WordPress.org

Ready to get started?Download WordPress

Forums

WordPress HTTPS (SSL)
[resolved] [Plugin: WordPress HTTPS] What is the purpose of the shared SSL option? (35 posts)

  1. Olivier
    Member
    Posted 3 years ago #

    Hello,
    What is the purpose of the shared SSL option?
    I'm using the extension on a WP Network, meaning that the main domain's certificate is used and I get warnings when connecting to the mapped domains. Is that option trying to fix this?

    Cheers,

    Olivier

    http://wordpress.org/extend/plugins/wordpress-https/

  2. Mvied
    Member
    Plugin Author

    Posted 3 years ago #

    Yes!

    If your website is http://www.example.com and your SSL certificate is a shared certificate at http://ssl-account.com/example.com, then you could turn on the Shared SSL option and enter that as your Shared SSL Host and it should solve your issues with warnings.

    That's the idea anyways. If you run into issues, let me know. This part of the plugin is very new and has only been testing one one site (that I know of). If anyone has used the plugin for Shared SSL successfully, I'd like to see it. :)

    Thanks for downloading!

  3. Olivier
    Member
    Posted 3 years ago #

    OK.
    I just tried and it didn't work for me
    I tried:
    sub.domain.com
    http://sub.domain.com
    https://sub.domain.com

    Could be because I'm using multiple certs per IP, could be something else.

  4. Mvied
    Member
    Plugin Author

    Posted 3 years ago #

    Well, you can't use just any SSL, you have to be sure that it is a Shared SSL that you are allowed to use. I've never used one personally, but I hear that's how it works. :P

    When writing this addition to the plugin, I actually used a user's site to test and debug.

  5. Olivier
    Member
    Posted 3 years ago #

    Hmmm...
    Maybe we don't have the same definition?
    To me, a shared cert is the one attached to an IP or a vhost. No matter which domain name you're using, the web server will always present you that one cert that was assigned to that IP/Vhost.

    In this example, the cert will only be valid for http://www.shared.domain.com or shared.domain.com
    <VirtualHost IP:443 >
    SSLEngine on
    SSLCertificateFile /home/shared.domain.com.cert
    SSLCertificateKeyFile /home/shared.domain.com.key

    ServerName http://www.shared.domain.com
    ServerAlias http://www.shared.domain.com shared.domain.com
    ServerAlias otherdomain.com superdomain.com extradomain.com
    </VirtualHost>

    Is the plugin trying to load content using shared.domain.com while maintaining links with the proper URL?
    In my tests, all the links were using otherdomain.com

  6. Mvied
    Member
    Plugin Author

    Posted 3 years ago #

    Yes, the plugin uses the Shared SSL Host as a proxy. If your Shared SSL is issued through simply going to https://www.yoursite.com you don't need this option.

    Basically, where the plugin would normally redirect/replace http://www.yoursite.com/ with https://www.yoursite.com/ it would replace it with whatever you type in your Shared SSL Host.

    Like I said, I've never used them so my terminology and such might be off, but I know this worked for one site, so there must be other sites that need this functionality.

    Maybe I should change the wording if it is misleading?

  7. Olivier
    Member
    Posted 3 years ago #

    Oh, maybe I see what you mean.

    Let's say I have http://domain.com, but I have a secure form on the site that I want to make accessible via SSL.

    If my web host allows me to use a shared cert, then I would type it in the preferences and I would automatically be redirected to https://shared.webhost.com on that specific secure form page.

    If I have my own cert, then I wouldn't need this, it would automatically be used when going to https://domain.com

  8. Mvied
    Member
    Plugin Author

    Posted 3 years ago #

    You got it. I'm actually asking the author of the test site I used if I can post his site as an example so that people can see it in action.

    So, say you had something like a checkout page at http://www.example.com/checkout/, that you wanted to be secure, and your host provides a Shared SSL. You could simply enable this option, type in the shared ssl host (example: https://shared.webhost.com/example.com) and when someone hits http://www.example.com/checkout/ they will be redirected to https://shared.webhost.com/example.com/checkout/.

    It also fixes images, stylesheets, scripts, etc. in the same fashion.

  9. Mvied
    Member
    Plugin Author

    Posted 3 years ago #

    Hey, he finally gave me the OK to use his site as an example.

    You can go to http://www.horizonte.com/en-german-courses/enrolment-for-a-german-course and you'll see it redirect to https://ssl-account.com/horizonte.com/en-german-courses/enrolment-for-a-german-course. Redirects also work when going from HTTPS to HTTP.

  10. Olivier
    Member
    Posted 3 years ago #

    Nice touch for people who can't afford to get their own IP address or who want to have a secure page while their blog is hosted on a WP Network. :)

  11. yur1
    Member
    Posted 3 years ago #

    Hi Mvied,

    I'm also trying to use the Shared SSL option as I run a small club website

    http://mkivc.org.uk/phoenix

    and we don't really want to splash out on our own Cert; plus we'd need to upgrade our hosting to a fixed IP.

    I would like to secure the login page only, just so that login credentials are not interceptable if a User logins via a dodgy network. Not too worried about the rest of the content.

    To this end, I put a link on the site to the login page via our shared SSL host

    https://delta.justhostme.co.uk/~mkivcorg/phoenix/wp-login.php?action=login

    But it appears default Worpress behaviour is to force all links and submits to the main domain

    https://mkivc.org.uk/phoenix ,

    which of course breaks the SSL authentication.

    So I thought your plugin with the Shared SSL option was just what I was looking for.

    But this doesn't seem to be happening i.e the Shared SSL host name is not being automatically prepended to URLS within the page

    I've also enabled "Disable Automatic HTTPS"

    Is this how the plugin is supposed to work and is it possible to do do what I'm trying to do ?

    Many thanks,
    Yuri.

  12. Mvied
    Member
    Plugin Author

    Posted 3 years ago #

    Hey Yur1,

    The plugin cannot do this in its current state, but it most certainly can with modifications.

    I'll work this into the next update, which I'm hoping to get out in the next few days. I'll post in this topic when I push out the new version, and we'll see if it works for you.

    Thanks for downloading!

  13. yur1
    Member
    Posted 3 years ago #

    Ok thanks Mvied, I look forward to your mods.

    But I'm still wondering how the horizonte site achieved the redirect on that specific page, as that seems to have the correct urls for the Shared SSL host ??

    They also have normal non-https pages, so that method would probably work for me too.

    Many thanks,
    Yuri.

  14. Mvied
    Member
    Plugin Author

    Posted 3 years ago #

    Hey Yuri,

    Horizonte used the 'Shared SSL' option. In your cause, you would enable that option and type 'https://delta.justhostme.co.uk/~mkivcorg/phoenix' for your 'Shared SSL Host'.

    However, this will only work for forcing pages and posts to SSL, not necessarily login pages and such. That's why I need to add some functionality to the plugin.

    Thanks,
    Mike

  15. yur1
    Member
    Posted 3 years ago #

    Thanks for your advice Mvied.

    As it happens I'm now using the Admin-SSL plugin to do exactly what was required, w.r.t. Shared SSL.

    Many thanks,
    Yuri.

  16. Mvied
    Member
    Plugin Author

    Posted 3 years ago #

    Awesome!

    I'll still be adding it the same functionality to mine here shortly. No reason not to since it's not that big of a modification, and it makes the plugin more useful. Thanks!

  17. fwchapman
    Member
    Posted 3 years ago #

    Hi Mike,

    I am trying to use your plugin with a shared SSL certificate on a WordPress website hosted by InMotion Hosting. Unfortunately, neither the login page nor the administrative pages are using HTTPS. Will the new version of your plugin provide this functionality?

    By the way, I found a small mistake in the installation instructions. Step 1 says to "Upload wordpress-https.php to the /wp-content/plugins/ directory." It should say to upload the "wordpress-https directory" (not just the PHP file) to the plugins directory.

    Thanks for all your hard work on this plugin! I hope it can do what I need so that my clients and I won't have to pay more $$$ for dedicated SSL certificates.

    All the best,

    Fred Chapman

  18. fwchapman
    Member
    Posted 3 years ago #

    P.S. I tested the plugin using three different browsers: Chrome, Firefox, and Internet Explorer. None of them used HTTPS for login/admin pages.

  19. Mvied
    Member
    Plugin Author

    Posted 3 years ago #

    Hey Fred,

    Have you tried setting the global variable FORCE_SSL_ADMIN to true in the wp-config.php file? (How to) When you do that and try to go to your admin panel, does it try to redirect to just https://yourdomain.com or your Shared SSL URL? Ideally, I want to find that redirect and change it if it doesn't redirect to the Shared SSL URL.

    I actually don't have a Shared SSL to test this functionality out, it's all kind of guesswork from user feedback, haha. One user did let me use their server for a while, which was helpful. :)

  20. fwchapman
    Member
    Posted 3 years ago #

    Hi Mike,

    Thanks for your speedy reply! I put these two lines in my wp-config.php file:

    define('FORCE_SSL_LOGIN', true);
    define('FORCE_SSL_ADMIN', true);

    When I go to login, it still uses plain old HTTP. When I access my admin panel, it again uses plain old HTTP. It never tries to redirect to anything. In fact, none of the SSL/HTTPS plugins I've tried seem to work with shared SSL.

    I checked the Shared SSL box in your plugin and entered the secure URL. For InMotion Hosting, it has the form:

    https://secureNN.inmotionhosting.com/~USERNAME

    where NN is the server number and USERNAME identifies the account.

    Since I posted my question, I've done a lot of shopping around for SSL certificates. Comodo sells SSL certificates with 1024-bit public keys and 256-bit session keys for only $10/year. A cryptography expert I know confirms that 1024-bit RSA can still be considered secure for a few more years, despite the recent hype to the contrary. (Tampering with the power supply to induce and exploit hardware faults can hardly be considered a realistic scenario in any good commercial data center.)

    At $10/year, anyone can afford to get a dedicated SSL certificate. A secure URL based on the domain name looks more professional, and that inspires confidence in customers. I think it's well worth the money!

    Fred

  21. fwchapman
    Member
    Posted 3 years ago #

    P.S. You can purchase a PositiveSSL certificate from Comodo here:

    http://www.positivessl.com/ssl-certificate-products/ssl/ssl-certificate-positivessl.html

  22. fwchapman
    Member
    Posted 3 years ago #

    P.P.S. You can try a PositiveSSL certificate for FREE for 30 days here:

    http://www.positivessl.com/ssl-certificate-products/free-ssl-certificate.html

  23. Mvied
    Member
    Plugin Author

    Posted 3 years ago #

    Hey Fred,

    I agree about SSL certificates. I don't think $10 a year is much to ask, but this feature is requested, so I must give the people what they want. :)

    I'll need more time to look into how to best accomplish the admin panel redirect to a Shared SSL. I could do it quick and dirty, but I want to do it the right way. I'll update the thread when I know more.

    Thanks,
    Mike

  24. Mvied
    Member
    Plugin Author

    Posted 2 years ago #

    In version 1.9, the ability to login to the admin panel via Shared SSL has been added.

  25. fwchapman
    Member
    Posted 2 years ago #

    Mike,

    Thanks for the new feature! That should help a lot of people, especially those who just want a cheap, easy, secure way to maintain their WP sites.

    Fred

  26. Josh68
    Member
    Posted 2 years ago #

    Sorry if this is answered somewhere else, or if I'm just being a numbskull, but should it be possible with the Shared SSL setting enabled to redirect a single page within your site? I know that I have my base URL set to my non-secure, paid domain name in several places (eg, in WP settings and elsewhere in the DB), and therefore I don't want to simply change all of my settings to my host's secure URL, but I can only navigate to my site's homepage and wp-admin using the https URL - none of the subpages work (I get 404s). The plugin does seem to work properly, though, by just redirecting at the page level.

  27. Mvied
    Member
    Plugin Author

    Posted 2 years ago #

    Hey Josh68,

    Some Shared SSL hosts have issues with custom permalink structures. Try setting your permalinks to the default and see if that fixes it.

    Thanks,
    Mike

  28. Josh68
    Member
    Posted 2 years ago #

    Thanks. I'll have to determine whether that will mess up anything else for me. I'm beginning to think I should just get my client to purchase a private ssl cert, which I hope would avoid those problems.

  29. fwchapman
    Member
    Posted 2 years ago #

    I just reread some of this thread and wanted to add a couple new thoughts:

    Comodo's Positive SSL certificates now use 2048-bit RSA public keys, which are much more secure than 1024-bit keys.

    I noticed a very important point in the WordPress documentation about where to put these lines in the wp-config.php file:

    define('FORCE_SSL_LOGIN', true);
    define('FORCE_SSL_ADMIN', true);

    The WordPress codex says (with boldfacing added by me):

    The constant FORCE_SSL_LOGIN can be set to true to force all logins to happen over SSL. This (and all other such definitions) must be placed before

    /* That's all, stop editing! Happy blogging. */
    ...
    require_once(ABSPATH . 'wp-settings.php');

    in the file, otherwise they will not take effect.

    I think this point is worth emphasizing since it's not obvious from the comments included in the wp-config.php file.

    Best wishes,

    Fred

  30. Mvied
    Member
    Plugin Author

    Posted 2 years ago #

    I'm pretty sure that's why it says "/* That's all, stop editing! Happy blogging. */". Lol.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic