# Enabling SSL as default for website



## dpalme (Mar 24, 2015)

Is there anything special that I need to do, in order to enable SSL as the default for a website?


----------



## Oko (Mar 24, 2015)

Yes! 

https://www.digicert.com/ssl-certificate-installation-nginx.htm

BTW Self signed certificates are useless as they fail to provide authentication (they are only good for encryption part) so you will have to pay some money for the real one.


----------



## obsigna (Mar 24, 2015)

dpalme said:


> Is there anything special that I need to do, in order to enable SSL as the default for a website?



If the question is, how a website would default (force) to https, and if your web server is Apache then enable the rewrite module and apply the following rewrite directives for the website:

```
RewriteEngine      on
RewriteCond        %{HTTPS} off
RewriteRule        ^(.*)$  https://%{HTTP_HOST}%{REQUEST_URI}
```


----------



## SirDice (Mar 24, 2015)

Without using mod_rewrite this also works:

```
<VirtualHost *:80>
  ServerName www.example.com
  Redirect / https://www.example.com
</VirtualHost>

<VirtualHost *:443>
  ServerName www.example.com
  ...
  ...
</VirtualHost>
```


----------



## dpalme (Mar 24, 2015)

Sorry I didn't get back until now - the dog ate my homework  Seriously that was my daughters' excuse this morning....

So I purchased an SSL certificate from THAWTE last evening - the 123SSL.  I created a CSR and sent it to them along with the pertinent information and they responded with what looks like a "combined" file - the top says "web Server CERTIFICATE" followed by an "intermediate CA".

I'm just not sure how to install this now.

I uncommented the following line in http.conf:

```
Include etc/apache22/extra/httpd-ssl.conf
```
I added a VirtualHost section to the httpd-ssl.conf.

Apache loads OK but when I try to access a secure page, using Firefox I get an untrusted connection message, and on IE from another machine I get some page "It Works", which I'm assuming is the default install and its not hitting my file at all.

Suggestions on where to back up to and start over at?


----------



## dpalme (Mar 24, 2015)

Ok I believe I got it working.  I split the intermediate and the web key into two separate files and reconfigured the <VirtualHost> section of the ssl.conf file.... and it comes up, no errors and the padlock is locked.


----------



## dpalme (Mar 24, 2015)

Is there any SEO impact with Google or Bing with using the redirect versus mod-rewrite?


----------



## SirDice (Mar 24, 2015)

dpalme said:


> I uncommented the following line in http.conf
> 
> ```
> Include etc/apache22/extra/httpd-ssl.conf
> ...


To each his own I guess, but I simply add files in /usr/local/etc/apache2[24]/Includes/. If you number them, like 000-default.conf and 001-example.com.conf, you can control which gets loaded first. I do enable and edit extras/httpd-default.conf but that's about it.

I would suggest defining a default site. You have to realize virtual hosts only work on the "Host:" header. It's this feature of HTTP version 1.1 that allows you to host multiple, independent, websites on a single IP address. The default website is what's being called if a client sends a "Host:" header that's not defined. Or if the client uses a HTTP version 1.0 request. So it's a good idea to have it point somewhere safe. The default Apache installation should be relatively safe to keep.


----------



## drhowarddrfine (Mar 25, 2015)

dpalme said:


> Ok I believe I got it working.  I split the intermediate and the web key into two separate files and reconfigured the <VirtualHost> section of the ssl.conf file.... and it comes up, no errors and the padlock is locked.


I'm a little concerned about this though it sounds like you got it working. I haven't used Apache in quite a while but I have to combine the intermediate and root certs from some authorities while others do that for you and I think yours did. The key should not be tied into those as I guess you found out.


dpalme said:


> Is there any SEO impact with Google or Bing with using the redirect versus mod-rewrite?


Since you are doing the whole site in ssl, you want to do a redirect cause rewriting will still accept incoming traffic to non-ssl pages. This splits up traffic count between the two while redirecting combines them all into one. You can also notify Google of this in Webmaster Tools. 

Screw Bing. No one cares.


----------



## dpalme (Mar 26, 2015)

Thanks for the replies everyone, SirDice - thanks for the "Thanks" it is appreciated.  I don't always get it right the first time, but I do eventually learn 

I set it to do a redirect and that took care of the SSL issue.

SirDice, I'll set a default with the httpd-default.conf to cover for those issues you stated.

Again, thanks to everyone for your help.


----------

