1and1 UK hosting provides you with a free GeoTrust SSL certificate for your website.
But not wanting to break my existing site(s) I want to know beforehand what happens when you set it up.
Currently I have setup my webspace like this:
/www <-- www.foo.com
+-- /images
+-- /css
/test <-- test.foo.com
+-- /images
+-- /css
I only want the SSL cert for the www.foo.com website.
The documentation tells you how to setup the certificate - but not what happens when you do.
Is it as easy as it creates a new top level dir called /www-ssl ? If so I could just copy the site into there and work with that.
Thanks.
Funnily enough the original question is actually something I've
actually just finished rolling out over the last two days.
If you are just using 1and1's webspace/domains (not server) it's pretty straight forwards (it doesn't change files, it doesn't automatically make the site SSL). It will continue to run as a HTTP server until you start editing your .htaccess files to redirect to HTTPS.
You should be aware: If you intend to use 1&1's CDN and want SSL, the free one they gave you won't work with it. (I'm guessing it's
down to how the automated process for creating CNAME's in the zone
record conflicts with each other. It's also incidentally why you need
to make sure you are using 1and1's NS's so they have control over the
zone record to do alterations for setting up the CDN or Geotrusts SSL
Cert)
you will either have to buy the CDN package with SSL cert (which is more expensive) or you can do what I've done:
Set up the Free Geotrust SSL Cert for your server
turn OFF/Remove the 1and1 CDN (if you've set it up)
Visit https://www.cloudflare.com and sign up for a free account, Only set this up once you have the Geotrust Cert running on your server as it will require changing your domains NS's to cloudflares one in your 1and1 adminpanel which would cause problems with any automatic subdomain creation used by 1and1).
The difference between using 1and1 CDN & SSL and SSL & Cloudflare is the latter version is cheaper (it uses whats free and what you already have, as well as having more CDN options available to you.) and the only thing you lose from it is Mirage caching (image optimisation for mobiles, which is in beta) You can of course pay cloudflare to get that option (and other extras) but to be honest it's a small loss.
There is a difference between the Geotrust SSL and the SSL Starter certs.
The Geotrust SSL Cert will handle both foo.com, www.foo.com.
The starter SSL will only handle one of them, not both.
If that checks out Setup your GeoTrust SSL certificate to handle both www.foo.com and foo.com
Once you've got your cert just add the below to a .htaccess file (It assumes that foo.com traffic is also www.foo.com traffic)
<If "%{REQUEST_SCHEME} =='http' && (-f %{REQUEST_FILENAME} || -d %{REQUEST_FILENAME})">
Redirect permanent "/" "Https://foo.com/"
</If>
<ElseIf "(%{HTTP_HOST} == 'foo.com') && (-f %{REQUEST_FILENAME} || -d %{REQUEST_FILENAME})">
Redirect permanent "/" "Https://www.foo.com/"
</ElseIf>
This can be used instead of mod_rewrite in apache >=2.4
REQUEST_SCHEME is used since the server isn't using a FULL(Strict) method where the server itself is set to run in HTTPS. Certain mod_rewrite rules will actually cause infinite* redirect loops. (*until the server timeouts from recursion)
While it is possible to reduce this so you have less redirects, if you intend to further tighten your SSL if you use cloudflare, you'll likely end up using HTTP Strict Transport Security (HSTS) and it's strict in how HTTP is escalated to HTTPS. The Pseudocode below shows the elevation it requires (having to do it this way due to limited links being allowed here):
http(domain) >301> https(domain) >301> https(sub+domain)
I'm not entire sure how the HSTS protocol would handle how I initially intended the failure of a File/Directory not being found creating a 404 message that breaks it's strict redirects.
(If you use this method, sanitise how the 404 message is handled since it can be outside of HTTPS.).
As for test.foo.com test folder. You can just treat that as you
have already, it's outside of the SSL Cert and not handled by the
.htaccess of the www folder.
If/When you get to looking at setting up HSTS, you will want to add headers to your If/ElseIf statements.
<If "%{REQUEST_SCHEME} =='http' && (-f %{REQUEST_FILENAME} || -d %{REQUEST_FILENAME})">
Redirect permanent "/" "Https://foo.com/"
Header set Strict-Transport-Security "max-age=2592000; includeSubDomains; preload" env=HTTPS
</If>
<ElseIf "(%{HTTP_HOST} == 'foo.com') && (-f %{REQUEST_FILENAME} || -d %{REQUEST_FILENAME})">
Redirect permanent "/" "Https://www.foo.com/"
Header set Strict-Transport-Security "max-age=2592000; includeSubDomains; preload" env=HTTPS
</ElseIf>
I hope that helps,
Edit
To clarify, the question seems to be more about how TLS works rather than how to get around it.
A TLS certificate is an agreement between a website and a browser to use a common shared secret to send and receive encrypted communications between each other. This is NOT anything that changes the website content or the website data. It is simply a more secure transport system.
Imagine, you're trying to send out magazines to customers in the real world, and you post these magazines in thin, skimpy plastic wrappers with the address in the corner, that's ok, that works, but the postman, the whole postal working staff and anyone whose popping into the post office at the time will be able to see what you're posting, and what magazine your friend is receiving.
So, you update and instead post your magazines out in thick dark paper bags, with duct tape wrapping, this means no one in-transit can view the magazine and no one knows what magazine is contained within the paper bag. This is a very rough equviliant of what TLS does for the website, it doesn't change the website contents (the magazine) but it does ensure that this contents is much, much harder to sniff and read.
By saying you want to encrypt some websites but you don't want to encrypt others, this seems somewhat odd, as surely all customers (in the scenario painted above) would like their magazines delivered in thick paper bags rather than thin transparant plastic wrappers. As there is no cost involved, there is little gain if any in only encrypting some of your sites or data.
Historic Original Answer:
A TLS certificate can be enabled for any site but is not required unless you tell the site to require it. What you can do is set the certificate for your account (and this will cover all domains on the account including subdomains, unless there's a specific setup option to avoid subdomains) and then use htaccess to tell the server to clarify your actions, so you can tell the server that:
RewriteEngine On
rewriteCond %{HTTP_HOST} ^www.(.*)$
rewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [L,R=301]
So this will tell your server that if the www.site.whatever is accessed then to use HTTPS... And you can, if you really want, use a similar inverted rule to prevent the non-www subdomain using the secured TLS port, but really, why wouldn't you want to use TLS encryption for all your web data?
Related
I originally had 4 subdomains, and when each was created, they were assigned a subdirectory off my public_html
So
subdomain1 points at public_html/subdirectory1
subdomain2 points at public_html/subdirectory2
subdomain3 points at public_html/subdirectory3
Each had a Wordpress site installed in the appropriate subdirectory
I then purchased a global (wildcard) SSL certifcate, and installed it... so it was for *.mydomain
And then all I had to do is in each Wordpress install, change the site url and home url, in General settings, to be https: subdomain.mydomain instead of http:subdomain.mydomain
Everything worked fine, I had no other changes to make.
Since then, I have added new subdomians, subdomain 4 and subdomain5
Again, each was assigned a subdirectory off public_html
subdomain4 points at public_html/subdirectory4
subdomain5 points at public_html/subdirectory5
Wordpress installed on each.
Each worked OK when the site and home urls were http:
Changing to https: site becomes unobtainable! White screen all the time, no error messages.
I contacted the tech support of my hosting providers, and what we established was that an http: request was targetting the public_html/subdirectory4 (or 5) directory, but that an https: request was targetting public_html ! They said that I had to amend my public_html/.htaccess file to redirect the https requests, on a subdomain by subdomain basis, to the relevant subdirectory.
Apart from this having knock on effects in the code of my sites, some of which is common across all 5, I do not understand why this is necessary. It was not necessary for the original sites that were present when I installed the SSL certificate. There are no entries in either the .htaccess file in public_html or in the .htaccess files of each subdirectory that pertain to http or https access.
There must be something else somewhere that makes the original subdomains work, but not the new ones created SINCE the SSL certificate was installed.
And it is nothing at all to do with Wordpress because I created a new subdomain and subdirectory with nothing but an index.php file echoing "Hello world", and it works if requested through http, not if requested through https:
I need to know anything else that can be making the original subdomains work WITHOUT any alteration to the .htaccess files, and why the new subdomains, created after the SSL certificate was installed, behave differently. And then obviously how to make them behave as the original subdomains do.
Don't know why the Tech Support for my hosting company couldn't tell me this, it was so simple once I looked in the right place.
Logged into WHM, and there's an SSL/TLS tab. Looking under "Manage SSL Hosts", I could see the subdomains that were working correctly had an entry in the table there. Backing out, and going to "Install an SSL Certificate on a Domain", I was able to install the certificate to the new subdomains, and lo and behold, when I returned to "Manage SSL Hosts", the new subdomains were there too.
So, undid all the changes made to the new WP installs, and now working perfectly, in the same manner as the all the other subdomains.
Hope this saves somebody else half the time I wasted!
I've changed a site to https and have set up a redirect in .htaccess. But I've also set Strict Transport Security. Are both necessary or useful?
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=16070400"
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
Cheers
A redirect tells people who enter http://www.example.com to go to https://www.example.com. Since the default is http, if you leave off the protocol and just type www.example.com then you will go to http://www.example.com so yes you need this redirect.
There's a few problems with this though.
First up http is insecure and can be read, and altered by other people on the network. That's the very reason you should use https. However, as http is insecure, that means they could intercept your redirect and keep you on http version and continue to intercept your traffic. Or alternatively redirect you to https://www.evilexample.com instead.
HTTP Strict Transport Security (or HSTS) is a security mechanism which attempts to address this issue. Your server tells the browser to ALWAYS use https for that site. Even if the don't type the protocol (when http would normally be used) and even if you DO type the protocol as http.
Once a browser has loaded HSTS for a site it will not even send a http request at all and will automatically change these to https instead. This has several advantages:
It's more secure as it cannot be intercepted.
It's quicker as doesn't waste time sending a request to http://www.example.com just to be told to go to https://www.example.com.
It can be used to address mixed content errors as http resources (for that site only but not loaded from other sites) will automatically be changed if you accidentally include a http source. Content Security Policy's upgrade-insecure-requests is probably a better solution for that but HSTS still provides a basic version.
Also as the other answer stated another separate benefit is that this setting also means browsers will not allow visitors to click through certificate errors for this site which adds extra security against attacks.
The main downsides of HSTS are that:
Your site needs to be https only - which may seem obvious but easy to miss part of the site on http only. Or a subdomain on http if using includeSubdomain option.
The visitor needs to visit the site first to pick up the HSTS policy though you can preload this into browsers but that's not a decision to be taken likely.
Browser support is not universal yet. And even if it was crawlers used by search engines and the like probably wouldn't use it.
So hopefully that explains why HSTS is a good thing and is something you should keep. On top of the redirect.
Yes! You should keep both of them. From OWASP docs, there're many benifits to use HSTS. E.g:
automatically redirects HTTP requests to HTTPS.
prevent user from overridding invalid certificate message.
I think you should have a look on this documentation https://varvy.com/pagespeed/hsts.html which says:
It is basically like a 301 redirect, but at the browser level, rather than the webpage level. It is superior to a 301 redirect as it can be implemented to always only use https, whereas 301 redirects are actually unsecure when first seen by a browser.
After reading the documentation, you can decide about it.
I have ordered an SSL certificate which covers my root domain only and it can be successfully accessed through https://domain.com.
I have created a redirection from all requests from https://www.domain.com to the root domain.
However, when trying to access https://www.domain.com which was supposed to get redirected to https://domain.com the browser returns the following warning mentioning about a security risk of proceeding with the navigation:
This is probably not the site your are looking for!
You attempted to reach www.domain.com, but instead you actually reached a server identifying itself as domain.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of www.domain.com.
You should not proceed, especially if you have never seen this warning before for this site.
Is it somehow possible to redirect from www to the root domain using HTTPS without having to order another SSL certificate for www only for redirections?
PS: domain.com is just a placeholder to help illustrating the question.
Unfortunately SSL certificate negotiation happens before mod_rewrite rules come into effect. THerefore even before your 301 rule can redirect URIs to non-www domain, browser has already received certs for non-www while still on www domain. That is the point it shows that dreaded warning to visitor that cert is invalid.
You have 2 options:
(Recommended) Most of the certs these days allow you to use www with TLD, check with your provided if this is the option.
Go for wildcard certs (more expensive).
I have a Debian server which is running a number of client sites. Most of these are not running SSL so accessing by HTTP is fine.
I have one customer with an SSL certificate and accessing their site via HTTPS is fine too.
The problem comes if you try to access one of the other sites with HTTPS you get directed to the other site that has the SSL certificate.
For instance, lets say we have the following sites on the server:
alpha.net
bravo.net
charlie.net (SSL)
delta.net
So as you can see, charlie is the only one with SSL, and irrespective of if you go to http charlie.net or https charlie.net, it works fine.
http to all the other sites is fine, but if you were to go to https alpha.net, it will initially come up with an Invalid Certificate error and let you continue but whilst it has alpha.net in the address bar, its actually showing the charlie.net site in the browser.
I have researched SNI and how if any other sites have SSL I'll need to put them all on specific IP addresses (something else I need to try to work out how to do as I have no idea) but I am not sure why this is happening or how I resolve it.
Has anyone else encountered this before and how did you get around it?
Many thanks,
Rob
This does not have anything to do with SNI, as you currently only have one HTTPS server. What happens, as you've stated in your comment, is that the alpha.net domain resolves to your server's IP. Your Apache server is set up to listen for requests on port 443 on this IP, and to serve the contents of charlie.net to these requests. (And the certificate error means that the browser noticed the discrepancy between the certificate's alleged domain name and the domain name used for the request.)
Redirecting from HTTPS to HTTP is probably more trouble that it's worth, since you would need valid certificates for each domain, lest you present your users with another security warning. This would entail creating virtual hosts for alpha.net:443 and so on, on an SNI capable server (i.e., later versions of Apache 2.2+ with openssl), and adding a redirection like so:
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
Probably the easiest course for your problem is to use a different IP for charlie.net. With this setup, there would be no way for alpha.net (and so on) to display the contents of another site.
If you have multiple IPs on your server, use a unique one for the SSL site, all non-SSL sites share another IP.
Since SSL doesn't care what is the domain you are visiting, it only cares if the current domain is approved from the list of domains(Common Name) it gets from the Ip address.
I have an apache server with multiple named hosts all working fine for port 80 http traffic.
(A VPS with one unique IP address)
I have one domain that has a SSL certificate and that domain is configured to handle both http and https traffic.
However if someone accidentally adds https to the beginning of a none SSL configured URL I get a typical certificate warning error (expected) and then if the user accepts the error (depending on the browser) it displays the SSL site I have configured instead of the original non-ssl domain.
I've read up a bit about SNI, but I don't have certificates for each of the other domains and would rather the server either not respond to the SSL request on anything else but one specific domain or redirect to the http version of the site.
Suggestions please as to how I approach this.
Kind regards, Spencer
For security reasons, what you're trying to achieve cannot work.
The browser (which implements the mechanisms to check the certificate) cannot know whether the user typed https:// instead of http:// accidentally or intentionally. Since it's ultimately up to the users to check that https:// is used when they think it's required, browsers should simply perform the actions requested by the users.
A redirection from https:// to http:// should always start with a valid https:// connection. SNI won't help you much there if you can't have valid certificates for the initial connection.
Otherwise, it would be fair for browsers to assume there may be a MITM attack in progress. Typing in https:// explicitly (or using HSTS) is the only reliably mechanism against MITM tools like SSLstrip, which would otherwise be capable of downgrading (or preventing an upgrade from http:// to https://).