Enforcing SSL Encryption for the Opencms workplace
m (→Enforce secure login) |
|||
| (4 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
== Prerequisites == | == Prerequisites == | ||
| − | The main prerequisite for this is that the workplace ''can'' be reached through SSL at all. For this to | + | The main prerequisite for this is that the workplace ''can'' be reached through SSL at all. For this to work, the webserver must be configured to use SSL and it needs a certificate and a private/public key pair. |
| − | The certificate certifies that the server is authentic - that means - that no other server | + | The certificate certifies is usually created by a third party (a so-called certificate authority) which certifies that the server is authentic - that means - that no other server has been set up that only pretends to be your server. The private/public key pair is used for starting the encryption process itself. |
| + | |||
| + | For not-very-public setups, a self-signed certificate will be sufficient. In that case a third person, that does not know the website administrator will not be able to certify that the server is really the authentic server that should serve the given website. But still the website is encrypted, so if all participants know directly that the server and its certificate is trustworthy, then a self-signed certificate will be enough. Most web hosting providers offer tools that generate and install a set of keys plus a self-signed certificate into the webserver. | ||
| − | |||
== Enabling SSL for the workplace == | == Enabling SSL for the workplace == | ||
| Line 11: | Line 12: | ||
If the webserver has been configured to allow SSL, then the workplace URL must be changed. | If the webserver has been configured to allow SSL, then the workplace URL must be changed. | ||
| − | The configuration file | + | The relevant setting is in '''[[opencms-system.xml]]''', a configuration file located in [[:Category:Configuration_Files|OpenCms' configuration folder]]. In this file, find the '''workplace-server''' node under '''sites''', e.g.: |
<sites> | <sites> | ||
| − | <workplace-server>http:// | + | <workplace-server>'''http'''://www.server-name.com/opencms/opencms/</workplace-server> |
<''!-- etc --''> | <''!-- etc --''> | ||
</sites> | </sites> | ||
| − | + | In the '''workplace-server''' node, change "http" to "https" so that the workplace can be accessed with SSL (https): | |
<sites> | <sites> | ||
| − | <workplace-server>https:// | + | <workplace-server>'''https'''://www.server-name.com/opencms/opencms/</workplace-server> |
<''!-- etc --''> | <''!-- etc --''> | ||
</sites> | </sites> | ||
| + | Save and restart OpenCms. | ||
| + | |||
| + | |||
| + | == Enforce secure login == | ||
| + | |||
| + | To enforce secure login, set up a HTTP-->HTTPS redirect for the login URLs. | ||
| − | + | An example redirect, for Apache ''(added inside the relevant :80 VirtualHost)'': | |
| + | # Turn on rewrite engine (if necessary) | ||
| + | RewriteEngine on | ||
| + | # Enforce secure login | ||
| + | RewriteRule ^/system/login/(.*)$ <nowiki>https://your.site.domain/system/login/$1</nowiki> [R=301,L] | ||
Latest revision as of 15:43, 16 April 2014
Prerequisites
The main prerequisite for this is that the workplace can be reached through SSL at all. For this to work, the webserver must be configured to use SSL and it needs a certificate and a private/public key pair.
The certificate certifies is usually created by a third party (a so-called certificate authority) which certifies that the server is authentic - that means - that no other server has been set up that only pretends to be your server. The private/public key pair is used for starting the encryption process itself.
For not-very-public setups, a self-signed certificate will be sufficient. In that case a third person, that does not know the website administrator will not be able to certify that the server is really the authentic server that should serve the given website. But still the website is encrypted, so if all participants know directly that the server and its certificate is trustworthy, then a self-signed certificate will be enough. Most web hosting providers offer tools that generate and install a set of keys plus a self-signed certificate into the webserver.
Enabling SSL for the workplace
If the webserver has been configured to allow SSL, then the workplace URL must be changed.
The relevant setting is in opencms-system.xml, a configuration file located in OpenCms' configuration folder. In this file, find the workplace-server node under sites, e.g.:
<sites> <workplace-server>http://www.server-name.com/opencms/opencms/</workplace-server> <!-- etc --> </sites>
In the workplace-server node, change "http" to "https" so that the workplace can be accessed with SSL (https):
<sites> <workplace-server>https://www.server-name.com/opencms/opencms/</workplace-server> <!-- etc --> </sites>
Save and restart OpenCms.
Enforce secure login
To enforce secure login, set up a HTTP-->HTTPS redirect for the login URLs.
An example redirect, for Apache (added inside the relevant :80 VirtualHost):
# Turn on rewrite engine (if necessary) RewriteEngine on # Enforce secure login RewriteRule ^/system/login/(.*)$ https://your.site.domain/system/login/$1 [R=301,L]
