• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 639
  • Last Modified:

How do I upgrade a Web site to use HTTPS/SSL?

I have a Web site and hosting at FreeHostia.com and want to upgrade the site so that it uses HTTPS/SSL to protect transferred information. I have never set up a secure Web site and need a basic tutorial. FreeHostia offers paid upgrades such as IP addresses, but if many extras will be required an alternate hosting provider can be considered.
0
greatcomputing
Asked:
greatcomputing
  • 5
  • 3
  • 2
  • +2
2 Solutions
 
cyberstalkerCommented:
According to their beginners guide you can set it up from their control panel.
0
 
CorruptedLogicCommented:
Check here and then take a look in your account control panel...
http://forum.freehostia.com/viewtopic.php?t=3736&highlight=ssl


0
 
greatcomputingAuthor Commented:
Do I need to purchase a dedicated IP address to use SSL, or just to get a certificate?
0
What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

 
cyberstalkerCommented:
A dedicated IP address is not required. It will work just as well on shared hosting.
0
 
greatcomputingAuthor Commented:
When enabling SSL support in the control panel, the options are to either generate or upload a certificate. After selecting either one, it says "If you intend to use SSL certificates of your own, you will need a different IP address for each one of these SSL certificates." and reverts to the 'Do not use SSL' option.
0
 
greatcomputingAuthor Commented:
According to the control panel help files and other posts in the support forum, a dedicated IP address is required to use SSL. After upgrading to 1 dedicated IP address, I am given the option to enable it when creating a new subdomain, such as 'www'. Enabling it for a second subdomain returns the error saying that an additional IP address is required. Is a dedicated IP address required for each subdomain or is this a limitation of FreeHostia? Regardless, while I am able to view my site through 'http://' I cannot connect securely through 'https://'.
0
 
giltjrCommented:
--> Is a dedicated IP address required for each subdomain or is this a limitation of FreeHostia?

No, this is how SSL works.  SSL negotiation takes place before any data is really passed to the Web server, its done when the TCP connection is being setup between the client and the server.  At this point in time the server does not know which host name the client is attempting to connect to so it has to use the cert that is associated with the IP address the client is attempting to connect to.
0
 
Steve BinkCommented:
>>> Is a dedicated IP address required for each subdomain or is this a limitation of FreeHostia?

Well, yes and no, actually.  The restriction is actually that you can only have a single SSL certificate on any given IP, due to the same technical reasons explained by glitjr.  Since a certificate is normally assigned to a single common name, that means you need one IP per unique domain name.

There are work-arounds, though.  With shared hosting, you commonly share an IP with many other people.  The host will own the cert on the single IP, and dish out subdirectory entries to the clients.  For example, say you are hosting on server1.mywaycoolhost.com.  The certificate will use that as the common name, and any SSL-enabled directories you have will be available through a separate link like https://server1.mywaycoolhost.com/mydomain.  Another alternative is to use a wildcard SSL (*.mywaycoolhost.com), and the host provides for sub-domains like https://mydomain.mywaycoolhost.com.

All of that, however, assumes you're OK with having your customers go to your HOST'S domain to serve your secured content.  Since most laymen know nothing about SSL and are (hopefully) really paranoid about phishing and other scams, that could lead to a drop in business.  The better option, though more expensive, is to get a dedicated IP for your domain and purchase your own certificate.  Once installed, your SSL-enabled content is available through https://www.mydomain.com.  Costs vary by host for the dedicated IP, and a generic certificate will run from $100 to $150 depending on the vendor you use.  Some hosts are resellers for CAs, so talk to them to see if they have a better deal for you.

As far as the restriction of one cert/domain per IP, it is a restriction in the technology, not in reality.  You COULD put two domains on the same IP and use the same cert, but only the matching domain name will display content seamlessly.  The other domain will raise certificate errors on the client side, alerting them that your domain name does not match the certificate's common name.  This might not be an issue for you if the second domain is internal-only, and you just need the certificate for encryption purposes.  If it faces the public, however, you will want to use a second certificate.  For example, if I have domain1.com and domain2.com, and I purchase a certificate for the common name domain1.com, browsing to https://domain1.com will be fine.  Browsing to https://domain2.com (or https://www.domain1.com!!) will raise a certificate error.
0
 
greatcomputingAuthor Commented:
I ordered a trial certificate from Comodo and installed it; now the website is available through 'http://' and 'https://' with or without the 'www' subdomain and does not present any certificate errors. Finally, I need to ensure that access is only available through SSL. How do I disable or redirect traffic to accomplish this?
0
 
giltjrCommented:
There are few ways to do this and it depends on how much control you have over the site.  If this is a typical shared hosted site assuming mod_rewrite is installed, you can setup the following in a .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

If you have full control over everything though, you can put:

Redirect permanent / https://a.b.c/

in your httpd.conf file where a.b.c is your host name.  If you have full control over everything and this is a virtual host, put the above in the virtual host defintion.
0
 
greatcomputingAuthor Commented:
Can the RewriteEngine code be modified to include all subdirectories and files?
0
 
giltjrCommented:
With the example I gave anytime a request comes in that is NOT https (meaning it is http), the rule will rewrite the request to be https.

This should cover any and all requests no matter what the directory.
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

  • 5
  • 3
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now