How to configure HTTPS (SSL) for Magento + bonus
Google treats users’ security quite seriously, so it wasn’t surprising that in August 2014 Google announced HTTPS as a ranking factor. Still, buzz was heard here and there in the SEO community. Some people immediately switched to HTTPS; some preferred to take time and think over such a serious step. Anyway, there were people who claimed that HTTPS made their sites rank higher, those who saw drops in rankings after the switch to HTTPS, and finally those who didn’t notice any changes with HTTPS.


First of all, I am turning the floor over to Andrey, Amasty system administrator. He’s going to share some technical details on transitioning to HTTPS for Magento.

Points to consider

SSL speed

Andrey, Amasty System Administrator

The SSL protocol encrypts information transferred between a client’s browser and your web server. If you decide to set up SSL for your Magento store, it’s important to know that encryption takes server and browser resources and also slows down connection setup.

We compared page load speed for the HTTP (without SSL) and HTTPS (using SSL) protocols. In this test, ApacheBench requests a static HTML page from an Nginx web server.

Now let’s test HTTP protocol speed:

ab -c 5 -n 1000 http://example.local/static.html

This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking example.local (be patient)

Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests

Server Software:       nginx/1.2.1
Server Hostname:       example.local
Server Port:           80
Document Path:        /static.html
Document Length:       51926 bytes
Concurrency Level:     5
Time taken for tests:   0.609 seconds
Complete requests:     1000
Failed requests:       0
Write errors:           0
Total transferred:     52138000 bytes
HTML transferred:      51926000 bytes
Requests per second:   1641.01 [#/sec] (mean)
Time per request:       3.047 [ms] (mean)
Time per request:       0.609 [ms] (mean, across all concurrent requests)
Transfer rate:         83553.80 [Kbytes/sec] received

Connection Times (ms)
min mean[+/-sd] median   max
Connect:       0   0   0.1     0       2
Processing:     2   3   0.2     3       4
Waiting:       0   1   0.1     1       2
Total:         2   3   0.3     3       5

Percentage of the requests served within a certain time (ms)
50%     3
66%     3
75%     3
80%     3
90%     3
95%     3
98%     4
99%     4
100%     5 (longest request)

Now let’s test HTTPS protocol speed:

ab -c 5 -n 1000 https://example.local/static.html
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking example.local (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests

Server Software: nginx/1.2.1
Server Hostname: example.local
Server Port: 443
SSL/TLS Protocol: TLSv1/SSLv3,ECDHE-RSA-AES256-GCM-SHA384,2048,256

Document Path: /static.html
Document Length: 51926 bytes

Concurrency Level: 5
Time taken for tests: 4.396 seconds
Complete requests: 1000
Failed requests: 0
Write errors: 0
Total transferred: 52138000 bytes
HTML transferred: 51926000 bytes
Requests per second: 227.46 [#/sec] (mean)
Time per request: 21.982 [ms] (mean)
Time per request: 4.396 [ms] (mean, across all concurrent requests)
Transfer rate: 11581.24 [Kbytes/sec] received

Connection Times (ms)
min mean[+/-sd] median max
Connect: 6 12 3.9 11 29
Processing: 1 10 3.9 10 23
Waiting: 1 4 2.9 5 17
Total: 8 22 5.3 21 48

Percentage of the requests served within a certain time (ms)
50% 21
66% 23
75% 25
80% 26
90% 29
95% 31
98% 35
99% 38
100% 48 (longest request)

The difference between HTTP and HTTPS looks rather significant: 18 and 43 ms respectively. This difference is the time spent establishing the SSL connection. We have met websites with complicated layouts where some pages need around 150 server requests to load. If your server does not support Keep-Alive connections, an SSL connection has to be established for every request, and in this case establishing SSL connections may take up to 6.5 seconds, which is a big deal in the e-commerce world.
Thus, we want SSL for our Magento store, but we also want it to be faster.
Now, let’s have a look at HTTPS connection speed with Keep-Alive:

ab -c 5 -n 1000 -k https://example.local/static.html
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking example.local (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests

Server Software: nginx/1.2.1
Server Hostname: example.local
Server Port: 443
SSL/TLS Protocol: TLSv1/SSLv3,ECDHE-RSA-AES256-GCM-SHA384,2048,256

Document Path: /static.html
Document Length: 51926 bytes

Concurrency Level: 5
Time taken for tests: 0.507 seconds
Complete requests: 1000
Failed requests: 0
Write errors: 0
Keep-Alive requests: 990
Total transferred: 52142950 bytes
HTML transferred: 51926000 bytes
Requests per second: 1971.07 [#/sec] (mean)
Time per request: 2.537 [ms] (mean)
Time per request: 0.507 [ms] (mean, across all concurrent requests)
Transfer rate: 100368.49 [Kbytes/sec] received

Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 2.2 0 29
Processing: 1 2 0.7 2 18
Waiting: 0 1 0.5 1 10
Total: 1 2 2.5 2 32

Percentage of the requests served within a certain time (ms)
50% 2
66% 2
75% 2
80% 2
90% 2
95% 3
98% 3
99% 18
100% 32 (longest request)

To make sure the comparison is valid, let’s check HTTP connection speed with Keep-Alive support as well:

ab -c 5 -n 1000 -k http://example.local/static.html
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking example.local (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests

Server Software: nginx/1.2.1
Server Hostname: example.local
Server Port: 80

Document Path: /static.html
Document Length: 51926 bytes

Concurrency Level: 5
Time taken for tests: 0.446 seconds
Complete requests: 1000
Failed requests: 0
Write errors: 0
Keep-Alive requests: 993
Total transferred: 52142965 bytes
HTML transferred: 51926000 bytes
Requests per second: 2240.79 [#/sec] (mean)
Time per request: 2.231 [ms] (mean)
Time per request: 0.446 [ms] (mean, across all concurrent requests)
Transfer rate: 114102.75 [Kbytes/sec] received

Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.1 0 1
Processing: 1 2 0.3 2 5
Waiting: 0 1 0.2 1 1
Total: 1 2 0.3 2 5

Percentage of the requests served within a certain time (ms)
50% 2
66% 2
75% 2
80% 2
90% 3
95% 3
98% 3
99% 3
100% 5 (longest request)

And the results are:
[Chart: speed tests with Keep-Alive connections]
Takeaway: we recommend using Keep-Alive connections if you decide to fully switch your Magento shop to a secure connection.

Magento Enterprise

If you use Magento Enterprise Edition and Full Page Cache, please know that Full Page Cache will stop working if you turn HTTPS on for the whole website.

CDN

If you use HTTPS with a CDN, be ready to face a higher price asked by your CDN provider. Using a custom HTTPS certificate through a CDN is more expensive than regular HTTPS.

Enabling HTTPS for your Magento store

Getting the certificate

If you don’t use self-signed certificates, you’ll probably purchase your certificate from a CA (Certificate Authority) such as Verisign, Geotrust, Godaddy, etc.

To purchase such a certificate, you need to generate a private key and a certificate request first.

Use openssl for that. If you don’t have it now, install it using these commands:

Debian/Ubuntu

apt-get update
apt-get install openssl

RHEL/CentOS

yum install openssl

Now, let’s generate the private key for the example.local domain. Execute these commands as the root user or use sudo:

openssl genrsa -out /etc/ssl/private/example.local.key 2048
chown root:root /etc/ssl/private/example.local.key
chmod 0400 /etc/ssl/private/example.local.key

Next, let’s generate the certificate request. We marked out the places where you need to enter your own data:

openssl req -new -out /etc/ssl/certs/example.local.csr -key /etc/ssl/private/example.local.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Michigan
Locality Name (eg, city) []:Detroit
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example, Inc.
Organizational Unit Name (eg, section) []:Website
Common Name (e.g. server FQDN or YOUR name) []:example.local
Email Address []:webmaster@example.local
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

At this step you have a certificate request (example.local.csr) which should be sent to your Certificate Authority (CA). In reply you will receive a certificate file (for example, example.local.crt) and possibly a CA intermediate certificate (say, ca-bundle.crt), which connects your CA with root CAs. Root CAs have their certificates in all browsers (Root CA Certificate Storage).

Enabling SSL on Apache

Here’s the simplest SSL Apache configuration for the example.local host. 1.2.3.4:443 is the IP address and port on which the web server waits for SSL connections:

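<VirtualHost 1.2.3.4:443>
	ServerName example.local
	ServerAdmin webmaster@example.local
	DocumentRoot /var/vhosts/example.local
	SSLEngine on
	SSLCertificateFile /etc/ssl/certs/example.local.crt
	SSLCertificateKeyFile /etc/ssl/private/example.local.key
	# Intermediate CA chain, if your CA supplied one (on Apache 2.4.8+ append it to SSLCertificateFile instead)
	#SSLCertificateChainFile /etc/ssl/certs/ca-bundle.crt
</VirtualHost>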

Enabling SSL on Nginx

Here’s the simplest SSL Nginx configuration for the example.local host. 1.2.3.4:443 is the IP address and port on which the web server waits for SSL connections:

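server {
	# The "ssl" flag on listen enables SSL for this socket; the separate
	# "ssl on;" directive is redundant with it and no longer exists in current nginx.
	listen 1.2.3.4:443 ssl;
	server_name example.local;
	ssl_certificate /etc/ssl/certs/example.local.crt;
	ssl_certificate_key /etc/ssl/private/example.local.key;
	root /var/vhosts/example.local;
}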

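If you have ca-bundle.crt, append it to example.local.crt so that the server certificate comes first and the intermediate certificates follow. Run the command from the directory where you saved the files received from the CA (not from /etc/ssl/certs, where the output file would overwrite its own input):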

cat example.local.crt ca-bundle.crt > /etc/ssl/certs/example.local.crt

Enabling SSL in Magento

Before enabling SSL in Magento, make sure your web server is configured properly. To check this, open any static file through HTTPS; for example, https://example.local/robots.txt will do. If the file is shown successfully in the browser and there are no certificate warnings, you can proceed to SSL setup for Magento.

Go to the Magento backend, then follow System / Configuration / Web. Find the Secure section and enter your URL with HTTPS into the Base URL field. In our case it should be https://example.local/, which should also be added to the Unsecure section.

Set Use Secure URLs in Frontend and Use Secure URLs in Admin settings to Yes and save.

After that you need to clear all Magento cache: go to System / Cache Management and click the Flush Cache Storage button.

Now that you’re all set with SSL in Magento, it’s time to set a permanent redirect from HTTP to HTTPS. As a matter of fact, Magento does this redirect all by itself, but a server-level redirect reduces the load because the request is never handed over to Magento.

Here’s how to do it:

Apache

<VirtualHost *:80>
	ServerName example.local
	ServerAdmin webmaster@example.local
	<IfModule mod_rewrite.c>
		RewriteEngine on
		RewriteCond %{HTTPS} off
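		# In virtual-host context the matched path starts with "/"; ^/? keeps the
		# target from becoming https://example.local//path
		RewriteRule ^/?(.*)$ https://example.local/$1 [R=301,L]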
	</IfModule>
</VirtualHost>

Nginx

server {
	listen 80;
	server_name example.local;
	location / {
		return 301 https://example.local$request_uri;
	}
}

After you have reconfigured your web server, restart it so that the changes apply.

Possible issues

When we were switching to HTTPS for the whole Amasty site, browsers showed a notification for partially encoded content, which could be very embarrassing for your visitors. This issue arises because some js/css/fonts/pics are loaded using HTTP. To avoid that, check all the URLs using HTTP by looking through the source code of the page that gets the notification; you need to change them manually or find other ways to get rid of HTTP.
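
The manual source-code check described above can be automated. The following Python scanner is an added example, not part of the original article or of Amasty’s tooling: it lists the sub-resources (scripts, stylesheets, images, CSS url() references) that a page still requests over plain HTTP. The function name, the set of tags checked and the sample page are assumptions made for illustration; the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser

# Attributes that make the browser fetch a sub-resource. <a href> only
# navigates, so ordinary links never cause the mixed-content notification.
FETCH_ATTRS = {"script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
               "source": ("src", "srcset"), "video": ("src", "poster"),
               "audio": ("src",), "embed": ("src",), "object": ("data",)}
FETCH_RELS = {"stylesheet", "icon", "preload"}  # <link rel> values that fetch
CSS_URL = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)""", re.I)

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []       # (line, where, url)
        self._in_style = False

    def _report(self, where, url):
        # "/path" and "//host/path" inherit the page's scheme; only http:// is flagged
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], where, url))

    def handle_starttag(self, tag, attrs):
        attr = {name: value or "" for name, value in attrs}
        self._in_style = tag == "style"
        if tag == "link" and FETCH_RELS & set(attr.get("rel", "").lower().split()):
            self._report("link", attr.get("href", "").strip())
        for name in FETCH_ATTRS.get(tag, ()):
            # srcset is "url 2x, url 1x": the URL is each candidate's first token
            value = attr.get(name, "")
            parts = value.split(",") if name == "srcset" else [value]
            for part in parts:
                for url in part.split()[:1]:
                    self._report(tag, url)
        for url in CSS_URL.findall(attr.get("style", "")):
            self._report(tag + "[style]", url)

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:       # CSS text inside <style>...</style>
            for url in CSS_URL.findall(data):
                self._report("style", url)

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from any real site).
SAMPLE_PAGE = """<html><head><link rel="canonical" href="http://example.local/page.html">
<link rel="stylesheet" href="http://example.local/skin/styles.css">
<style>@font-face { src: url('http://example.local/skin/font.woff'); }</style>
</head><body><a href="http://example.local/about.html">About</a>
<img src="/media/logo.png" srcset="http://example.local/media/logo@2x.png 2x">
<div style="background: url(http://example.local/media/bg.jpg)"></div></body></html>
"""
```

Calling find_mixed_content(SAMPLE_PAGE) returns one (line, location, URL) tuple per insecure sub-resource. The canonical tag and the plain link are not reported because the browser does not load them as page content; they belong to the SEO checks later in this post.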

SEO and HTTPS on Magento

Thanks to Andrey for his wonderful and detailed description! Now let’s move on to the impact switching to secure connection might have on your website. Let’s hear what Kristina, Amasty Marketing Manager, tells us on this subject.
Kristina, Amasty Marketing Manager

As for Amasty, we were not among the pioneers to transfer Amasty.com to the secure version; we did it a few months later – in November. And here are some important tips we would like to share with you.

301 redirects from non-HTTPs to HTTPs version

You should understand that http://site.com/ and https://site.com/ are treated by Google as different sites (exactly like non-www and www versions). So if you transfer your Magento store to HTTPS, you should 301 redirect all the site pages on a URL-by-URL basis, i.e. http://amasty.com/magento-extensions.html should redirect users to https://amasty.com/magento-extensions.html but not to the homepage.

Internal linking

Once you set up HTTPS and 301 redirects, make sure all your internal links point to the secure URLs. Check your navigation (top links, footer links, cross & up sells, etc.) and links in the body text. Your site is under your control, so this is the first place to show Google that you have secure URLs.

If you run a blog (you really do, right?), take some time to review the articles and change the protocol in the URLs coming to your main site. It is really hard and time consuming to make such changes manually in all the articles. So study your Google Analytics reports to find out which of your posts are more popular and change the links to your store only in them. Note: this is applicable only if you have a blog on a separate subdomain (e.g. blog.store.com).

Canonical tags

Check all your canonical tags. They should canonicalize the secure URLs. This is one more important signal for Google. Additionally, check your rel=prev, rel=next navigation tags (if you have them set up).

XML sitemap

As you know, an XML sitemap contains a list of all the URLs in your store. So after the switch to HTTPs, don’t forget to review your Google sitemap and re-submit it.

Google Webmaster Tools

Soon after the switch, you’ll see a similar picture in your Google Webmaster account:
[Image: Index drop https]
This means that after the switch to the secure URLs Google Webmaster will soon stop giving you info on your non-secure site. And that is a good sign: it means you’ve configured your 301 redirect properly.

To get all the info from Google again, you should add your HTTPS site as a new site to the GWT. Once it’s added, you’ll begin to receive the stats:
[Image: Index increase https]

External links

After switching your Magento store to HTTPS, build all the links to your site with HTTPS in the URLs. If you can change some existing incoming links, do it. Remember that a 301 redirect might not transfer all the link juice, so it’s always better to link to a page A directly rather than to link to a page B that redirects to the page A.

robots.txt

Look through robots.txt and add links to your new XML sitemap.

GA code

In most cases GA code catches the changes from HTTPS transition, but if you have an older piece of tracking code, it might need an update.

RSS

Check if your RSS provider supports HTTPS. For example, FeedBurner is not supported by Google any more, thus, it cannot work with HTTPS.

Check crawling

Utilize the Fetch and Render tool in GWT to check if Google is able to properly crawl your site.

Some challenges you will face after switching your Magento store to HTTPs

Social signals

Unfortunately, after the switch you’ll lose all the share counts. The good news is that some social shares will be transferred via API over time. But some won’t. From our experience, Google Plus shares count transfers mostly without any loss but Facebook likes count never returns.

So be ready to face this challenge. There’s also one reasonable solution that will help you to display on a new page share statistics of the old page. The drawback is that this count will be static as new shares won’t be seen.

Marketing & SEO tools

Though more and more sites are switching to HTTPs, not all the tools are ready for that. Some of them don’t show redirects or Alexa rank, others won’t generate an XML sitemap. Just take it as it is. I believe that all these inconveniences will soon disappear.

Check everything twice or even three, four, five times

The period after switching to HTTPS is like going through a dark forest. You never know what to expect. So check everything many times, make sure all your goals in Google Analytics are tracked properly, your AdWords traffic is not lost, etc. There may be some problems, but you can find and solve them quickly.

So what about the rankings?

This is a tricky question. When it comes to Google, it’s hard to predict the outcomes of your actions, especially if you make such serious changes as switching to HTTPs. Ok, according to Google, this is a ranking factor so we assume that after the switch, we can see a boost in rankings.

In reality, things are much more complicated. It’s more likely that right after the switch, your rankings will drop for some time. For Amasty, this period lasted for a few days and then we saw an increase and the site began to rank higher than it used to without HTTPS.

You should understand that rankings depend on a variety of factors and it’s hard to predict how any change will influence them. As for HTTPS, you’ll have to transfer your site to it sooner or later. Just take into account all the tips listed in the post and the switch to HTTPS will go smoothly.

Free checklist

If you’re going to switch your Magento store to HTTPS, download this free checklist of all necessary actions – it will help you to run through all the points.