HTTPS Cheat Sheet

Here’s a cheat sheet for working with HTTPS (Hypertext Transfer Protocol Secure), the secure version of HTTP:

Basics

  • Port Number:
    • HTTPS typically uses port 443.
  • URL Scheme:
    • URLs using HTTPS start with https:// instead of http://.

SSL/TLS Certificates

  • Obtaining a Certificate:
    • Purchase from a Certificate Authority (CA) or use a free certificate provider like Let’s Encrypt.
  • Generate a Self-Signed Certificate (for testing):
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

Web Server Configuration

Nginx:

  • Update Nginx server block:
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    # Other SSL/TLS configurations
}

Apache:

  • Update Apache VirtualHost:
<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem

    # Other SSL/TLS configurations
</VirtualHost>

Certificate Chain

Concatenate Certificate Chain:

cat cert.pem ca.pem > fullchain.pem

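Update the web server configuration to use the full chain: point the certificate directive (ssl_certificate in Nginx, SSLCertificateFile in Apache 2.4.8 and later) at fullchain.pem so that clients receive the intermediate certificates along with the server certificate.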

HTTP to HTTPS Redirect

Nginx:

  • Add a separate server block for HTTP and redirect to HTTPS:
server {
    listen 80;
    server_name example.com;

    return 301 https://$host$request_uri;
}

Apache:

  • Use the Redirect directive (mod_alias) to redirect:
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

HSTS (HTTP Strict Transport Security)

Enable HSTS:

  • Add the following header to your HTTPS-enabled server:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Qualys SSL Labs

Check SSL/TLS Configuration:

  • Use Qualys SSL Labs to assess the security of your HTTPS implementation.

Renewing Let’s Encrypt Certificates

Automated Renewal:

  • Certificates obtained from Let’s Encrypt can be automatically renewed using certbot.

Manually Renew:

certbot renew

HTTPS in Development

Use Self-Signed Certificates:

  • For local development, you can use self-signed certificates.

Browsers and Self-Signed Certificates:

  • Browsers may show a warning for self-signed certificates.

This cheat sheet covers some basic HTTPS configurations. For more details and specific configurations, refer to the documentation of your web server software and certificate provider.