Showing posts with label https. Show all posts
Showing posts with label https. Show all posts

Monday, September 9, 2013

Redirect your site to https and www using htaccess

<ifmodule mod_rewrite.c>
   RewriteEngine on

   RewriteCond %{HTTPS} off
   RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
   RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

   RewriteCond %{HTTPS} off
   RewriteCond %{HTTP_HOST} !^www\.(.+)$ [NC]
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

   RewriteCond %{HTTPS} on
   RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
   RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

   RewriteRule    ^$ app/webroot/    [L]
   RewriteRule    (.*) app/webroot/$1 [L]
</ifmodule>

Tuesday, July 23, 2013

Create Self-Signed Certificate Windows

At first install OpenSSL in your windows machine.

Several files related to your your SSL certificate will be created in this section, so choose a common base name to use. In my examples I use "blarg", which I've italicised to show it should be replaced by your choice. In practice, I recommend extracting the essence from your domain name; for example, if I was creating a certificate for https://www.neilstuff.com/ then I'd use "neilstuff".
Open up a command prompt and go to the directory where you unzipped OpenSSL and run the following command to create a new certificate request:

openssl req -config openssl.cnf -new -out blarg.csr -keyout blarg.pem


You'll be prompted to answer many questions, which ones depend on your openssl.cnf file; all except two of these can be left blank:
  • PEM pass phrase: Password associated with the private key (blarg.pem) you're generating. Since we'll be removing this for the benefit of Apache 2.0.X, I suggest using something like "none" or "password".
  • Common Name: The fully-qualified domain name associated with this certificate. In my example, I use www.blarg.com which means I damn well better use that certificate on https://www.blarg.com/. For personal security, testing, or intranets it's okay for this to not quite match -- just be prepared to deal with warnings from web browsers and such.
Now it's time to create a non-password protected key for Apache 2.0.X by executing the following:
openssl rsa -in blarg.pem -out blarg.key

The only thing you'll be asked is the password you had used. Your resulting KEY file is essential the same thing as the PEM, just not password protected.
Before we go on, delete the .rnd file. This contains entropy information which could be used by malicious people to try and crack your certificate later on (if they get a hold of it).
Finally, run the following command to create an X.509 certificate, e.g. the kind of certificate that SSL likes to munch:
openssl x509 -in blarg.csr -out blarg.cert -req -signkey blarg.key -days 365

 
Congratulations, you've created a self-signed certificate! Keep the KEY and CERT files some place safe, we'll be using them soon.

Redirect To SSL Using Apache’s .htaccess

There are plenty of times I want to require users to be accessing a site only via SSL. My first try at this was to simple create a .htaccess file that contained SSLRequireSSL, which basically tells Apache that access to a site can only be allowed if SSL is being used. This accomplished what I wanted, but it brought a side issue to requiring SSL, users often leave off (or forget) the the s in https. So after a little bit of digging around I found another approach to this. The new .htaccess file looks like this:


RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
The first line tells Apache we are going to use mod_rewrite. The second line only matches if the port being used to access the site is 443 (the port reserved for https use). If that second line matches then the third takes kicks in, which simply redirects the user to the SSL version of your URL. This still enforces the use of SSL, but saves you from trying figure why you can’t get to your site just because you forget the s in https.

Thursday, April 25, 2013

cURL in PHP to access HTTPS (SSL/TLS) protected sites

The problem


From PHP, you can access the useful cURL Library (libcurl) to make requests to URLs using a variety of protocols such as HTTP, FTP, LDAP.

If you simply try to access a HTTPS (SSL or TLS-protected resource) in PHP using cURL, you’re likely to run into some difficulty. Say you have the following code: (Error handling omitted for brevity)

// Initialize session and set URL.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);

// Set so curl_exec returns the result instead of outputting it.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    
// Get the response and close the channel.
$response = curl_exec($ch);
curl_close($ch);

If $url points toward an HTTPS resource, you’re likely to encounter an error like the one below:

Failed: Error Number: 60. Reason: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.

The quick fix


There are two ways to solve this problem. Firstly, we can simply configure cURL to accept any server(peer) certificate. This isn’t optimal from a security point of view, but if you’re not passing sensitive information back and forth, this is probably alright. Simply add the following line before calling curl_exec():


curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);