I am new to setting up SSL, so please bear with me....
My boss would like our site (which is a working Drupal site) to use SSL to protect the site and its information. Am I correct in understanding the steps I need to take:

1.) Obtain a dedicated IP from my host and purchase an SSL certificate through them or another party.

2.) Ask my webhost (Hostgator) to set up the SSL

3.) Install the Secure Pages module

4.) Follow module instructions to set up (I assume when I install the module there'll be some sort of instructions on using it).

Then, certain pages that I designate will be secure (i.e., https://www.mysite.com)

Is this correct?

Attachment (#4, 12-15-2009): loginpic.png, 8.03 KB, by ShannonK

Comments

vitis wrote:

sub

Dublin Drupaller wrote:

having used this (excellent) module before, that looks about right.

ShannonK wrote:

So, I did the steps in #1 and all went smoothly. But, if a person were to type in www.mysite.com, it shows the http: rather than https:. So when they login, that information (their name and password) could go out over the web, since it's not secure until after they login.

For instance, if you have a Yahoo email account, the first page, Yahoo.com, is not secure; then, when you click on the Email link to log in to your email, it takes you to a secure page.

Is there a way in Drupal to have a secure login utilizing https ??

ShannonK wrote:

Attachment: loginpic.png (8.03 KB)

So I noticed there's a little gold key in the upper right-hand corner of the login box (see attached pic). Sorry if this is a dumb question...but does this mean login is secure? Or is this just a graphic?

izmeez wrote:

I have not used secure pages and am curious to learn how that module handles this.

I have done this before in the .htaccess file with the following:

# Apache/PHP/Drupal settings:
#
# For this site only

# SSL redirect: this redirects every request on this host to SSL.
# Uncomment and adapt the following:
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "example.com"
# Plain-http requests are refused with a 403; pointing the 403 error
# document at a URL makes Apache send the browser to the https site instead.
ErrorDocument 403 https://example.net

I'm curious to learn how else it can be done because the approach I used with .htaccess does not allow using the same host account for additional domains that are not using the ssl.

Izzy

vitis wrote:

re: being able to see http

So, I did the steps in #1 and all went smoothly. But, if a person were to type in www.mysite.com, it shows the http: rather than https:. So when they login, that information (their name and password) could go out over the web, since it's not secure until after they login.

Are you wanting your site to always be https? If so, you need to redirect your site in your htaccess file. Your hosting company can help with this, if needed.

(basically same advice as above)

ShannonK wrote:

It's my understanding that having a whole site, every page, as https is very taxing on the server (correct me if I'm wrong). So, I was planning on only having certain pages be secure, which is something I can use the Secure Pages module to accomplish. The problem I'm having is with the login. If you go to www.mysite.com and login, you've just entered your login information in the clear. Secure Pages has the option "Make secure only the listed pages", and so I list pages there; however, it is only secure if you are logged in. It's not that I really need to be secure....it's just that I need the LOGIN to be secure, and then various other pages of the site.

I'm sure someone out there has a drupal site with a secure login...I just don't know how to do it.

vitis wrote:

Ooh - Yes, you do want your login information to be encrypted.

I have my whole site https because I didn't want users to get the message "you are leaving an encrypted page." But, you have a good point about site performance. Let me know how this goes - I may join you with mixing my pages.

Some things you could try (don't know if it will work):

1) Change the page where you login. List the login page as a page you want to be secure.

https://mysite.com/?q=user is a valid log in page. You could choose not to have the login block on your front page - you may need to specify that you want the login block visible on your designated page. Then you could put a "member login" link (maybe in secondary links) that points to https://mysite.com/?q=user . And you could list ?q=user in secure pages > Pages: .

2) List node in the pages you want secure. mysite.com/node is also the front page. If you do this, visitors will probably get the message "you are leaving an encrypted page" when they click on a landing page link.

ShannonK wrote:

Well, you made an excellent point about the "you are leaving...." message. I don't want my visitors to see that pop up all the time either. So, I think I'm going to contact my host about having the whole site encrypted, and then I'll see how it affects the speed of the site, if at all. Did you notice any performance change in your site when you switched it to be totally encrypted, or was it totally encrypted from the beginning?

If I don't like how the site is performing after making the whole thing secure...I'll probably try your suggestion. That is a good idea, but I really don't want people getting warning messages all the time.

Hmmm.

vitis wrote:

I didn't notice my site getting slower after it became https. But, I did not look at the page load speed pre and post ssl.

About warning messages when going from secure to not secure - if you have only node/add* , node/*/edit , user/* , and admin* sections of the site secure, users will only get a warning message while they are logged in then leave those areas. That doesn't seem too bad. Non logged in visitors shouldn't get any warning messages.

ShannonK wrote:

To edit the .htaccess file, what's the preferred way to open it and edit it? Using Cpanel's code editor, the text is jumbled, and it's hard to click on a line (anyone else encounter this odd behavior?). Also, where in the file do I insert the code? Does it matter?

My host gave me this code:

# Always use https for secure connections
# Replace 'www.example.com' with your domain name
# (as it appears on your SSL certificate)
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

Is this basically the same as the code in #5? Which should I use?

vitis wrote:

see below

vitis wrote:

This is what is added to the end of my .htaccess file

# BELOW ADDED BY ME
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://www.mysite.org/$1 [R,L]

Oh, but you first need to get into it. Go to File Manager>highlight .htaccess>right click or click on an icon to change permissions so user (you) can read and write to it>click on the edit icon on the page to edit the file>change permissions back. If you double click to open the file, you might open it with the editor on your computer - that could be ugly.

Here is what I did a while back: I installed the ssl following the directions that came with it. Then I redirected the site from http to https through cpanel>domains>redirects. I then realized I did the redirect wrong, undid my redirect, and did it again correctly. But, that did not work. So, I called hostgator to help me. While I was asking them what I should do, they fixed the .htaccess file for me! They said the first redirect attempt was not erased and conflicted with my second, but correct, try.

You could successfully redirect your site through cpanel>domains>redirects or by adding text to the end of your .htaccess file.

If that doesn't work - call your host. Hopefully, they will be as helpful as hostgator.

ShannonK wrote:

Thank you so much for the step-by-step on changing the .htaccess. It's an easy thing, but I was nervous I'd mess something up! Anyway, I decided to use your instructions and then insert the code my host (also Hostgator) gave me, since they haven't misdirected me yet. It worked! Site is all secure now. I'm going to go with it like this, until I run into a reason not to, but for the moment my boss is very happy. Thank you for your help!

ShannonK wrote:

Update: I've found a conflict with Secure Pages and Views. I want to disable Secure Pages anytime I'm creating a View, so I go to admin/build/securepages and tell it to "Make secure every page except the listed pages:" views/* . However, the https stays https when I go to Views and try to add or edit a view. Is this because I set up the https with my host? (so it's hard-coded or something and Secure Pages can no longer tell it what to do??). Is there a workaround since Secure Pages won't let me "unsecure" the pages I need? I'm stumped.

vitis wrote:

Try listing these 2 as pages to exclude:

views/*
views

ShannonK wrote:

I did have views/* and I just added views to the exclusion list. However, all views pages still show as https. Does the redirect in htaccess trump all other instructions so it doesn't matter what I tell Secure Pages to do?

I haven't gone far with it yet, but I found that if I disabled Javascript in Views, then it'll let me use it again. I don't know why this would be. So, for now it's working, but I don't understand why it wasn't working in the first place or why turning off Javascript is making it work now. I'll post back if I ever figure that out. Or if someone can enlighten me, please do.
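An added example (not code from this thread, from Hostgator, or from the Secure Pages module) that models the two stages a request passes through, to address the two questions left open above: whether the host's rule (RewriteCond on SERVER_PORT) and vitis's rule (RewriteCond on HTTPS) behave the same, and whether the .htaccess redirect trumps Secure Pages. The function names, the `switch_back` flag and the reuse of the request's own hostname in the redirect are assumptions of this model.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit, urlunsplit


def apache_redirect(url, rule):
    """Stage 1: the .htaccess rewrite. 'server_port' models the host's
    'RewriteCond %{SERVER_PORT} 80'; 'https_flag' models vitis's
    'RewriteCond %{HTTPS} !=on'; None means no rewrite rule at all.
    Unlike the host's snippet, the request host is reused (assumption)."""
    u = urlsplit(url)
    if rule == "server_port":
        plain = u.scheme == "http" and (u.port or 80) == 80
    elif rule == "https_flag":
        plain = u.scheme != "https"
    else:
        plain = False
    if plain:
        return urlunsplit(("https", u.hostname, u.path, u.query, ""))
    return url


def secure_pages(url, patterns, mode, switch_back=False):
    """Stage 2: Secure Pages path matching ('*' wildcards, '<front>' for
    the front page). mode 'only' secures listed pages, 'except' secures
    all but the listed ones. switch_back (an assumed option) would send
    excluded pages back to http; the thread's observed behaviour is False."""
    u = urlsplit(url)
    path = u.path.strip("/") or "<front>"
    matched = any(fnmatchcase(path, p) for p in patterns)
    want_https = matched if mode == "only" else not matched
    if want_https and u.scheme != "https":
        return urlunsplit(("https",) + u[1:])
    if not want_https and u.scheme == "https" and switch_back:
        return urlunsplit(("http",) + u[1:])
    return url


def final_scheme(url, rule, patterns, mode, switch_back=False, limit=10):
    """Follow redirects hop by hop; Apache always runs before Drupal.
    Returns the scheme the browser settles on, or 'loop' if it never does."""
    for _ in range(limit):
        nxt = apache_redirect(url, rule)
        if nxt == url:
            nxt = secure_pages(url, patterns, mode, switch_back)
        if nxt == url:
            return urlsplit(url).scheme
        url = nxt
    return "loop"
```

Because Apache rewrites the request before Drupal ever runs, an unconditional http-to-https rule leaves Secure Pages nothing to decide: an exclusion list can only stop the module from upgrading a page, which is why views/* still shows https. The two .htaccess conditions only differ for non-standard ports, where the SERVER_PORT check lets plain http through.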

astonvictor wrote:

Status: Active » Closed (outdated)

I'm closing it because the issue was created a long time ago without any further steps.

If you still need it, then raise a new one.
Thanks.