Serving Your Sites under SSL
Difficulty: 4 (rated by author; 1=easy <--> 5=difficult)
Views: 122
Type: Security
Whether or not you have concerns about security for content on your domain, there are very good reasons for understanding to make sure your content is served over SSL (Secure Sockets Layer), and how the http:// in front of web site addresses is different from ones that start with https:// (known as URL protocols).
Sites with web addresses that are reached via https:// send content that is certified to be secure. It’s based on a set of certificates issued to a site from an authority that can communicate their authenticity to your web browser. For a visitor this means the site is authentic, the information sent between them and the site has not been altered in anyway, and is secure (learn more about SSL and secure web browsing). Learn more about SSL:
You are likely not transmitting super secure information from your domain nor dealing with information that needs high protection, but when we do log into sites with passwords (like many of the applications such as WordPress), it’s worth setting up your sites to use SSL.
But more than that, modern web browsers will soon start inserting the word INSECURE before web content not using SSL, and Google will eventually be changing their search results to favor sites using SSL.
Another reason for creating content that can be served under SSL may come into play later is that there are ways you can bring your domain content into an Learning Management System / Virtual Learning Environment, using iframe tags – for this to work, the content must be served over SSL.
the https thing was tricky for those of us at OU because our old fac/student web hosting did not offer https, so switching to @ReclaimHosting & Domains was huge for us: to work with embedded content of any kind, https is the key. now that we have https, options are unlimited! 🙂
— Laura Gibbs (@OnlineCrsLady) July 17, 2018
While this may seem “cryptic” and highly technical, the tools in your cpanel make it easy to set up your content to work under both protocols, and also, to default to https. It’s well worth it to have an understanding and appreciation for what that one extra “s” in a web address means for sites your domain.
About SSL Certificates in cPanel
For domains hosted by Reclaim Hosting including ones on StateU.org the good news is that getting an SSL certificate is not only free, it is set up for your domains (and subdomains) automatically. Using them comes into play typically when you install a new app, so when you find the place where the Installatron installer (like you might see first in the Domain Kit for installing WordPress) asks for a location to where to install the application. If you see options for both http:// and https:// addresses, use the latter:
Always choose the https:// option for installing a new app.
SSL For Directory Based Web Sites
For some things in your web site you may be creating content directly, e.g. by uploading via the File Manager as we did with the Adding a Self Contained Site with File Manager kit. In this case. as well as where we might be testing different sites in subdirectory of a sandbox subdomain, by default we can use either say http://sandbox.gadgets.stateu.org/eduhack-demo/ or https://sandbox.gadgets.stateu.org/eduhack-demo/ to access the site. The certificate for the subdomain applies to any site within it
But if we may want to make sure we only use https for sites in our sandbox, we can make that happen. Go to your cPanel, and inside the Domains group, click the Domains icon.
This provides an overview of all domains and subdomains in your account, including the document root (where in your account to find the content in file manager), if the domain/subdomain has been set up to be a redirect (as we do in the Creating Subdomains for Different Sites kit), and for what we want now, a switch to Force HTTPS Redirect:
If we want all requests to sites in our sandbox.gadgets.stateu.org subdomain to be handled by https. we turn this on. Thus any request in that subdomain for an address like http://sandbox.gadgets.stateu.org/eduhack-demo/ will be automatically sent to https://sandbox.gadgets.stateu.org/eduhack-demo/ thus ensuring our content is served as SSL.
What If a Domain or Subdomain Does Not Have An Option for HTTPS?
This is likely not something you will see unless you have had a domain for a while, but it may mean that an SSL certificate was never installed. You can have one created by going to cPanel, and under Security, use the icon for Lets Encrypt SSL to add a certificate to your domain.
What if a WordPress Site was Installed under HTTP, Do I Have to Start Over?
This might again be a specialized case that applies to older domains where WordPress is installed before all of these options for certificates were available. In this case you can install the Really Simple SSL WordPress plugin to make a site created originally for http work fully under https. See below for a link to a tutorial on how to do this.
This Kit is Confusing!
This is an attempt to explain a lot in a little box. This is where knowing that you have access to a Newbies Community to ask questions in a place where others are interested in helping you out.
Example for "Serving Your Sites under SSL":
http://domains.eduhack.eu/wp-content/uploads/sites/58/2020/07/sandbox-ssl.jpg
