SSL and Maxsons.org

Oh brother where art thou

I’ve got the website, I think, all converted to force SSL every place.  I’ve also redirected a TON of URLs via .htaccess files to secure equivalents.  Here’s a rundown of what I’ve done:

Maxsons.org -> https://www.maxsons.org
files.maxsons.org -> https://www.maxsons.org/files
media.maxsons.org -> https://www.maxsons.org/files/media
update flickr pictures to use https in both the href and img src tags

The flickr stuff was fairly easy.  I just had to run a couple of SQL queries to do a find and replace on a few fields in a few tables.  By the way, if you care, the find and replace syntax for MySQL is:

update [table_name] set [field_name] = replace([field_name],'[string_to_find]','[string_to_replace]');

http://www.mediacollege.com/computer/database/mysql/find-replace.html

In general, the check I use in the .htaccess file looks like:

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent]

In reality, it isn’t that easy.  From how I’ve seen it work, if you have one .htaccess file in a directory, that overrides something higher up.  That means I’ve had to put a .htaccess file in each of the directories for the domains above and test several cases of with www and https, without www and https, with www and no https, etc… for each case.  I think I finally have it worked out.  Worst case, the [L] directive doesn’t seem to be working.  What does L do in a .htaccess file?  Well, I think it is supposed to tell Apache to stop processing redirects.  Mine keeps going.

Oh, and while the URL gets rewritten, it doesn’t reassign variables in the .htaccess file.  That means you have to order things right so stuff works out.  Here’s an example:

RewriteCond %{HTTP_HOST} host1
RewriteRule ^.*$ https://NewLocationHost1%{REQUEST_URI} [NC,R=perman$
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !host1
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent]
RewriteCond %{HTTP_HOST} ^DomainWithNoWWW$
RewriteRule ^.*$ https://DomainWithWWW%{REQUEST_URI} [R=permanent]

When you get to line 4 (RewriteCond %{HTTP_HOST} !host1) to do the generic check of whether https is turned on or off, you also have to check that the request isn't for a different host (files vs media vs www).  If you don't, you'll end up rewriting with the generic %{HTTP_HOST}, which still holds the wrong host, and get certificate errors.
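The ordering problem above can be checked on paper before touching the server. The following is an added example, not code from the original post: a simplified model of the rule block that assumes every RewriteRule pattern there matches any path, that variables keep their original request values, and that without [L] the last matching rule wins. The function names are hypothetical.

```python
import re

# Simplified model of the rule block above (assumption: every RewriteRule
# pattern there matches any path, so only the RewriteCond lines decide).
# A condition is (variable, regex, negated), like "RewriteCond %{VAR} [!]regex".
def build_rules(guard_host=True):
    generic = [("HTTPS", "off", False)]
    if guard_host:
        generic.append(("HTTP_HOST", "host1", True))  # RewriteCond %{HTTP_HOST} !host1
    return [
        ([("HTTP_HOST", "host1", False)], "https://NewLocationHost1{REQUEST_URI}"),
        (generic, "https://{HTTP_HOST}{REQUEST_URI}"),
        ([("HTTP_HOST", "^DomainWithNoWWW$", False)], "https://DomainWithWWW{REQUEST_URI}"),
    ]

def final_redirect(https, host, uri, rules):
    """Return the Location the client is sent to, or None if no rule fires."""
    # Variables come from the original request and are never reassigned.
    env = {"HTTPS": "on" if https else "off", "HTTP_HOST": host, "REQUEST_URI": uri}
    location = None
    for conds, target in rules:
        if all((re.search(rx, env[var]) is not None) != neg for var, rx, neg in conds):
            # No [L] flag: processing continues, so a later match overwrites this one.
            location = target.format(**env)
    return location

def redirect_matrix(rules, hosts=("host1", "DomainWithNoWWW", "DomainWithWWW")):
    """Every scheme/host combination worth testing, mapped to its final redirect."""
    return {(("https" if s else "http"), h): final_redirect(s, h, "/a", rules)
            for s in (False, True) for h in hosts}

if __name__ == "__main__":
    for label, guard in (("with !host1 guard", True), ("without guard", False)):
        print(label)
        for (scheme, host), loc in redirect_matrix(build_rules(guard)).items():
            print(f"  {scheme}://{host}/a -> {loc}")
```

Without the guard, the plain-http request for host1 ends at https://host1/a instead of the new location, which is the wrong-host case that produces the certificate error.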

Oh, one other thing I did, after I had all the redirection already done, was to insert the following line into my .htaccess files:

Header set Strict-Transport-Security "max-age=31337"

http://www.debian-administration.org/article/662/Enabling_HTTP_Strict_Transport_Security_on_debian_servers

If you are wanting to do something similar, that looks like the better way to do it.  From what I’ve read (at EFF and Wikipedia) that header, by itself, would force a browser that understood it to make an https connection.  If it couldn’t, the page wouldn’t load.  But, if the browser didn’t understand it, the page would load via http.  So, if you are starting out from scratch and didn’t already have 30 lines of .htaccess written, try that.  If it works, you are done…if not, then you can delve into .htaccess and mod_rewrite.
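A browser only honours the header if its value follows the directive grammar in RFC 6797 (name=value pairs separated by semicolons, with exactly one max-age). The following is an added example, not code from the original post: a small checker for that value, with hypothetical function names and constructed sample values.

```python
import re

# Directive names must be HTTP tokens; ':' is not a token character.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def parse_hsts(value):
    """Parse a Strict-Transport-Security value.

    Returns (max_age_seconds, include_subdomains) or raises ValueError when a
    conforming browser would ignore the header. Simplification: quoted values
    containing ';' are not handled.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are allowed by the grammar
        name, sep, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not TOKEN.fullmatch(name):
            raise ValueError(f"malformed directive: {part!r}")
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        val = val.strip()
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]  # quoted-string form is permitted
        directives[name] = val if sep else None
    age = directives.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        raise ValueError("max-age is required and must be a number of seconds")
    return int(age), "includesubdomains" in directives

def is_honoured(value):
    """True if the value parses, i.e. the policy would be stored."""
    try:
        parse_hsts(value)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample values.
    for sample in ("max-age=31337", "max-age:31337", 'max-age="31337"; includeSubDomains'):
        print(f"{sample!r}: honoured={is_honoured(sample)}")
```

A max-age of 31337 seconds keeps the policy for under nine hours, so a visitor who returns the next day makes the first request without it.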

Now, why did I do this?  Over the weekend, I did some reading regarding rights and the government.  I found out that the 4th Amendment–protection against unreasonable search–doesn’t apply if you’ve shared the information with a third party.  This means the government can get a list of the phone numbers you have dialed from the phone company with just a court order…they don’t have to get a warrant.  Now, enabling https on my website doesn’t help there; however, it does allow me to use a feature of my new hosting plan (a dedicated ssl certificate) to make the logins for the website safe so prying eyes at Starbucks can’t see my username and password.  Or, better yet, someone can’t sniff my login credentials when I get set up to blog from my mobile phone (or upload pictures).  A bonus is that no one can read the other stuff as it goes over the wire…that means a “bad guy” government couldn’t sniff packets and find out what I’ve written.  Now, they could go to the website and look…but what if I make some things public and other things not…then you have to have the ID and password to login to see what’s up.

Oh, by the way, the 4th Amendment stuff I mentioned above means I may look to stop using Disqus for comments and go back to native comments.  But, on the other hand, comments are already shared with a 3rd party so is there a reasonable expectation of privacy there?  Probably not….

[Update 2012-12-26 08:12:01] I’m getting mixed content warnings.  I can’t see what’s wrong…can anyone help? They are fixed.

[Update 2012-12-27 07:32:51] If you came here looking to see how % or $ work in htaccess files, check out this post where I give some examples and explain % and $ in htaccess files.

Image from legofenris via flickr 
