That took a lot longer than I intended.
But I’ve finally made all of Hyperborea.org run over HTTPS.
It’s been possible to view the whole site over HTTPS ever since I turned it on for the admin area of this blog years ago, but I left HTTP as the canonical URL and didn’t redirect anything until I updated the Les Mis section, and later this blog. Now, any page you visit on this entire site should load over an encrypted connection.
(Well, any page except for the old Dillo RPMs page, since that minimalist web browser still only has experimental HTTPS support.)
The problem is when you have decades of hand-crafted web pages to go through, it can take a while to make sure everything embeds only secure or same-origin content. Every image, every script, every video. I had to update lots of absolute links, remove some widgets and ads, update other widgets, embedded videos and metadata…and just a bit at a time in my spare time.
Finally I switched on the redirects this morning. Even that took longer than expected, because I’d forgotten that mod_rewrite rules in a directory override any parent directory’s rules, so I had to copy the HTTP-to-HTTPS rewrite rule to each folder that had its own rewrite rules. Then I had to fix the interaction between mod_rewrite and ErrorDocument that was causing custom errors to redirect to the error template instead of loading it behind the scenes.