Easy vs secure: what are the implications?


#1

During setup you are asked to choose. What are the implications of each choice? Can I use service worker only if I pick secure?


#2

Can you provide a little more information, please?

What client are you using? What is your operating system? Where is it asking that question …?


#3

If you’re referring to the message in Certbot, then it refers to whether users will be redirected to the HTTPS site automatically if they try to go to the HTTP URL.

For example, if you have www.example.com, then with “Easy”, visitors to http://www.example.com/ stay on http://www.example.com/. With “Secure”, visitors to http://www.example.com/ get sent to https://www.example.com/ instead.


#4

Thanks Schoen, that must be what I was using.

Is it possible to change it to secure after making the initial decision of easy?


#5

@oliver-w, you may be able to do so by reinstalling the existing cert in Certbot, but you can also do so by editing web server configuration files. For example in Apache, Certbot uses a RewriteRule from mod_rewrite.

You can find documentation online for how to write such redirection rules, or people on this forum can help you do it.


#6

After some googling I tried adding

RewriteEngine on
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.wearenaughtypixel.co.uk/$1 [R=301,L]

to my .htaccess file. I restarted Apache afterwards.
I did an empty cache and hard reload in Google Chrome, but it is still showing me the insecure HTTP version.


#7

What Certbot currently does inside your Apache <VirtualHost> (the original one for *:80, not the one for the HTTPS VirtualHost, which is something-le-ssl.conf) is

RewriteEngine on
RewriteCond %{SERVER_NAME} =example.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

where example.org is your domain name. So I believe if you had done it for www.wearenaughtypixel.co.uk it would look like

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.wearenaughtypixel.co.uk
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

If you have multiple domain names, apparently all except the last get their own RewriteCond lines but ending in [OR], like

RewriteEngine on
RewriteCond %{SERVER_NAME} =wearenaughtypixel.co.uk [OR]
RewriteCond %{SERVER_NAME} =www.wearenaughtypixel.co.uk
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

if you wanted to apply to an HTTP vhost that includes coverage for both wearenaughtypixel.co.uk and www.wearenaughtypixel.co.uk.

Alternatively, you can delete the rewrite block and reinstall the certificate by running something like

certbot run -d example.org -d www.example.org

where the -d list must include every name in your existing cert, not just some of them, and then answer yes when asked if you want to reinstall the cert. You should then be able to say “Secure” and have Certbot add the enhancement of the redirect block.
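The rule quoted above is compact, so here is an added example (not Certbot's or Apache's own code, and not part of the reply) that models what it does: a request whose Host matches one of the [OR]-chained RewriteCond names gets a permanent redirect to the same host and path over HTTPS, with [QSA] re-attaching the query string. It assumes Apache's default UseCanonicalName Off, so %{SERVER_NAME} is the Host header the client sent; the domain names and requests are constructed from this thread. The second function is the check an operator can run against a captured response to confirm the redirect is a same-host, same-path, permanent redirect to https://.

```python
"""Model of the HTTP->HTTPS redirect produced by Certbot's Apache rule.

Added example, not Certbot's or Apache's code. It models

    RewriteCond %{SERVER_NAME} =example.org [OR]
    RewriteCond %{SERVER_NAME} =www.example.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

Assumption: UseCanonicalName is Off (Apache's default), so %{SERVER_NAME}
is the Host header sent by the client.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    host: str         # Host header -> %{SERVER_NAME} with UseCanonicalName Off
    request_uri: str  # %{REQUEST_URI}: the path only, no query string
    query: str = ""   # %{QUERY_STRING}


def redirect_location(req: Request, vhost_names: Tuple[str, ...]) -> Optional[str]:
    """Return the Location the rule would send, or None when no RewriteCond
    matches (the request is then served over plain HTTP unchanged).

    [OR] between the RewriteCond lines: any exact host match is enough.
    [QSA]: the target has no query string, so the original one is appended.
    [R=permanent]: HTTP 301.  [END]: no further rewriting of this request.
    """
    if req.host not in vhost_names:
        return None
    location = f"https://{req.host}{req.request_uri}"
    if req.query:
        location += "?" + req.query
    return location


def check_redirect(status: int, location: Optional[str],
                   original_host: str, original_path: str) -> Tuple[bool, str]:
    """Operator-side check of a captured HTTP response: is it a permanent
    redirect to the same host and path over HTTPS?  Returns (ok, reason)."""
    if status not in (301, 308):
        return False, f"expected 301/308, got {status}"
    if not location:
        return False, "redirect without Location header"
    parts = urlsplit(location)
    if parts.scheme != "https":
        return False, f"redirect target scheme is {parts.scheme}, not https"
    if parts.hostname != original_host:
        return False, f"redirect changes host to {parts.hostname}"
    if parts.path != original_path:
        return False, f"redirect changes path to {parts.path}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests against the vhost names from this thread.
    names = ("wearenaughtypixel.co.uk", "www.wearenaughtypixel.co.uk")
    for r in (Request("www.wearenaughtypixel.co.uk", "/blog/", "page=2"),
              Request("wearenaughtypixel.co.uk", "/"),
              Request("other.example", "/")):
        print(r.host, r.request_uri, "->", redirect_location(r, names))
    print(check_redirect(301, "https://www.wearenaughtypixel.co.uk/blog/?page=2",
                         "www.wearenaughtypixel.co.uk", "/blog/"))
```

The third constructed request shows why the RewriteCond lines matter: a Host that is not one of the vhost's names is left alone, which is also why a rule placed in a .htaccess under /var/www/html rather than in the *:80 VirtualHost can appear to do nothing.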


#8

Thank you for that thorough answer and sorry for asking so many questions but I still haven’t managed to get this to work. My .htaccess file is in my /var/www/html directory. Is this the correct location? At the moment my site is working for http but is showing a list of directories when I enter the same address prepended with https in a browser.


#9

Hi @oliver-w, I’m afraid that’s probably an Apache question, which might be better directed to a different forum unless someone here happens to know the answer. But the place that Certbot would have put the redirect rules, and the place where most of the relevant configuration happens, is not in a .htaccess but in some files within /etc/apache2/sites-available.


#10

It’s a bit irrelevant to this topic, but why won’t Certbot add HSTS and HPKP headers?


#11

We’re interested in doing so but both of those can produce pretty bad consequences for sites that enable them without understanding what they do (in terms of preventing users from visiting a site at all). A lot of people who use Certbot don’t know very much about web application security standards or what the consequences of enabling HSTS or HPKP would be. So we would want to find a way to make sure that people don’t end up in a situation they’ll regret.

But we would definitely like to be able to give people a way to enable those security features.
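To make the lock-out concern in the reply above concrete, here is an added example (not Certbot's code and not part of the reply) that parses a Strict-Transport-Security header and lists what the policy commits the site to: once a browser has seen it, plain-HTTP access to the host is refused for max-age seconds, includeSubDomains extends that to every subdomain, and preload asks browsers to hard-code it. The header grammar follows RFC 6797; the 30-day warning threshold and the wording are this example's own choices, and the sample headers are constructed. HPKP has since been removed from major browsers, so the example covers HSTS only.

```python
"""Parse a Strict-Transport-Security header and explain its lock-in effect.

Added example, not Certbot's code.  Header grammar per RFC 6797; the
30-day threshold below is this example's own choice.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HstsPolicy:
    max_age: int                   # seconds browsers refuse http:// for
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse 'max-age=N; includeSubDomains; preload'.  Returns None for a
    header without a valid max-age, which browsers likewise ignore."""
    max_age = None
    include_subdomains = preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def assess_hsts(policy: HstsPolicy, all_subdomains_serve_https: bool) -> List[str]:
    """Return human-readable warnings about what the policy commits you to."""
    warnings: List[str] = []
    days = policy.max_age // 86400
    if policy.max_age == 0:
        warnings.append("max-age=0 clears the policy; no protection is provided")
    elif days >= 30:
        warnings.append(f"browsers will refuse http:// for {days} days; a lapsed "
                        "or misconfigured certificate locks users out for that long")
    if policy.include_subdomains and not all_subdomains_serve_https:
        warnings.append("includeSubDomains covers every subdomain, including ones "
                        "that do not serve HTTPS; those become unreachable")
    if policy.preload:
        warnings.append("preload asks to be hard-coded into browsers; removal "
                        "takes months, so treat this as irreversible")
        if policy.max_age < 31536000 or not policy.include_subdomains:
            warnings.append("the preload list requires max-age >= 31536000 and "
                            "includeSubDomains; this header would be rejected")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers, from a cautious rollout to full commitment.
    for h in ("max-age=300",
              "max-age=31536000; includeSubDomains",
              "max-age=63072000; includeSubDomains; preload"):
        p = parse_hsts(h)
        print(h, "->", assess_hsts(p, all_subdomains_serve_https=False))
```

A short max-age such as the first sample produces no warning, which is the usual rollout order: confirm every host and subdomain really serves HTTPS before raising max-age or adding preload.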

