AXISHK
asked on
ssl question
can we just enable ssl on a website without asking for user name and password
ASKER
I need to setup my website such that user should access it through https:.
ok so you need to bind it to the https protocol or port 443
1. Select your site
2. Under the action pane, under Edit Site select Bindings
3. Click Add
4. Under Type select https and port should be 443.
5. The ipaddress or host name should be the same and the http that is already there.
1. Select your site
2. Under the action pane, under Edit Site select Bindings
3. Click Add
4. Under Type select https and port should be 443.
5. The ipaddress or host name should be the same and the http that is already there.
In order to serve a website under SSL (HTTPS:) there are a number of steps, all of which are mandatory:
1) Firstly you will need to obtain an SSL Certificate, if your website will be used by the general public then this must be issued by a genuine issuing authority (GoDaddy, Comodo, VeriSign etc.) while if the website is only going to be accessed inside your company/organisation you could get away with a "self signed" certificate. For information on how to obtain an SSL Certificate search on Google for "SSL Certificates".
2) Once you have your certificate, you need to copy the Certificate, Private Key for that Certificate and any "chain certificates" on to your server, in a location that is accessible by Apache (you have said earlier you are running Apache).
3) With the certificates in place on your server, you must then edit and modify the HTTPD.CONF file for Apache, placing the required instructions for Apache to begin listening for SSL connections, log file formats, what type of cipher and SSL connections your server will accept, and where it can find the certificates for the given HOST. This particular topic is covered by a number of tutorials that you can find on the web - in Google search for "How to Set up and Enable SSL in Apache"
4) When you have correctly edited your HTTPD.CONF file you will be able to restart Apache and then access your website using HTTPS. However, if within the HTML of your website there are any literal calls to "HTTP", such as in images, JavaScript or Iframes, then these will need to be changed to accommodate HTTPS or else your website will not be rendered by most browsers in a secure mode.
As you can see from the above, there is more to enabling SSL under Apache than simply binding it to port 443 (which will not enable SSL or a secure connection).
Please feel free to come back with any additional questions you have.
1) Firstly you will need to obtain an SSL Certificate, if your website will be used by the general public then this must be issued by a genuine issuing authority (GoDaddy, Comodo, VeriSign etc.) while if the website is only going to be accessed inside your company/organisation you could get away with a "self signed" certificate. For information on how to obtain an SSL Certificate search on Google for "SSL Certificates".
2) Once you have your certificate, you need to copy the Certificate, Private Key for that Certificate and any "chain certificates" on to your server, in a location that is accessible by Apache (you have said earlier you are running Apache).
3) With the certificates in place on your server, you must then edit and modify the HTTPD.CONF file for Apache, placing the required instructions for Apache to begin listening for SSL connections, log file formats, what type of cipher and SSL connections your server will accept, and where it can find the certificates for the given HOST. This particular topic is covered by a number of tutorials that you can find on the web - in Google search for "How to Set up and Enable SSL in Apache"
4) When you have correctly edited your HTTPD.CONF file you will be able to restart Apache and then access your website using HTTPS. However, if within the HTML of your website there are any literal calls to "HTTP", such as in images, JavaScript or Iframes, then these will need to be changed to accommodate HTTPS or else your website will not be rendered by most browsers in a secure mode.
As you can see from the above, there is more to enabling SSL under Apache than simply binding it to port 443 (which will not enable SSL or a secure connection).
Please feel free to come back with any additional questions you have.
ASKER
After that, user only need to type https://mywebsite.com, no password will be prompted, correct ?
Tks
Tks
Absolutely correct, HTTPS (secure connections) are different from "HTTP with Basic Authentication".
In the first case HTTPS means that the data exchanged between the browser and website are encrypted and thus secure.
In the second case, a visitor is not able to view the website until they have entered a username and password, but the data is not encrypted and thus not "secure".
In the first case HTTPS means that the data exchanged between the browser and website are encrypted and thus secure.
In the second case, a visitor is not able to view the website until they have entered a username and password, but the data is not encrypted and thus not "secure".
ASKER
Do you mean when accessing https, the user will always be asked for the password ?
Is it possible to just encrypt the content by accessing https://xxxxx.com but no password is asked ?
Tks
Is it possible to just encrypt the content by accessing https://xxxxx.com but no password is asked ?
Tks
I think you are confusing HTTPS (a secure connection) and User Authentication (username & password controlled access).
Two entirely different things here.
Asking for a username and password before granting access to a website is a form of "access control" - no data is encrypted.
With HTTPS anyone can access the website - but the data (meaning the website content) is encrypted when delivered to, and collect from, the visitor.
So to answer your question, no username and no password will be required to access the website over HTTPS unless you also add access control to.
Two entirely different things here.
Asking for a username and password before granting access to a website is a form of "access control" - no data is encrypted.
With HTTPS anyone can access the website - but the data (meaning the website content) is encrypted when delivered to, and collect from, the visitor.
So to answer your question, no username and no password will be required to access the website over HTTPS unless you also add access control to.
ASKER
Can i say it is no point to use https if not user password is asked ? Under what sitituation should the whole website be encrypted without any user name and password ?
Tks
Tks
What are you trying to achieve?
Do you want to only allow specific people to access your website?
OR
Do you want to deliver your website using HTTPS - for instance because you want to take online payments?
Do you want to only allow specific people to access your website?
OR
Do you want to deliver your website using HTTPS - for instance because you want to take online payments?
ASKER
Just want to enable access with https as requested by boss. tks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Tks
You can simply bind the website to the https port 443 and not require ssl and then you get both port 80 and 443