Chapter 1

Welcome to Book 2

HTTP vs HTTPS and what Workshop Co. needs for production.

In this book

Trace an HTTP request from browser click to server response
Understand TLS, certificates, and the chain of trust
Obtain and renew Let’s Encrypt certificates with ACME
Configure Nginx server blocks, virtual hosts, and PHP-FPM
Diagnose mixed content, expiry, and certificate mismatch errors
Deploy a complete HTTPS setup for Workshop Co.

Book 1 → Book 2

In Book 1 you learned how DNS turns workshopco.ca into an IP address. Book 2 picks up at the server: what happens when the browser connects, why HTTPS matters, and how to configure a production web server that serves Workshop Co.’s site safely.

Tip

You do not need a live server to follow along. Read each chapter, sketch configs on paper, and use the collapsible answers to check your work. When you have SSH access to a test VPS, revisit the capstone and apply it for real.

Workshop Co. in Book 2

Workshop Co. is ready to go live. Their marketing site and booking pages run on a Swift Host VPS. Staging lives on a separate IP for testing before changes hit production.

Workshop Co. — web stack

Production: https://www.workshopco.ca → VPS at 203.0.113.10
Staging: https://staging.workshopco.ca → 203.0.113.99
Web server: Nginx on Ubuntu 24.04 LTS
Application: PHP 8.3 via PHP-FPM (custom booking pages)
Certificates: Let’s Encrypt (auto-renew via Certbot)

HTTP vs HTTPS — why this book exists

Plain HTTP sends page content in cleartext. Anyone on the same Wi‑Fi, ISP path, or compromised router can read form submissions — including class booking details and email addresses. HTTPS wraps HTTP inside TLS (Transport Layer Security), which encrypts traffic and proves the server identity with a certificate.

Modern browsers mark HTTP sites as “Not Secure.” Search engines favour HTTPS. Payment processors and booking tools often require it. For Workshop Co., HTTPS is not optional — it is baseline hygiene for a Canadian business collecting customer information.

What you need

Book 1 concepts (especially A records and subdomains)
Optional: SSH access to a Linux VPS for hands-on Nginx practice
A text editor for config snippets

Try it yourself — inspect a site you use

Open a site you trust (bank, email provider, or workshopco.ca when live). Click the padlock icon in the address bar and note:

Is the connection secure?
Who issued the certificate?
When does it expire?

Discussion notes

You should see “Connection is secure” and a certificate issued by a public CA (often Let’s Encrypt, DigiCert, or Google Trust Services). Expiry is typically 90 days for Let’s Encrypt or up to ~13 months for commercial CAs. This book explains exactly what those fields mean.

Key terms introduced

HTTP: Hypertext Transfer Protocol — how browsers request web pages.
HTTPS: HTTP over TLS — encrypted and authenticated web traffic.
TLS: Transport Layer Security — the encryption protocol behind HTTPS.
Web server: Software (e.g. Nginx) that accepts HTTP requests and returns responses.