SSL/HTTPS Access¶
Enable Auto SSL (Let’s Encrypt) or add your Own Certificate to make your website reachable over HTTPS. Nowadays, this is considered good practice and should be enabled on all websites.
When SSL is enabled, access to the website by HTTP is not possible anymore but redirectet to HTTPS instead (HTTP Redirect for details).
Auto SSL (Let’s Encrypt)¶
We support free ssl certificates by Let’s Encrypt. Just activate Let’s Encrypt on your desired website. The certificates are automatically renewed 30 days before expiration.
Debug validation problems¶
In order to debug validation issues, we introduced the letsencrypt-renew
shortcut which will trigger a run of our Let’s Encrypt client, and let you see all debug output to identifiy possible problems.
Make sure that all hosts added to
Server name
point to the correct server (A and AAAA DNS records).Let’s Encrypt will try to reach your website at the endpoint
/.well-known/acme-challenge/
for validation purposes. Make sure that you do not overwrite this path within your own nginx configuration.You can check access to the validation directory by yourself by fetching the control file reachable at
http://example.com/.well-known/acme-challenge/monitoring
Renewal¶
Certificates from Let’s Encrypt will be valid for 90 days. They are renewed automatically as soon as they expire in under 30 days. You can follow these checks and renewals by grep for letsencrypt
in /var/log/syslog
.
Furthermore, we check all certificates from our monitoring and will contact you if there are certificates expiring in less than 21 days.
Export¶
Existing Let’s Encrypt certificates are saved within /etc/nginx/ssl
and
can be read with the Generic Admin User.
This is useful if you want to temporarily use the old certificate on a new server.
Own Certificate¶
You can add your own certificate by using the SSL cert and SSL key fields within the desired websites Advanced tab.
Before installing a custom certificate, please make sure that:
your key matches your certificate
all required intermediate certificates are included
you used up-to-date settings to generate your key and signing request
Tip
Please contact us if you are not proficient with this topic. We are happy to guide you through the process and can also order and install custom certificates on your behalf.
HTTP Redirect¶
By default, all HTTP requests within a given website are redirected
to HTTPS keeping the hostname supplied by the client. If you want to
change this behaviour somehow, for example by always redirect to the
first hostname of the vhost, you can set http_redirect_dest
string
within the Custom JSON Website Level Configuration:
{
"http_redirect_dest": "https://$server_name$request_uri"
}
Furthermore, it is possible to set the redirect destination globally
through website::http_redirect_dest
which will be used on all
HTTP redirects without a explicitly set http_redirect_dest
within the Custom JSON Server Level Configuration:
{
"website::http_redirect_dest": "https://$server_name$request_uri"
}
Advanced Configuration¶
We will make sure that all required settings do match the state of the art configuration. Usually it is not required to change those settings, nevertheless it is possible and might be required in certain use cases.
Cipher Suite¶
Configure your desired cipher suite trough website::ssl_ciphers
within the Custom JSON Server Level Configuration:
{
"website::ssl_ciphers": "desired-cipher-suites"
}
Warning
We configure and update this value with sane defaults. Overwrite only when really required, and if you are aware of the consequences.
Diffie-Hellman parameters¶
Diffie-Hellman parameters are used for perfect forward secrecy. We supply default Diffie-Hellman parameters and update them on a regular schedule. If you want to use your own Diffie-Hellman parameters, you can generate them:
openssl dhparam -out /tmp/dhparam.pem 4096
and configure them trough website::ssl_dhparam
within the Custom JSON Server Level Configuration:
{
"website::ssl_dhparam": "-----BEGIN DH PARAMETERS-----\nMIICCAKCAgEAoOePp+Uv2M34IA+basW9CBHp/jsZihB3FI8KVRLVFJPIUJ9Llm8F\n...\n-----END DH PARAMETERS-----"
}
HSTS Header¶
By default, we add a HTTP Strict Transport Security (HSTS) header to each SSL enabled website:
Strict-Transport-Security max-age=63072000 always;
Use the header_hsts
string to override the default HSTS header
within the Custom JSON Website Level Configuration:
{
"header_hsts": "max-age=3600; includeSubDomains; preload"
}
You can also disable HSTS as follows:
{
"header_hsts": "max-age=0"
}
Tip
See the OWASP HTTP Strict Transport Security Cheat Sheet for details.
Test¶
We recommend the following online services for testing: