How to Enable TYPO3 HTTPS?

Are you looking for an all-in-one article about TYPO3 + HTTPS? Then you are in the right place. This article covers what HTTPS is and why it matters, how to configure HTTPS in TYPO3, how to force HTTPS in TYPO3, and the Apache and Nginx configuration for forcing HTTPS.

TYPO3 is the most secure OpenSource CMS. But you should still take care of basic security measures such as serving your TYPO3 website over HTTPS with an SSL certificate. It helps protect your TYPO3 site against hacking attempts. One more benefit: it will improve your SEO rank too. So, let’s quickly explore how to configure HTTPS for your TYPO3 website.

What is HTTPS?

The official definition of HTTPS is:

“HyperText Transfer Protocol Secure (HTTPS) is a well-known HTTP+SSL, a client and a server communicate to each other, but with SSL Certificate, that encrypts and decrypts their requests and responses.”

What did Google say about HTTPS/SSL?

“HTTPS as a ranking signal.” - Google!

Google Starts Giving A Ranking Boost To Secure HTTPS/SSL Sites, Google's push for HTTPS adoption appears to be working.

Why should HTTPS be implemented at your TYPO3 website?

  • Secure Transactions
  • Boost SEO
  • Protect your site from hackers and phishing
  • PCI Compliance
  • Safeguard Customer’s Data
  • HTTPS browser trust indicator
  • Green Address Bar

Step-by-Step Guide to Configure HTTPS/SSL into TYPO3

What is a pre-requirement to configure HTTPS into TYPO3?

Before we start setting up and configuring HTTPS in TYPO3, please make sure your domain is secured with an SSL certificate.

You will need to install an SSL certificate on your hosting server. You can contact your system administrator to install and configure the SSL certificate for your TYPO3 website.

If you are looking for free and reliable SSL certificates, you can consider the popular Let's Encrypt.

Once you have installed and configured your SSL certificate, your browser will show the secure (green) indicator in the address bar for your site.

How can I configure HTTPS into a TYPO3 website?

In TYPO3 v9 & v10

Step 1. Login to your TYPO3 backend.

Step 2. Go to Site Management > Sites

Step 3. Edit your site by clicking the “Edit” button.

Tip
If your TYPO3 website does not have such a site entry, your TYPO3 developer may have configured your site the old way. In that case, follow the method described below for TYPO3 <= v8.

Step 4. In the “Entry point” field, configure “https”, e.g., https://yourdomain.com/

By the way, if you have different “Variants for the Entry point”, you should consider setting “https” for your production site.

Done, that’s it!

Now go to your frontend site. All URLs of your site will start with “https://” :)

In TYPO3 v8 and below

Step 1. Go to Web > Template > Choose root page

Step 2. Edit your template by clicking “Edit the whole template record”

Step 3. Adapt code or add the following TypoScript into the “Setup” field.

# TypoScript setup
# Default baseURL to access TYPO3 website via HTTP
config {
    baseURL = http://www.domain.de/
    absRefPrefix = http://www.domain.de/
}

# If your site has been accessed with HTTPS then let’s re-configure baseURL
[globalString = _SERVER|HTTPS=on]
config {
        baseURL = https://www.domain.de/
        absRefPrefix = https://www.domain.de/
}
[global]

How to configure SSL for your TYPO3 backend?

TYPO3 core provides settings to strictly run your TYPO3 backend on HTTPS.

Tip: For versions below TYPO3 v9, the following setting can be found in your TYPO3 Install Tool > All configuration.

Step 1. Go to Admin Tools > Configuration Installation-Wide Options > Click on “Configure options”

Step 2. Search for “lockSSL”, configure the option and click the “Write configuration” button

Or you can simply add the following configuration to the code of your TYPO3 instance.

// typo3conf/LocalConfiguration.php
// or AdditionalConfiguration.php
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] = '1';

Using SSL for the TYPO3 CMS backend improves security. The "lockSSL" setting controls whether the backend must be operated over an SSL-encrypted connection (HTTPS). Possible values are 0, 1, 2, or 3 (integer) with the following meaning:

0 = The backend is not forced to SSL by any of these settings (default value)

1 = The backend requires a secure HTTPS connection.

2 = Users trying to access unencrypted admin URLs are redirected to encrypted SSL URLs.

3 = Only the login is forced to SSL. After that point, the user switches back to non-SSL mode.

How to TYPO3 Force HTTPS?

Now let’s set up forced redirects to HTTPS for your website visitors. This means that if a visitor tries to access the site with an HTTP URL, we redirect them to the HTTPS URL.

Apache users can configure this either through .htaccess or in the virtual host. Here are the examples.

Option #1 Normal Force Redirect HTTP to HTTPS

# .htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

Option #2 Force Redirect to HTTPS and Non-WWW

# .htaccess
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{HTTPS} off [OR]
	RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
	RewriteRule (.*) https://example.com/$1 [L,R=301]
</IfModule>

Option #3 Force Redirect to HTTPS and WWW

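# .htaccess
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{HTTPS} off [OR]
	RewriteCond %{HTTP_HOST} !^www\. [NC]
	# Capture the host without a leading "www." so that a plain-HTTP request
	# for www.example.com is not redirected to www.www.example.com
	RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
	RewriteRule (.*) https://www.%1/$1 [R=301,L]
</IfModule>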

Option #4 Force Redirect to HTTPS at Virtual Host

# httpd.conf Apache configuration
<VirtualHost *:80>
   ServerName mysite.example.com
   Redirect permanent / https://mytypo3site.com/
  #etc
</VirtualHost>

<VirtualHost _default_:443>
   ServerName mytypo3site.com
   DocumentRoot /usr/local/apache2/htdocs
   SSLEngine On
   # etc...
</VirtualHost>

After making the above changes, make sure to restart your Apache server:

sudo service apache2 restart

Oh, you don’t have Apache server, and use Nginx? No problem!

How to TYPO3 Force HTTPS in the Nginx server?

To enforce an HTTP to HTTPS redirect, you have to edit the Nginx configuration file.

As a rule, you can find the file in the /etc/nginx/sites-available directory. If it is not there, look for it here: /etc/nginx/nginx.conf, /usr/local/nginx/conf, or /usr/local/etc/nginx.

When you have found the Nginx configuration file, open it in a text editor from the command line:

Step 1. Open Nginx configuration file

sudo nano /etc/nginx/sites-available/server.conf

Step 2. Edit the configuration as below.

server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

Step 3. Restart your Nginx server

sudo service nginx restart

What should we do after HTTPS into TYPO3?

Well, your job is still not done. You need to make sure everything works well on your TYPO3 website ;)

The most common issue: if your TYPO3 website was not developed with standards-compliant code, there is a chance it still makes some “HTTP requests”.

/* Example: your TYPO3 site may still load a resource through an "HTTP URL" */
@import url(http://fonts.googleapis.com/css?family=Open+Sans:300,600,400);
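To find such leftover requests, the following added example (not code from the original article or from TYPO3) scans rendered page HTML for subresources that are still referenced with http://. The class and function names and the sample page are constructed for this illustration; plain links and the canonical tag are ignored on purpose because the browser does not fetch them as page resources.

```python
import re
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource (<a href> is navigation, not a fetch)
FETCH_ATTRS = {"script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
               "source": ("src", "srcset"), "video": ("src", "poster"), "embed": ("src",)}
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}
# http:// URLs inside CSS: url(...) and the quoted-string form of @import
CSS_HTTP = re.compile(r"""(?:@import\s+|url\(\s*)["']?(http://[^"')\s;]+)""", re.I)

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (where, url) pairs in document order
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        names = FETCH_ATTRS.get(tag, ())
        if tag == "link" and FETCHING_RELS & set(a.get("rel", "").lower().split()):
            names = ("href",)
        for name in names:
            value = a.get(name, "")
            # srcset holds a comma-separated list; other attributes hold one URL
            for part in (value.split(",") if name == "srcset" else [value]):
                url = part.strip().split(" ")[0]
                if url.lower().startswith("http://"):
                    self.findings.append((tag, url))
        for url in CSS_HTTP.findall(a.get("style", "")):
            self.findings.append((tag + "[style]", url))
        self._in_style = tag == "style"

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.findings += [("style", url) for url in CSS_HTTP.findall(data)]

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (file paths are made up for the demonstration)
SAMPLE = """<link rel="canonical" href="http://www.domain.de/">
<link rel="stylesheet" href="http://www.domain.de/main.css">
<style>@import url(http://fonts.googleapis.com/css?family=Open+Sans:300,600,400);</style>
<img src="/fileadmin/logo.png" srcset="http://www.domain.de/logo@2x.png 2x">
<div style="background: url('http://www.domain.de/bg.jpg')"></div>"""
```

Feed it the HTML of each rendered frontend page; external CSS files need the same CSS_HTTP check applied to their contents.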

Are there any TYPO3 Extensions for Force Redirect HTTPS?

For such a simple configuration, I recommend not using any TYPO3 extension. But if you want to configure the forced HTTPS redirect with a TYPO3 extension, here are some suggestions.

Page HTTPS Forcer

Adds a page record option to enforce HTTP/HTTPS access depending on the server port and environment variables. Can handle shared secured domains and SSL proxies. Fully compatible with the RealURL extension.

Simple SSL Extension for TYPO3

This TYPO3 extension lets users simply activate SSL for the complete domain. Security made simple. Having HTTPS-only sites helps in building SEO rankings. We wanted to make a useful and helpful tool for admins to manage SSL for a full domain, and not only for a page (as TYPO3 ships by default).

Bonus: Tips on HTTPs TYPO3

How to set up TYPO3 cookieSecure?

This setting should be used in combination with "lockSSL" (described above). It specifies that the cookie should only be transmitted over a secure HTTPS connection between client and server. Possible values are 0, 1, and 2 (integer) with the following meaning:

0 = The cookie is always sent, regardless of which protocol is currently in use. This is the default setting.

1 = The cookie is only set if a secure connection (HTTPS) exists. Use this in combination with "lockSSL", since otherwise the application will fail and throw an error.

2 = The cookie is set in every case, but it uses the secure flag if a secure (HTTPS) connection exists.

// typo3conf/LocalConfiguration.php or AdditionalConfiguration.php
$GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieSecure'] = '1';
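To check from the outside that the redirect rules, lockSSL and cookieSecure behave as intended, the following added example (not code from the original article or from TYPO3) audits a recorded redirect chain for non-permanent redirects, downgrades to HTTP, and session cookies sent without the Secure flag. The function name, hosts and cookie values are constructed; fe_typo_user and be_typo_user are TYPO3's frontend and backend session cookie names.

```python
from urllib.parse import urlsplit


def audit_https_chain(hops, canonical_host):
    """hops: [(url, status, [(header, value), ...]), ...] in request order; returns problems."""
    problems = []
    seen_https = False
    for url, status, headers in hops:
        https = urlsplit(url).scheme == "https"
        if seen_https and not https:
            problems.append(f"downgrade to plain HTTP at {url}")
        seen_https = seen_https or https
        headers = [(name.lower(), value) for name, value in headers]
        for name, value in headers:
            if name != "set-cookie":
                continue
            cookie = value.split("=", 1)[0].strip()
            flags = {part.strip().lower() for part in value.split(";")[1:]}
            if not https:
                problems.append(f"cookie {cookie} set over plain HTTP at {url}")
            elif "secure" not in flags:
                problems.append(f"cookie {cookie} lacks Secure at {url}")
        if not https:
            # A plain-HTTP hop must answer with a permanent redirect to an https:// URL
            location = dict(headers).get("location", "")
            if status not in (301, 308):
                problems.append(f"{url} answers {status}, not a permanent redirect")
            elif urlsplit(location).scheme != "https":
                problems.append(f"{url} redirects to non-HTTPS target {location!r}")
    final = urlsplit(hops[-1][0])
    if final.scheme != "https" or final.hostname != canonical_host:
        problems.append(f"chain ends at {hops[-1][0]}, not https://{canonical_host}/")
    return problems


# Constructed sample chains (hosts and cookie values are made up)
GOOD = [
    ("http://domain.de/", 301, [("Location", "https://www.domain.de/")]),
    ("https://www.domain.de/", 200,
     [("Set-Cookie", "fe_typo_user=abc123; path=/; Secure; HttpOnly")]),
]
BAD = [
    ("http://www.domain.de/typo3/", 302,
     [("Location", "https://www.domain.de/typo3/"),
      ("Set-Cookie", "be_typo_user=abc123; path=/; HttpOnly")]),
    ("https://www.domain.de/typo3/", 200,
     [("Set-Cookie", "be_typo_user=abc123; path=/; HttpOnly")]),
]
```

The GOOD chain returns no problems; the BAD chain reports the cookie sent over HTTP, the 302 redirect, and the missing Secure flag.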

How to run TYPO3 with Reverse Proxy IP & SSL?

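You can easily configure a reverse proxy IP with SSL support using the TYPO3 core configuration below. TYPO3 only evaluates the forwarded headers for requests that arrive from the address set in reverseProxyIP, so set it to the exact IP of your proxy server.

// typo3conf/LocalConfiguration.php or AdditionalConfiguration.php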
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'] = 'THE IP OF YOUR PROXY SERVER';
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyHeaderMultiValue'] = 'last';
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxySSL'] = '*';

Important HTTPS Checklist (for SEO)

After migrating from HTTP to HTTPS on your TYPO3 site, it is necessary to check the following SEO points.

  1. Make sure not to miss the HTTPS configuration at your CDN (Content Delivery Network)
  2. Update URLs/references in content
  3. Update URLs/references in templates
  4. Update images and other URL links
  5. Update canonical tags
  6. Update hreflang tags
  7. Update any modules/plugins/extensions
  8. Force HTTPS in TYPO3 with all redirects
  9. Update old redirects to the current setup
  10. Update your robots.txt file
  11. Add your website again in WMT (Google Webmaster Tool)
  12. Update sitemaps
  13. Do some quick testing to ensure everything worked out well, e.g., www.ssllabs.com/ssltest/
  14. Keep tracking everything during the migration

Wrap-up!

Thanks for reading!

I hope this article helps you understand, install and configure HTTPS/SSL for your TYPO3 website. Are you facing any issues while configuring HTTPS on your TYPO3 website? Feel free to write in the comment box; I’ll be happy to answer any questions.

Have a Secure TYPO3 Website!

Comments :

  • Katja Krause July 10, 2020 At 2:40 pm
    Hi Sanjay, thank you for providing a detailed blog on HTTPs. Post-reading this blog I can implement HTTPs on my website with ease
    • Sanjay July 10, 2020 At 2:57 pm
      Dear Katja Krause, thank you so much. I’m so glad you found it helpful
