I recently upgraded my blog to HTTPS: www.rrfed.com. Why?

To take a simple example, when I open this page there is an ad in the bottom right corner:

But this site is American:

Why are Chinese ads appearing on a US site? And more than one website has this problem: my own blog, when opened from home, often shows ads like this too. Why?

Because the page was hijacked by the carrier (the ISP), which injected a snippet of advertising HTML into the page's HTML, as shown below:

At this point the carrier acts as a man in the middle, as shown below:

I already covered man-in-the-middle attacks in "What Happens in the First Few Milliseconds of an HTTPS Connection"; the difference here is that the middleman sits on top of an otherwise normal connection, because it is the carrier itself. You could also say the connection is not normal at all, because the carrier is secretly hijacking it.

However, this kind of hijacking, also known as HTTP hijacking, only happens over HTTP connections; it does not happen over HTTPS. In short, pages opened over HTTPS will not have ads injected. Because the transmitted data is encrypted, the middleman only sees a string of text it cannot decrypt, so it has no idea how to tamper with it.

But if it's HTTP, your data is transmitted in clear text across the network, including passwords and other sensitive information. Any hop on the route between you and the server can sniff your data, modify it, embed an ad, sabotage it, or simply grab email content, account passwords and so on. So using HTTPS is essential; Firefox will even tell you that a password field on a non-HTTPS page is not secure:

Browsers such as Chrome and Firefox will tell you in an obvious place that the current HTTP site is not secure; just click the "i" button on the left side of the address bar and the notice pops up:

And HTTPS sites can improve SEO.

Using HTTPS over a public Wi-Fi connection reduces the risk of account information theft, but it is not 100% secure: an attacker can still use other methods, such as planting a Trojan horse on your device, to gain access to and control your account.

In any case, it's important to have HTTPS, if only so that visitors don't get the impression that the ads come from your own site. So how do you build an HTTPS website? As I explained briefly in "What Happens in the First Few Milliseconds of an HTTPS Connection", you need to obtain an SSL certificate, and there are some free certificates available online. You can see the types and prices of certificates at a certificate reseller:

Certificates come in three types: DV (domain validated), OV (organization validated) and EV (extended validation). DV is the simplest: as long as you have an accessible domain name, you can apply for one. OV is for enterprises and requires the company's supporting documents to be provided. EV can display the company name in the address bar, as on Sitepoint.com. For a small blog like ours, a DV certificate is enough.

There is a free DV certificate authority called Let's Encrypt. Its certificates are valid for three months, after which you renew them, again for free. Applying for and installing one is very simple with Certbot. The following is a brief introduction to the installation process:

First open the Certbot website and select your operating system and web server; in my case CentOS + nginx:

It will then show you the installation steps. First download the compiled executable:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Then execute the installation command:

sudo ./path/to/certbot-auto --nginx

It will install some Python packages, ask you to enter your email address, then automatically read your nginx configuration file, find the server domain names listed in it, and ask you to choose which ones to install an HTTPS certificate for:

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: www.rrfed.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

If a connection timeout error is reported:

- The following errors were reported by the server:

  Domain: trumporate.com
  Type:   connection
  Detail: Timeout

it means port 443 is not open in the iptables firewall; open it the same way port 80 is open.

After validation succeeds, it downloads the SSL certificate and adds the SSL configuration to nginx:

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.rrfed.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/fed.renren.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

It will also ask whether to redirect HTTP to HTTPS; if you say yes, it adds the following nginx configuration:

if ($scheme != "https") {
    return 301 https://$host$request_uri;
} # managed by Certbot

301 means the resource has moved permanently. After receiving a 301 response, the browser automatically follows the redirect to the new address.

Because the URLs of many images on the site are HTTP and have been hard-coded into the database, HTTP images end up being loaded inside HTTPS pages. Even with the certificate configured, the browser then warns that the page is not secure, and the small padlock in the address bar disappears:

If changing the database by hand is cumbersome, an easier way is to use a meta tag that upgrades HTTP requests:

<meta http-equiv="Content-Security-Policy"
    content="upgrade-insecure-requests">

All HTTP requests on the page are then upgraded to HTTPS requests. Some requests will fail if the target server doesn't support HTTPS, but I don't have this problem.
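As an added example (not part of the original post), here is a small Python scanner for the mixed-content problem described above: it lists the hard-coded http:// subresources in a page's HTML and rewrites them to https://, which is the "fix the database" alternative to the meta tag. The host names in the sample post are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attributes that load subresources: an http:// URL in any of them is mixed
# content on an HTTPS page. <a href> is a navigation, not a subresource.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "video": ("src", "poster"), "source": ("src", "srcset"),
}

class MixedContentScanner(HTMLParser):
    """Collects every http:// subresource reference as (tag, attr, url)."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in SUBRESOURCE_ATTRS.get(tag, ()):
                # srcset holds "url 1x, url 2x"; take the URL of each candidate
                for candidate in value.split(","):
                    url = candidate.strip().split(" ")[0]
                    if urlsplit(url).scheme == "http":
                        self.insecure.append((tag, name, url))

def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.insecure

def upgrade_url(url):
    """Rewrite http:// to https://; every other scheme is left untouched."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    return urlunsplit(("https",) + tuple(parts[1:]))

def rewrite_insecure_urls(html):
    """Fix the stored (database) copy instead of relying on the browser."""
    for _tag, _attr, url in find_mixed_content(html):
        html = html.replace(url, upgrade_url(url))
    return html

# Constructed sample post (hypothetical hosts): two hard-coded HTTP
# subresources plus one HTTP link, which is not mixed content.
SAMPLE_POST = """<img src="http://img.example.com/a.png" alt="">
<script src="https://cdn.example.com/x.js"></script>
<a href="http://example.com/other-post">another post</a>
<link rel="stylesheet" href="http://cdn.example.com/style.css">"""
```

Run `find_mixed_content` over the HTML stored for each post to see what the browser would flag, and `rewrite_insecure_urls` to produce the corrected copy before writing it back.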

With that, the site is happily upgraded to HTTPS for free:

Viewing the certificate in the browser:

The cost of upgrading to HTTPS is that encryption and decryption need more CPU and the encrypted data becomes larger, but I observed that with gzip compression, HTTPS transfers are almost the same size as HTTP. In addition to the normal TCP connection, an SSL connection also has to be established, which takes about 0.3s to 0.5s. This is a price to pay, but because the browser shows the user "establishing a secure connection", there is a buffer, so in practice it's fine.