Are you looking for an all-in-one article about TYPO3 + HTTPS? Then you are in the right place. It covers what HTTPS is and why it matters, how to configure HTTPS in TYPO3, how to force HTTPS in TYPO3, how to force HTTPS in Apache or Nginx, and more.
TYPO3 is the most secure OpenSource CMS. But still, you should take care of basic security measures such as enabling HTTPS/SSL on your TYPO3 website. It helps protect your TYPO3 site against hacking attempts. One more benefit: it will improve your SEO rank too. So, let’s quickly explore how to configure HTTPS for your TYPO3 website.
What is HTTPS?
The official definition of HTTPS is:
“HyperText Transfer Protocol Secure (HTTPS) is a well-known HTTP+SSL, a client and a server communicate to each other, but with SSL Certificate, that encrypts and decrypts their requests and responses.”
What did Google say about HTTPS/SSL?
“HTTPS as a ranking signal.” - Google!
Google Starts Giving A Ranking Boost To Secure HTTPS/SSL Sites, Google's push for HTTPS adoption appears to be working.
Why should HTTPS be implemented on your TYPO3 website?
- Secure Transactions
- Boost SEO
- Protect your site from hackers and phishing
- PCI Compliance
- Safeguard Customer’s Data
- HTTPS browser trust indicator
- Green Address Bar
Step-by-Step Guide to Configure HTTPS/SSL into TYPO3
What are the prerequisites for configuring HTTPS in TYPO3?
Before we look at how to set up and configure HTTPS in TYPO3, please make sure your domain is secured with an SSL certificate.
You will need to install an SSL certificate on your hosting server. You can ask your system administrator to install and configure the SSL certificate for your TYPO3 website.
If you are looking for free and reliable SSL certificates, consider the popular Let’s Encrypt.
Once you install and configure your SSL certificate, your site will show a green signal in the browser’s address bar.
How can I configure HTTPS in a TYPO3 website?
In TYPO3 v9 & v10
Step 1. Login to your TYPO3 backend.
Step 2. Go to Site Management > Sites
Step 3. Edit your site by clicking the “Edit” button.
Tips
If your TYPO3 website does not have such a site entry, your TYPO3 developer may have configured your site the old way. In that case, follow the approach described below for TYPO3 <= v8.
Step 4. In the “Entry point” field, configure “https”, e.g. https://yourdomain.com/
By the way, if you have different “Variants for the Entry point”, you should consider setting “https” for your production site.
Done, that’s it!
Now go to your frontend site; all of its URLs will start with “https://” :)
In TYPO3 v8 and below
Step 1. Go to Web > Template > Choose root page
Step 2. Edit your template by clicking “Edit the whole template record”
Step 3. Adapt your code or add the following TypoScript to the “Setup” field.
# TypoScript setup
# Default baseURL to access TYPO3 website via HTTP
config {
baseURL = http://www.domain.de/
absRefPrefix = http://www.domain.de/
}
# If your site has been accessed with HTTPS then let’s re-configure baseURL
[globalString = _SERVER|HTTPS=on]
config {
baseURL = https://www.domain.de/
absRefPrefix = https://www.domain.de/
}
[global]
How to configure SSL for your TYPO3 backend?
TYPO3 core provides settings to strictly run your TYPO3 backend on HTTPS.
Tip: Below TYPO3 v9, the following setting is found in your TYPO3 Install tool > All configuration.
Step 1. Go to Admin Tools > Configuration Installation-Wide Options > Click on “Configure options”
Step 2. Search for “lockSSL”, configure the option and click the “Write configuration” button
Or simply write the following configuration in your TYPO3 instance’s code.
// typo3conf/LocalConfiguration.php
// or AdditionalConfiguration.php
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] = '1';
Using SSL for the TYPO3 CMS backend improves security. The "lockSSL" setting controls whether the backend must be operated over an SSL-encrypted connection (HTTPS). Possible values are 0, 1, 2, or 3 (integer) with the following meaning:
0 = The backend is not forced to SSL locking at all (default value)
1 = The backend requires a secure HTTPS connection.
2 = Users trying to access unencrypted admin URLs will be redirected to encrypted SSL URLs.
3 = Only the login is forced to SSL. After that, the user switches back to non-SSL mode.
How to force HTTPS in TYPO3?
Now, let’s set up a forced redirect to HTTPS for your website visitors. That means if a visitor tries to access the site with an HTTP URL, we redirect them to the HTTPS URL.
For Apache users: you can configure this either through .htaccess or the virtual host. Here are the examples.
Option #1 Normal Force Redirect HTTP to HTTPS
# .htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
Option #2 Force Redirect to HTTPS and Non-WWW
# .htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule (.*) https://example.com/$1 [L,R=301]
</IfModule>
Option #3 Force Redirect to HTTPS and WWW
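# .htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
# Capture the host without a leading "www." so the prefix is never doubled
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule (.*) https://www.%1/$1 [R=301,L]
</IfModule>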
Option #4 Force Redirect to HTTPS at Virtual Host
# httpd.conf Apache configuration
<VirtualHost *:80>
ServerName mysite.example.com
Redirect permanent / https://mytypo3site.com/
#etc
</VirtualHost>
<VirtualHost _default_:443>
ServerName mytypo3site.com
DocumentRoot /usr/local/apache2/htdocs
SSLEngine On
# etc...
</VirtualHost>
After making the above changes, make sure to restart your Apache server:
sudo service apache2 restart
Oh, you don’t run Apache and use Nginx instead? No problem!
How to force HTTPS for TYPO3 on an Nginx server?
To enforce an HTTP to HTTPS redirect, you have to edit the Nginx configuration file.
As a rule, you can find the file in the /etc/nginx/sites-available directory. If it is not there, look for it here: /etc/nginx/nginx.conf, /usr/local/nginx/conf, or /usr/local/etc/nginx.
When you have found the Nginx configuration file, open it in a text editor from the command line:
Step 1. Open Nginx configuration file
sudo nano /etc/nginx/sites-available/server.conf
Step 2. Edit the configuration as below.
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
Step 3. Restart your Nginx server
sudo service nginx restart
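One way to verify the redirects configured above (Apache options #1 to #3 and the Nginx server block), added here as an example and not part of the original article: the function checks a recorded redirect chain for 301 hops that end on the canonical HTTPS host with path and query preserved. The function name, the hop format and the example.com chains are assumptions made for this example.

```python
from urllib.parse import urlsplit


def check_redirect_chain(hops, canonical_host):
    """hops: ordered (url, status, location) tuples; the last one is the final page.

    Returns a list of problems; an empty list means the redirect is as intended.
    """
    problems = []
    first, last = urlsplit(hops[0][0]), urlsplit(hops[-1][0])
    for url, status, location in hops[:-1]:
        if status != 301:
            problems.append(f"{url}: status {status} instead of 301")
        if urlsplit(location or "").scheme != "https":
            problems.append(f"{url}: Location is not an https:// URL")
    if last.scheme != "https" or last.hostname != canonical_host:
        problems.append(f"ends on {last.scheme}://{last.hostname}, not https://{canonical_host}")
    if (first.path or "/", first.query) != (last.path or "/", last.query):
        problems.append("path or query string changed during the redirect")
    return problems


# Constructed sample chains (as one would record them with `curl -sIL`), not real traffic.
GOOD = [("http://www.example.com/page?id=5", 301, "https://example.com/page?id=5"),
        ("https://example.com/page?id=5", 200, None)]
# Plain HTTPS redirect in place where the www host was meant to be canonical.
WRONG_HOST = [("http://example.com/page", 301, "https://example.com/page"),
              ("https://example.com/page", 200, None)]
# Temporary redirect that also drops the requested path and query.
LOSSY = [("http://example.com/page?id=5", 302, "https://example.com/"),
         ("https://example.com/", 200, None)]
```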
What should we do after enabling HTTPS in TYPO3?
Well, your job is still not done. You need to make sure everything works well on the TYPO3 website ;)
The most common issue: if your TYPO3 website was not developed with standards-compliant code, there is a chance it still makes some “HTTP requests”.
/* Example: your TYPO3 site may still load a resource through an “HTTP URL” */
@import url(http://fonts.googleapis.com/css?family=Open+Sans:300,600,400);
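To find such leftover HTTP requests, the following added example (not from the original article) scans rendered frontend HTML for subresources still loaded over http://, including the CSS @import case shown above. The class and function names and the sample markup are constructed for this example.

```python
import re
from html.parser import HTMLParser

# (tag, attribute) pairs that load a subresource. Browsers block "active" mixed
# content; "passive" content is upgraded to HTTPS or loaded with a warning.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
# http:// URLs referenced from CSS via url(...) or @import "..."
CSS_URL = re.compile(r"""(?:url\(\s*|@import\s+)['"]?(http://[^'")\s;]+)""", re.I)


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        attrs = dict(attrs)
        is_stylesheet = "stylesheet" in (attrs.get("rel") or "").lower()
        for name, value in attrs.items():
            if not (value or "").lower().startswith("http://"):
                continue
            if (tag, name) in ACTIVE and (tag != "link" or is_stylesheet):
                self.findings.append(("active", tag, value))
            elif (tag, name) in PASSIVE:
                self.findings.append(("passive", tag, value))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # text inside <style>...</style>
            self.findings += [("css", "style", u) for u in CSS_URL.findall(data)]


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample of rendered frontend output (not taken from a real site).
SAMPLE = """<style>@import url(http://fonts.googleapis.com/css?family=Open+Sans:300,600,400);</style>
<link rel="stylesheet" href="https://example.com/typo3temp/main.css">
<script src="http://example.com/fileadmin/js/app.js"></script>
<body><img src="http://example.com/fileadmin/logo.png"><a href="http://example.org/">link</a></body>"""
```

Plain `<a href>` links and `<link rel="canonical">` are navigation or metadata and are deliberately not reported.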
For such a simple configuration, I recommend not using any TYPO3 extension. However, if you want to configure a forced HTTPS redirect with a TYPO3 extension, here are some suggestions.
Page HTTPS Forcer
Adds a page record option to enforce HTTP/HTTPS access depending on server port and environment variables. Can handle shared secured domains and SSL proxies. Works well with the RealURL extension.
Simple SSL Extension for TYPO3
This TYPO3 extension lets users simply activate SSL for the complete domain. Security made simple. HTTPS-only sites help build SEO rankings. We wanted to create a useful and helpful tool for admins to manage SSL for a full domain, and not only for a page (as TYPO3 ships by default).
Bonus: Tips on HTTPS in TYPO3
How to set up TYPO3 cookieSecure?
This configuration should be used in combination with "lockSSL", described in the backend section above. It indicates that the cookie should only be transmitted over a secure HTTPS connection between client and server. Possible values are 0, 1, and 2 (integer) with the following meaning:
0 = A cookie is always sent, independently of which protocol is currently used. This is the default setting.
1 = The cookie will only be set if a secure connection exists (HTTPS). Use this in combination with "lockSSL", since otherwise the application will fail and throw an error.
2 = The cookie will be set in every case, but it uses the secure flag if a secure (HTTPS) connection exists.
// typo3conf/LocalConfiguration.php or AdditionalConfiguration.php
$GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieSecure'] = '1';
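A check for which cookieSecure value is actually in effect, added here as an example and not part of the original article: it reads Set-Cookie headers captured from login responses and returns the values from the table above that fit what was observed. It assumes TYPO3's default backend cookie name be_typo_user; the function names and header lines are constructed.

```python
def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, set of attribute names)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0]
    return name, {part.split("=", 1)[0].strip().lower() for part in rest if part}


def consistent_settings(observations, cookie="be_typo_user"):
    """Return the cookieSecure values (0, 1, 2) that fit the observed responses.

    observations: list of (scheme, [Set-Cookie header values]) per response.
    """
    possible = {0, 1, 2}
    for scheme, headers in observations:
        for name, attrs in map(parse_set_cookie, headers):
            if name != cookie:
                continue
            if scheme == "http":
                possible -= {1}   # 1 never issues the cookie over plain HTTP
            elif "secure" in attrs:
                possible -= {0}   # 0 does not add the Secure flag
            else:
                possible &= {0}   # 1 and 2 both add Secure on HTTPS
    return possible


# Constructed observations (scheme of the request, Set-Cookie values received).
WITH_FLAG = "be_typo_user=0123abcd; path=/; secure; HttpOnly"
WITHOUT_FLAG = "be_typo_user=0123abcd; path=/; HttpOnly"
HARDENED = [("https", [WITH_FLAG])]
DEFAULT = [("https", [WITHOUT_FLAG]), ("http", [WITHOUT_FLAG])]
MIXED = [("https", [WITH_FLAG]), ("http", [WITHOUT_FLAG])]
```

A result of `{0}` or `{2}` means the session cookie can still travel over plain HTTP.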
How to run TYPO3 with Reverse Proxy IP & SSL?
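You can configure the reverse proxy IP with SSL support using the TYPO3 core configuration below. Set reverseProxyIP to the address of your own proxy only, because TYPO3 trusts the forwarded headers coming from that address; reverseProxySSL = '*' declares that every proxy listed in reverseProxyIP terminates SSL.
// typo3conf/LocalConfiguration.php or AdditionalConfiguration.php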
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'] = 'THE IP OF YOUR PROXY SERVER';
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyHeaderMultiValue'] = 'last';
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxySSL'] = '*';
Important HTTPS Checklist (for SEO)
After migrating your TYPO3 site from HTTP to HTTPS, check the following SEO points.
- Make sure not to miss the HTTPS configuration of your CDN (Content Delivery Network)
- Update URLs/references in content
- Update URLs/references in templates
- Update images and other URL links
- Update canonical tags
- Update hreflang tags
- Update any modules/plugins/extensions
- Force HTTPS in TYPO3 with all redirects
- Update old redirects to the current setup
- Update your robots.txt file
- Add your website again in WMT (Google Webmaster Tool)
- Update sitemaps
- Do some quick testing to ensure everything worked out, e.g. www.ssllabs.com/ssltest/
- Keep tracking everything during the migration
Wrap-up!
Thanks for reading!
I hope this article helps you understand, install and configure HTTPS/SSL on your TYPO3 website. Are you facing any issues while configuring HTTPS on your TYPO3 website? Feel free to write in the comment box; I’ll be happy to answer any questions.
Have a Secure TYPO3 Website!
- Hi t3planet.com admin, You always provide great information and insights.
- Thanks a lot for the detailed information. It is very helpful!
- Hi Sanjay, thank you for providing a detailed blog on HTTPs. Post-reading this blog I can implement HTTPs on my website with ease
- Dear Katja Krause, thank you so much. I’m so glad you found it helpful
Sanjay Chauhan
CTO - T3Planet & NITSAN
Sanjay Chauhan, co-founder of NITSAN (award-winning TYPO3 agency) and pioneer of T3Planet, the first TYPO3 shop worldwide.
A true TYPO3 fanatic since 2010.
With my extensive technical knowledge and…