13

I need some secure pages on my site. I've purchased (and my host has installed) a secure certificate for the domain in question.

What does one do at that point? How do I make certain pages secure, do I have to put them in a specific directory? Or use some headers or something? I have no idea how this works.

Hopefully someone can point me in the right direction.

ROMANIA_engineer
Edward Williams

2 Answers

10

Maybe it's much easier than you think. If your provider has installed the certificate, then just call the page with the correct protocol, that means https://www.example.com/page.html instead of http://www.example.com/page.html.

The difficult part is to make sure that the page can only be called with the HTTPS protocol and is not accessible with HTTP. Relative links will use the same protocol as the originating page.

The easiest way is surely to make your whole site HTTPS only (you can use relative links then). Some providers offer this option in their control panel. If there is no such option, you can write a .htaccess file and place it in the root directory. These lines will redirect any HTTP requests to HTTPS requests:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

Of course you should replace example.com with your own domain.

martinstoeckli
  • Hi thanks for your feedback. I had not considered the user going directly to http. Regarding making the whole site https - does this not slow everything down considerably? Or slightly? Or not at all? If not at all, maybe this is the best way to go. Thanks for your help. – Edward Williams Jan 08 '12 at 09:38
  • @Edward Williams - Yes, it's an open discussion if that slows down a site or if you can ignore it. The fact is that it is difficult to create a safe site if you switch between HTTP and HTTPS (have a look at this question http://stackoverflow.com/q/5843305/575765 ). If you don't expect **very** much traffic on your site, then I would recommend to make it HTTPS only, you probably won't note any difference at all. – martinstoeckli Jan 08 '12 at 13:14
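
One way to check the "difficult part" from the answer above, namely that pages are no longer served over plain HTTP once the redirect is in place. This is an added example, not code from the original answer; the function names and the sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

def classify(path, status, location, host="www.example.com"):
    """Judge the plain-HTTP response for one path; returns (ok, reason)."""
    if status not in (301, 302, 307, 308):
        return False, f"answered over HTTP with status {status}"
    target = urlsplit(location or "")
    if target.scheme != "https":
        return False, "redirect does not point to an https URL"
    if target.hostname != host.lower():
        return False, f"redirect goes to unexpected host {target.hostname}"
    if (target.path or "/") != path:
        return False, f"redirect changes the path to {target.path!r}"
    if status != 301:
        return True, f"redirects to https, but with {status} instead of 301"
    return True, "301 to the same path over https"

def probe(host, path, timeout=5):
    """Send one HEAD request over plain HTTP (port 80), not following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit(host, paths, fetch=probe):
    """Check every path; `fetch` can be swapped for canned responses."""
    return {p: classify(p, *fetch(host, p), host=host) for p in paths}

# Constructed sample responses, so the example runs without a network.
SAMPLE = {
    "/page.html": (301, "https://www.example.com/page.html"),
    "/login.php": (200, None),
    "/cart.php": (302, "http://www.example.com/cart.php"),
}

def sample_fetch(host, path):
    return SAMPLE[path]

if __name__ == "__main__":
    for path, (ok, reason) in audit("www.example.com", SAMPLE, sample_fetch).items():
        print("OK  " if ok else "FAIL", path, "-", reason)
```

Against a real site, call `audit("www.example.com", ["/page.html"])` with your own domain and paths; the default `probe` then makes the requests over port 80.
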
0

You have to edit your site's configuration file. You can find more info about it at (for apache2): http://www.geocerts.com/install/apache_2 (if using Ubuntu) http://www.tc.umn.edu/~brams006/selfsign_ubuntu.html

Do let me know the server you use and I can help you with the config of it too.

Neo
  • Your answer is the one ;) Thanks for getting back, we are on Apache. I'll read the links you posted. – Edward Williams Jan 04 '12 at 07:27
  • (or anyone else) - I think our host company has already set up and configured the certificate, with the steps detailed in your link. What I am really looking for is - once all that is all installed and configured - how do I make a specific page https? Thanks for your help. – Edward Williams Jan 04 '12 at 10:01
  • To make the page support https, you need to use the apache config as mentioned in the link to allow https access on those pages so that the certificate is included with the page when it is opened using https. If your webhost has done all the settings, then you can try accessing your page with https instead of http. – Neo Jan 04 '12 at 11:02
  • Hi, sorry I still don't get it. I read through the link again, this just tells me how to set up the certificate on the server, and test it works with https://secure.mysite.com. Are you then supposed to go through the site and make all relative links absolute and put "https://secure.page.php" in front of everything that needs to be secure? – Edward Williams Jan 05 '12 at 02:22
  • Yeah, if they need it to be secure.page.php then yes all of them need to be changed, or you can set the .htaccess file and then it will automatically redirect it to secure.page.php – Neo Jan 06 '12 at 09:31