Let's talk about HTTPS

That's right, this post is all about HTTPS. This is the first of a number of posts I have planned on HTTPS; it covers the basics and will serve as a reference in later posts as I get into the real detail of it all.

What is HTTPS

First things first: why do we need HTTPS? There are three reasons: privacy, integrity, and identification.

HTTPS provides a private connection between you, the user, and an endpoint. That doesn't mean the endpoint is secure; it just means that no one between you and the endpoint is going to know what's going on.

With HTTPS the connection between you and the endpoint is secure: the content hasn't been changed along the way, and you know you're talking to the right website.

With HTTPS, a digital signature attached to a message can identify the sender, which means that when you browse the web, the site you are visiting is indeed the one you think it is.

The Network engineering bit

I'm going to assume you have deployed a website on a server before in some way, so I won't cover it in too much detail.

When we deploy a website, we typically upload our files to our server and then update our DNS A or CNAME record to point to the server and the website.

Origin Server

This is where your web app or website is actually running: the server you have uploaded your files to. This is called the origin.

Proxy Server

A proxy server is an endpoint that routes traffic to the right place. You don't always have to use a proxy, but many of us do, for load balancing and for routing different domains in an easy-to-manage way.

Edge Server

This is a lot like a proxy. The user reaches the edge server and is then passed along to the next part. The most common way for this to work is with Cloudflare / Netlify.

HTTPS needs SSL

What turns HTTP into HTTPS is called an SSL cert; this is the identity part I talked about above. The cert is what tells your browser that this site is who it is supposed to be.

SSL Certs

There are a few ways to do this, but I like the combination of Cloudflare and Let's Encrypt.

Cloudflare SSL

When you use Cloudflare for your SSL, you create a secure connection between the user and the edge.

By default, Cloudflare won't communicate with your server over SSL; it will send traffic to your server over HTTP. But the connection between the user and Cloudflare's network will be secured.

Let's Encrypt

Let's Encrypt is awesome: they provide free SSL certs on almost all platforms, and they give you the tooling for renewing to make it even easier.

You can add an SSL cert to your server and then have Cloudflare communicate with your server over SSL instead of HTTP. That way the traffic is protected the whole way onto your network.

Redirecting http to https

Careful now. Really, be careful: redirects are a big gotcha. Set them wrong and your site won't work, as users will be bounced from one to another.

Cloudflare allows you to create a redirect from HTTP to HTTPS. This means that when the user reaches the edge server over HTTP, the edge will change it to HTTPS.

If you are using a cert on your server, you can create a 301 redirect on the server to send anything on HTTP to HTTPS.
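
To see how the two redirects interact, here is a small offline model of the edge and the origin. It is an added example, not Cloudflare's or any server's own code; the host example.test and every function name in it are made up for illustration. It shows the "bounced from one to another" case: an origin that 301s HTTP to HTTPS while the edge still talks to it over HTTP.

```python
from urllib.parse import urlsplit

# Constructed model: example.test and all names here are hypothetical.

def origin(host, scheme, path, origin_forces_https):
    """Origin server. `scheme` is how the edge connected to it."""
    if origin_forces_https and scheme == "http":
        return 301, f"https://{host}{path}"        # the server-side 301
    return 200, None

def edge(url, edge_to_origin, edge_forces_https, origin_forces_https):
    """Edge server: answers the user, then fetches from the origin."""
    u = urlsplit(url)
    if edge_forces_https and u.scheme == "http":
        return 301, f"https://{u.netloc}{u.path}"  # the edge redirect
    # The origin only sees the edge-to-origin scheme, never the user's.
    return origin(u.netloc, edge_to_origin, u.path, origin_forces_https)

def follow(url, max_hops=10, **cfg):
    """Follow redirects like a browser: 'ok', 'loop' or 'too many'."""
    seen = []
    while len(seen) < max_hops:
        if url in seen:
            return "loop", seen + [url]
        seen.append(url)
        status, location = edge(url, **cfg)
        if status == 200:
            return "ok", seen
        url = location
    return "too many", seen

if __name__ == "__main__":
    start = "http://example.test/"
    setups = {
        "edge talks HTTP to origin, origin 301s to HTTPS":
            dict(edge_to_origin="http", edge_forces_https=False,
                 origin_forces_https=True),
        "edge talks HTTPS to origin, both redirect":
            dict(edge_to_origin="https", edge_forces_https=True,
                 origin_forces_https=True),
        "edge redirects, edge talks HTTP to origin, origin does not":
            dict(edge_to_origin="http", edge_forces_https=True,
                 origin_forces_https=False),
    }
    for name, cfg in setups.items():
        print(name, "->", follow(start, **cfg))
```

The first setup loops because the origin keeps seeing HTTP from the edge no matter what the user typed. The third setup loads fine, but the traffic between the edge and the origin is still plain HTTP.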