First Server Block (HTTP):

  • Listens on port 80 for HTTP requests.

  • Uses a 301 redirect to forward all HTTP traffic to the HTTPS version of the requested URL.

B. Second Server Block (HTTPS):

  • Listens on port 443 for HTTPS requests.

  • Specifies the domain names that this block should respond to.

  • Configures the SSL certificate and key locations.

  • Includes additional SSL configurations for security (generated by Certbot).

  • Defines the location block for your site configuration.

Additional Configuration

Force Redirect Non-WWW to WWW (or vice versa)

To force a redirect from non-www to www (or the opposite), add another server block before the main HTTPS server block:

    server {
        listen 443 ssl;
        server_name your_domain;

        ssl_certificate /etc/letsencrypt/live/your_domain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/your_domain/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        return 301 https://www.your_domain$request_uri;
    }

This ensures all traffic is redirected to the preferred domain format.
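
To confirm that both the HTTP to HTTPS redirect and the non-www to www redirect behave as configured, the following added example (not part of the original guide) checks the headers printed by curl -sI: the response must be a 301 whose Location is the exact HTTPS URL, with path and query string preserved. The function name check_redirect, the sample responses and the /shop?id=7 path are assumptions made for the illustration.

```sh
#!/bin/sh
# check_redirect EXPECTED_URL
# Reads one response's headers on stdin (the output of `curl -sI URL`) and
# returns 0 only for a 301 whose Location header is exactly EXPECTED_URL.
# Return codes: 1 = not a 301, 2 = target is not https, 3 = wrong target.
check_redirect() {
    awk -v expected="$1" '
        { sub(/\r$/, "") }                    # curl prints CRLF line endings
        /^HTTP\// && status == "" { status = $2 }
        tolower($0) ~ /^location:/ {          # header names are case-insensitive
            loc = $0
            sub(/^[^:]*:[ \t]*/, "", loc)
        }
        END {
            if (status != "301")      { print "FAIL: status " status ", want 301"; exit 1 }
            if (loc !~ /^https:\/\//) { print "FAIL: target is not https: " loc;   exit 2 }
            if (loc != expected)      { print "FAIL: got " loc ", want " expected; exit 3 }
            print "OK: 301 -> " loc
        }'
}

# Constructed sample responses (written for this example, not captured).
sample_redirect()    { printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://your_domain/shop?id=7\r\n\r\n'; }
sample_plain()       { printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n'; }
sample_http_target() { printf 'HTTP/1.1 301 Moved Permanently\r\nlocation: http://www.your_domain/shop?id=7\r\n\r\n'; }
sample_lost_path()   { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://your_domain/\r\n\r\n'; }

want='https://your_domain/shop?id=7'
sample_redirect    | check_redirect "$want"
sample_plain       | check_redirect "$want" || echo "  exit code $?"
sample_http_target | check_redirect "$want" || echo "  exit code $?"
sample_lost_path   | check_redirect "$want" || echo "  exit code $?"

# Against a live server (your_domain is the guide's placeholder):
#   curl -sI 'http://your_domain/shop?id=7'  | check_redirect 'https://your_domain/shop?id=7'
#   curl -sI 'https://your_domain/shop?id=7' | check_redirect 'https://www.your_domain/shop?id=7'
```

A 200 on port 80 means the site is still being served over plain HTTP, and a Location that differs from the expected URL usually means the redirect dropped the path or query string.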

Conclusion

Redirecting HTTP to HTTPS is a crucial step in securing your website, ensuring that all data transmitted between your server and users is encrypted and protected. By implementing this redirection in Nginx, you provide a seamless and secure browsing experience for your users. Here are the key takeaways from the process:

  1. Installation and Preparation:

  • Ensure Nginx is installed and running on your server.

  • Obtain and install a valid SSL certificate, preferably using a trusted authority like Let's Encrypt, which provides free SSL certificates.

  2. Configuration:

  • Update your Nginx configuration to include a server block that listens on port 80 (HTTP) and redirects all traffic to the HTTPS version of the requested URL.

  • Define another server block that listens on port 443 (HTTPS), specifying the domain names and the locations of your SSL certificate and key.

  • Include additional SSL configurations for enhanced security, such as strong Diffie-Hellman parameters and recommended security options.

  3. Testing and Restarting:

  • Before applying the new configuration, test it to ensure there are no syntax errors using sudo nginx -t.

  • Reload Nginx to apply the changes, making the redirection effective immediately.

  4. Optional Enhancements:

  • If necessary, add a server block to force redirect non-WWW to WWW (or vice versa) to maintain a consistent URL structure and improve SEO.

By following these detailed steps, you create a robust and secure environment for your website, protecting your users' data and fostering trust. Redirecting HTTP to HTTPS not only complies with modern security standards but also boosts your site's credibility and ranking in search engines. This proactive measure demonstrates your commitment to security, offering peace of mind to your users and enhancing the overall user experience.

Implementing HTTP to HTTPS redirection in Nginx is straightforward and highly beneficial. This guide equips you with the knowledge and steps required to achieve a secure and reliable web presence, ensuring that your site is well-protected against potential threats and vulnerabilities.
