How you can enable secure HTTPS on your webserver

Garikai Dzoma

As promised in an earlier post, this week we look at how, and why, you might want to set up HTTPS on your web server. We assume that you have already installed and configured your web server to serve pages over plain HTTP on port 80, as is standard.

We also assume a modern Apache server configured from the command line on Ubuntu 14.04, although the setup should work with modifications on other distros. Those who use other web servers such as Nginx and have the know-how can add their knowledge in the comments section.

Why HTTPS?

HTTPS is a must if you run an e-commerce site, no matter how small. As it stands, most payment providers require your site to have HTTPS. An HTTPS connection boosts your visitors' confidence in your site, makes man-in-the-middle attacks much harder (you will probably not stop the NSA, but the ordinary attacker will most likely move on to an easier target) and, among other things, Google treats HTTPS as a (minor) ranking signal.

There are drawbacks, real and imagined or exaggerated, to using SSL. Serving pages over HTTPS uses more server resources and adds a little latency compared with plain HTTP. These are not things you should worry about unless you receive a lot of visitors and run on a tiny server with 128 MB of RAM and a 10 Mbps connection.

The biggest issue you might encounter is if you use a free CDN plan such as Cloudflare's: at the time of writing your HTTPS setup will likely not work through it unless you upgrade to a higher or paid plan.

One workaround is to do what Google did with its search page in the early days: create a virtual host named "secure.yourwebsite.co.zw" and serve it over HTTPS, so that security-conscious users can reach your site at that address instead.

Using the same idea you can serve only the security-sensitive parts of your site over such an address: for example, serve the rest of your site over HTTP and store.yourwebsite.co.zw over HTTPS. Bear in mind that this only protects what happens on the HTTPS host. A session cookie set there will also be sent in the clear to the HTTP pages unless it is restricted to that host and carries the Secure flag, so a split site protects the checkout form but not necessarily the logged-in session.

A case

Several weeks ago I was thinking of buying a scanner and took to Google to find sellers. I clicked a link to the website of one very well-known local IT equipment supplier and noticed it had a shop section at the URL shop.somecompany.co.zw, complete with a shopping basket and checkout option.

I decided to try it: I added the scanner to the basket, checked out, was asked to register and filled in my details, selected a payment method and completed the order. At no point was the connection secure.

Not only that, but on later cursory research I discovered it was a WordPress site running an outdated version of WordPress with directory indexing and user enumeration both enabled.

In light of such folly, and the fact that almost a quarter of the websites out there use it, I have decided to use a WordPress site as the example.

How to

  • Generate a certificate for your web server using the instructions in our earlier tutorial. The certificate should be for the exact hostname you intend to serve, for example www.yoursite.co.zw; a certificate issued for yoursite.co.zw alone will produce a name-mismatch warning on the www address.
  • In addition to the CA certificate, download StartSSL's Class 1 intermediate certificate (sub.class1.server.ca.pem) to your computer. Without it, many clients cannot build a chain from your certificate to the StartSSL root and will show a warning even though the certificate itself is valid.
  • If you have not done so already, strip the passphrase from the private key so that Apache can start unattended. Run the following in the directory containing the key (tls.key is the encrypted key you saved earlier):
    openssl rsa -in tls.key -out private.key

    private.key is now unencrypted. Treat it accordingly: keep it readable by root only and delete any copies you no longer need.

  • Copy the certificates and the key to your server using the command:
    scp {ca.pem,private.key,sub.class1.server.ca.pem,ssl.crt} yourusername@serveraddress.co.zw:/home/yourusername/

    or use software such as WinSCP.

  • On the server run the commands:
    sudo a2enmod ssl
    sudo mkdir -p /etc/apache2/ssl
    sudo cp ~/{ca.pem,private.key,sub.class1.server.ca.pem,ssl.crt} /etc/apache2/ssl/
    sudo chown -R root:root /etc/apache2/ssl/
    sudo chmod 755 /etc/apache2/ssl/
    sudo chmod 644 /etc/apache2/ssl/*.pem /etc/apache2/ssl/ssl.crt
    sudo chmod 600 /etc/apache2/ssl/private.key

    The certificates are public, but the private key must not be world-readable: a recursive chmod 644 would let any local user, or any PHP script running as www-data, read the key and impersonate your site. Apache reads the key as root at startup, so 600 is sufficient. (The cp needs sudo because /etc/apache2/ssl belongs to root.)

  • Append the HTTPS virtual host directives (SSLEngine on, plus SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile pointing at ssl.crt, private.key and sub.class1.server.ca.pem in /etc/apache2/ssl) to the file /etc/apache2/sites-available/000-default.conf.
  • Run the command:
     sudo service apache2 restart
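The steps above, gathered into one script, as an added example that is not the article's own commands: it installs the four StartSSL files with the key readable by root only, generates a port 443 virtual host for the Apache 2.4.7 shipped with Ubuntu 14.04 together with a port 80 virtual host that redirects to HTTPS, and only restarts Apache after apache2ctl configtest passes. The site file name www.yoursite.co.zw-ssl.conf, the DocumentRoot /var/www/html and the --apply and --dry-run flags are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the article's own commands: install the StartSSL files
# with safe permissions and generate the Apache virtual hosts. The site file
# name, the DocumentRoot and the --apply/--dry-run flags are assumptions.
set -eu

# Copy the four files the article scp'd to ~ into SSL_DIR. Certificates are
# public (0644); the passphrase-less private key must be readable by root
# only (0600). A recursive chmod 644 would let any local user, or a PHP
# web-shell running as www-data, read the key and impersonate the site.
install_tls_files() {            # install_tls_files SRC_DIR SSL_DIR
    src=$1; dest=$2
    mkdir -p "$dest"
    chmod 755 "$dest"            # the directory itself stays traversable
    for f in ca.pem sub.class1.server.ca.pem ssl.crt; do
        cp "$src/$f" "$dest/$f"
        chmod 644 "$dest/$f"
    done
    cp "$src/private.key" "$dest/private.key"
    chmod 600 "$dest/private.key"
    if [ "$(id -u)" -eq 0 ]; then chown -R root:root "$dest"; fi
}

key_mode_is_0600() {             # key_mode_is_0600 KEYFILE -> 0 if mode is exactly 0600
    [ -n "$(find "$1" -perm 600)" ]
}

# Port 80 host that sends everything to HTTPS (an alternative to the
# .htaccess rewrite used later in the article).
render_redirect_vhost() {        # render_redirect_vhost DOMAIN DOC_ROOT
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    DocumentRoot $2
    Redirect permanent / https://$1/
</VirtualHost>
EOF
}

# Port 443 host. On Apache 2.4.7 (Ubuntu 14.04) the intermediate goes in
# SSLCertificateChainFile; SSLv2/SSLv3 are disabled and the server's
# cipher preference wins over the client's.
render_ssl_vhost() {             # render_ssl_vhost DOMAIN SSL_DIR DOC_ROOT
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    DocumentRoot $3
    SSLEngine on
    SSLCertificateFile      $2/ssl.crt
    SSLCertificateKeyFile   $2/private.key
    SSLCertificateChainFile $2/sub.class1.server.ca.pem
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5
    ErrorLog \${APACHE_LOG_DIR}/$1-error.log
    CustomLog \${APACHE_LOG_DIR}/$1-access.log combined
</VirtualHost>
EOF
}

apply() {                        # apply DOMAIN SRC_DIR  (run as root on the server)
    domain=$1
    a2enmod ssl
    install_tls_files "$2" /etc/apache2/ssl
    site=/etc/apache2/sites-available/$domain-ssl.conf
    { render_redirect_vhost "$domain" /var/www/html
      render_ssl_vhost "$domain" /etc/apache2/ssl /var/www/html; } > "$site"
    a2ensite "$domain-ssl"
    apache2ctl configtest        # refuse to restart Apache on a broken config
    service apache2 restart
}

case "${1:-}" in
    --dry-run) render_redirect_vhost "$2" /var/www/html
               render_ssl_vhost "$2" /etc/apache2/ssl /var/www/html ;;
    --apply)   apply "$2" "$3" ;;
esac
```

Run it with `--dry-run www.yoursite.co.zw` on any machine to review the two virtual hosts it would write, and with `sudo ... --apply www.yoursite.co.zw /home/yourusername` on the server once the files from the scp step are in that directory. If you prefer the article's approach of appending to 000-default.conf, the `<VirtualHost *:443>` block printed by --dry-run is what goes there.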

You should now be able to reach your site at https://www.yoursite.co.zw. Make sure TCP port 443 is open in your server's firewall, and check /var/log/apache2/error.log if you run into problems; a wrong certificate or key path, or a key that does not match the certificate, will stop Apache from starting at all.

If you are using WordPress (or any site on Apache with mod_rewrite enabled), you can make sure everyone is redirected to the HTTPS version of your site, whether they type the naked domain or the HTTP version of www.yoursite.co.zw, by adding the following lines to your .htaccess file.

<IfModule mod_rewrite.c>
RewriteEngine On
# Only rewrite requests that did not arrive over TLS
RewriteCond %{HTTPS} !=on
# 301 (permanent) rather than the default 302, so browsers and search engines remember the HTTPS address
RewriteRule ^(.*)$ https://www.yoursite.co.zw/$1 [R=301,L]
</IfModule>

Do not confuse this with the following line in wp-config.php, which is not a substitute for the redirect: it only forces HTTPS for the login page and the admin area (wp-login.php and wp-admin), not for the rest of the site.

define('FORCE_SSL_ADMIN', true);

Whichever method you use, also set the WordPress Address and Site Address in Settings > General to the https:// URL. Otherwise WordPress keeps emitting http:// links to its own scripts, styles and images, which produces mixed-content warnings, and can bounce between the two addresses in a redirect loop.

A plugin called WordPress HTTPS lets you serve HTTPS on a select number of pages. You can use it to have the best of both worlds: HTTPS on pages that require it and HTTP on pages that have no need for it.
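To confirm that the redirect, the certificate chain and the WordPress URLs are right after the change, here is an added example, not part of the original post, of a small check script. The response headers, openssl s_client output and HTML it ships with are constructed samples, and www.yoursite.co.zw is a placeholder; the --check flag (an assumption of this example) runs the same three tests against a live site with curl and openssl.

```shell
#!/bin/sh
# Added example, not from the article: post-setup checks for an HTTPS site.
# www.yoursite.co.zw is a placeholder; the samples below are constructed.
set -eu

# 0 if HEADERS (a raw HTTP response header block) is a permanent redirect
# to https://DOMAIN/..., which is what the .htaccess rule should produce.
redirects_to_https() {           # redirects_to_https DOMAIN HEADERS
    domain=$1
    printf '%s\n' "$2" | tr -d '\r' | grep -qE '^HTTP/1\.[01] 301' || return 1
    printf '%s\n' "$2" | tr -d '\r' | grep -qiE "^Location: https://$domain/" || return 1
}

# 0 if `openssl s_client` output shows a chain that verifies. Forgetting
# SSLCertificateChainFile (the StartSSL intermediate) typically yields
# "Verify return code: 21 (unable to verify the first certificate)".
chain_verifies() {               # chain_verifies S_CLIENT_OUTPUT
    printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

# Print every src=/href= attribute in HTML that still points at http://.
# Scripts, images and stylesheets loaded that way are mixed content; on
# WordPress this usually means siteurl/home were not updated to https://.
mixed_content() {                # mixed_content HTML
    printf '%s\n' "$1" | grep -oE '(src|href)="http://[^"]*"' || true
}

# Constructed samples standing in for real responses.
SAMPLE_OK_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://www.yoursite.co.zw/
Content-Length: 0'
SAMPLE_NO_REDIRECT='HTTP/1.1 200 OK
Content-Type: text/html'
SAMPLE_OK_CHAIN='depth=0 CN = www.yoursite.co.zw
verify return:1
---
    Verify return code: 0 (ok)'
SAMPLE_BAD_CHAIN='depth=0 CN = www.yoursite.co.zw
verify error:num=21:unable to verify the first certificate
---
    Verify return code: 21 (unable to verify the first certificate)'
SAMPLE_HTML='<html><head>
<link rel="stylesheet" href="http://www.yoursite.co.zw/wp-content/themes/x/style.css">
<script src="https://www.yoursite.co.zw/wp-includes/js/jquery.js"></script>
</head><body><img src="http://www.yoursite.co.zw/wp-content/uploads/logo.png"></body></html>'

check_site() {                   # check_site DOMAIN  (needs network, curl and openssl)
    domain=$1
    hdr=$(curl -sI "http://$domain/" || true)
    if redirects_to_https "$domain" "$hdr"; then echo "redirect: ok"; else echo "redirect: MISSING"; fi
    # -servername sends SNI, so a shared-IP server picks the right certificate
    out=$(openssl s_client -connect "$domain:443" -servername "$domain" </dev/null 2>&1 || true)
    if chain_verifies "$out"; then echo "chain: ok"; else echo "chain: NOT VERIFIED"; fi
    page=$(curl -s "https://$domain/" || true)
    mixed=$(mixed_content "$page")
    if [ -z "$mixed" ]; then echo "mixed content: none"; else printf 'mixed content:\n%s\n' "$mixed"; fi
}

case "${1:-}" in
    --check) check_site "$2" ;;
    --demo)  redirects_to_https www.yoursite.co.zw "$SAMPLE_OK_HEADERS" && echo "sample redirect: ok"
             chain_verifies "$SAMPLE_OK_CHAIN" && echo "sample chain: ok"
             echo "sample mixed content:"; mixed_content "$SAMPLE_HTML" ;;
esac
```

`--demo` exercises the three checks on the constructed samples; `--check www.yoursite.co.zw` runs them for real. A redirect that comes back as 302 rather than 301, a chain that does not verify, or any http:// line in the mixed-content list points at the corresponding step above.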

As always, you can leave your insightful and helpful comments below.

5 comments

  1. kilotango

    Hi Garikai, I think you may want to edit the title of your article to "how HTTPS can get you a secure website". HTTPS and SSL certificates do almost nothing to protect a webserver.

    1. Garikai Dzoma

      Thanks. Tweaked the title a bit.

      1. Beaton Nyamapanda

        Whilst on this topic of security for web servers, you can probably write an article on using free tools like ConfigServer Firewall (csf), the maldet scanner and ClamAV, and the paid ConfigServer eXploit Scanner, for webmasters running their web servers, to provide real security and protection from malicious uploads, hackers and so on.

  2. Tinarwo

    Hi, we have a payroll solution that sends your pay slip through a browser using a local IP address. I need to create a virtual address, mycompany.co.zw, so that I can send out pay slips in the public domain. Please advise; I have not done web publishing.

    1. Garikai Dzoma

      First of all, the term "virtual address" has a very specific meaning in the email world and I am not sure you mean it like that.

      Does your payroll system allow you to send payslips to everyone's addresses, i.e. as a list? How is it sending emails? That's the first thing: you need to understand how things work at the moment. If the email server is sending emails directly then you need to figure out whether it supports sending mail through a relay, i.e. configuring it almost the same way as one would configure Outlook. For example, my router is behind a firewall, but I have configured its settings to email me the log file every 12 hours via one of my mail servers; that way I can view the files no matter where I am.

      If your system allows setting up a relay then you should consider the following setup. Since it's unlikely that you have 12,000 employees, you can use https://www.mandrill.com/ as your relay server. Follow their guide.

      You will have to register for a domain with name.co.zw first before you make the setup.