Magento – HTTPS everywhere – Magento 2


If I would like to set up HTTPS on all pages (Frontend and Backend), which would be the best approach?

For now, using Apache 2.4 on CentOS 7, I have set up the following in VirtualHost:

    <VirtualHost *:80>
        ServerName www.magentotest.dev
        ServerAlias www.magentotest.dev
        DocumentRoot /var/www/magento/
        ErrorLog /var/log/magentotest/error.log
        CustomLog /var/log/magentotest/access.log combined

        Redirect / https://www.magentotest.dev/
    </VirtualHost>
    <VirtualHost *:443>
        ServerName www.magentotest.dev
        SSLEngine on

        SSLCertificateFile /etc/ssl/certs/magentotest.crt
        SSLCertificateKeyFile /etc/ssl/certs/magentotest.key

        DocumentRoot /var/www/magento/
        ErrorLog /var/log/magentotest/ssl.log
        CustomLog /var/log/magentotest/ssl.log combined
    </VirtualHost>

After doing this I visited the Magento frontend, which was totally messy. After a quick inspection of the source code I saw that the browser was correctly redirecting HTTP to HTTPS, but all the URLs of the website were pointing to HTTP.

So I logged in to the backend and set HTTPS for both the SECURE and UNSECURE URLs in store settings, flushed the cache and tried again; everything now appears to be correct and working.

From this setup I have a few questions:

  1. Is this the correct way to set up HTTPS for every page (Frontend and Backend)?
  2. Setting the UnsecureBaseURL in the backend to HTTPS, I expected slow performance on the Frontend. Correct me if I'm wrong, but with this setup Apache is pointing the user to HTTPS, while Magento takes the request and processes it with PHP, which answers "go to HTTPS", right? I mean, is there a way to avoid using Magento Secure/UnsecureBASE and tell Magento to point just to HTTPS and forget everything else?

Thanks
Marcos

Best Answer

Your VirtualHost configuration is basically correct.

As you alluded to yourself, you will need to set the unsecurebaseurl (and securebaseurl) to be https. Magento uses the unsecure URLs for basically everything it doesn't explicitly consider secure; however, there is no reason why you can't have these pointing to https also.

EDIT: The only other thing to consider is the FPC. Magento is designed to allow you to use Varnish for this; however, Varnish isn't capable of being an SSL terminator, meaning you'd need either a load balancer or another reverse proxy such as nginx to sit in front of it. Your stack can get quite a lot more complicated, quite quickly.
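
A check for the symptom described in the question (the redirect works, but the page's own URLs still point to HTTP), as an added example that is not part of the original question or answer. The function names, sample HTML and sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline checks for an "HTTPS everywhere" setup.
# Function names and sample data are constructed for illustration.

# Print every http:// URL on HOST ($1) found in src/href/action attributes
# of the HTML read from stdin (the references that break the HTTPS page).
insecure_refs() (
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    grep -oiE "(src|href|action)=[\"']http://${esc}[^\"']*" \
        | sed -E "s/^[^=]+=[\"']//" \
        | sort -u
)

# Succeed if the response headers on stdin are a 3xx redirect whose
# Location is an https:// URL (what the *:80 VirtualHost should send).
redirects_to_https() {
    tr -d '\r' | awk '
        NR == 1 && $2 ~ /^30[1278]$/ { redirect = 1 }
        tolower($1) == "location:" && $2 ~ /^https:\/\// { https = 1 }
        END { exit !(redirect && https) }'
}

# Constructed sample: page served over HTTPS while base URLs are still http://
SAMPLE_BEFORE='<link rel="stylesheet" href="http://www.magentotest.dev/static/frontend/styles.css">
<script src="http://www.magentotest.dev/static/frontend/require.js"></script>
<img src="https://www.magentotest.dev/media/logo.png">'

# Constructed sample: the same page after both base URLs were set to https://
SAMPLE_AFTER='<link rel="stylesheet" href="https://www.magentotest.dev/static/frontend/styles.css">
<script src="https://www.magentotest.dev/static/frontend/require.js"></script>
<img src="https://www.magentotest.dev/media/logo.png">'

# Constructed sample: mod_alias "Redirect" without a status keyword sends 302
SAMPLE_HEADERS='HTTP/1.1 302 Found
Location: https://www.magentotest.dev/'

# Demo: lists the two http:// asset URLs, then confirms the redirect
printf '%s\n' "$SAMPLE_BEFORE" | insecure_refs www.magentotest.dev
printf '%s\n' "$SAMPLE_HEADERS" | redirects_to_https && echo "redirect ok"
```

Against a live site, feed the functions with `curl -s https://www.magentotest.dev/ | insecure_refs www.magentotest.dev` and `curl -sI http://www.magentotest.dev/ | redirects_to_https`.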