How to Force SSL Connections with a Website

You can force visitors to your website to use SSL (HTTPS) connections if your web server runs Apache. Most web hosting providers use Apache for their Linux servers. To automatically redirect visitors to the SSL (HTTPS) version of your website, place the following in a file named .htaccess at the top level of your website directory:

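RewriteEngine On
# Redirect any request that did not arrive over SSL
RewriteCond %{HTTPS} !^on$ [NC]
# "^" matches every request path, including the empty path of the site root
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R]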

Alternatively, you can use this instead:

RewriteEngine On
# Anchor the port so that only 443 counts as SSL (8443, for example, does not)
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.example.com/$1 [L,R]
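
To confirm that either rule set behaves as intended, check the response to a plain HTTP request: it should be a 3xx redirect whose Location is the HTTPS form of the URL that was requested. The script below is an added example, not part of the original post; check_https_redirect is a hypothetical helper name and the three responses are constructed samples.

```sh
#!/bin/sh
# check_https_redirect EXPECTED_URL
# Reads one HTTP response head on stdin (for a live site: the output of
# curl -sI http://your-host/path) and prints a one-word verdict.
check_https_redirect() {
    awk -v want="$1" '
        { sub(/\r$/, "") }                         # header lines end in CRLF
        NR == 1 { status = $2; next }              # e.g. HTTP/1.1 302 Found
        tolower($1) == "location:" { loc = $2 }    # header names are case-insensitive
        END {
            if (status !~ /^30[1278]$/) { print "no-redirect";    exit 1 }
            if (loc !~ /^https:\/\//)   { print "not-https";      exit 1 }
            if (loc != want)            { print "target-changed"; exit 1 }
            print "ok"
        }'
}

# Constructed responses (not captured from a real server).
good='HTTP/1.1 302 Found\r\nLocation: https://www.example.com/login\r\n\r\n'
plain='HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
lost='HTTP/1.1 302 Found\r\nlocation: https://www.example.com/\r\n\r\n'

for sample in "$good" "$plain" "$lost"; do
    # The verdict is printed; the non-zero status is there for use in scripts.
    printf "$sample" | check_https_redirect "https://www.example.com/login" || true
done
```

A "target-changed" verdict means the redirect reached HTTPS but dropped or rewrote the requested path or host, which is worth checking with the second rule set because it always sends visitors to www.example.com.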

PHP Parse error: syntax error, unexpected $end

The following error may appear in your Apache error log file or be displayed on a PHP web page:

Parse Error: syntax error, unexpected $end in ….. scripts.php on line …

If you are running PHP 5, you probably need to enable the PHP configuration file option “short_open_tag”. In your php.ini file, enable the option as follows:

short_open_tag = On

How to Check if an Apache Module Has Been Loaded

Sometimes it is useful in the Apache configuration httpd.conf file to only apply configuration settings if a particular module has already been loaded. Or it is useful to load settings in the event an Apache module has not been loaded. Here is how to handle both cases:

<IfModule module_identifier>
  # do these Apache settings if the module has already been loaded
</IfModule>
<IfModule !module_identifier>
  # do these Apache settings if the module has NOT already been loaded
</IfModule>

Here are some examples:

<IfModule !php5_module>
  # If the PHP5 module has NOT already been loaded, load it
  LoadModule php5_module modules/libphp5.so
</IfModule>
<IfModule php5_module>
  # If the PHP5 module has already been loaded, then do these settings
  AddHandler php5-script .php
  AddType text/html .php
  DirectoryIndex index.php
</IfModule>

The module_identifier argument can be either the module identifier or the file name of the module, at the time it was compiled. For example, rewrite_module is the identifier and mod_rewrite.c is the file name. If a module consists of several source files, use the name of the file containing the string STANDARD20_MODULE_STUFF. You can read more about the <IfModule> Apache directive in the Apache documentation.

How to Install an ipsCA SSL Certificate in OS X

ipsCA is a company that sells SSL certificates. Their SSL certificates are recognized by all the major browsers so you don’t need to worry about manually installing additional Certificate Authority (CA) certificates into your users’ web browsers like you have to do with CA companies whose certificates are not included by default in the major web browsers. What is great about ipsCA is that they offer free 2 year SSL certificates for educational institutions such as Universities. If your domain ends in .edu then you qualify for a free 2 year SSL certificate.

ipsCA certificates are a little unusual in that you need to install two certificates onto your server before it will work. I couldn’t find a documented set of procedures for installing ipsCA certificates on a MacOS X 10.4 server so I wrote some up:

Installing an ipsCA SSL Certificate in OS X 10.4

Generate the CSR

  1. In Server Admin, select the server you would like to secure.
  2. Click “Settings” > “Certificates” tab > “Add(+)” button.
  3. A dialog box will appear to enter your certificate information. Please refer to vs7313 for detailed CSR requirements.
  4. Enter starting and ending validity dates.
  5. Select private key bit length size (1024 is recommended and required for three year certificates)
  6. Enter a passphrase (“password”) for your private key.
    • Apple recommends “use at least 20 characters, include mixed case, numbers and/or punctuation, have no characters repeat, and having no dictionary terms.”
  7. Click “Save”. Now, “Request Signed Certificate From CA” can be selected.
  8. A dialog box will appear. Drag the certificate icon onto your desktop. This will create your CSR file.
  9. Copy and paste the text of the CSR file into the certificate request form on the ipsCA website.
  10. Submit the request and wait for ipsCA’s email response.

Import the Signed Certificate

  1. In Server Admin, select the server the certificate needs to go on.
  2. Click “Settings” > “Certificates” tab
  3. Highlight the certificate the signed certificate corresponds to.
  4. Click the “edit” icon.
  5. Click the “Add Signed Certificate…” button.
  6. Paste the contents of the signed certificate text file you received from ipsCA into the text box that appears. Press OK to import the signed certificate.
  7. Quit and restart the Server Admin app to make sure it refreshes the status of the signed certificate.
  8. When you try to edit the certificate all the fields should be greyed out to indicate the certificate is signed and the import was successful.
  9. You may need to redesignate the newly signed certificate in the web server and/or restart it before Apache will start using the newly signed certificate.

Install the ipsCA Intermediate Certificates

1. Copy the ipsCA intermediate certificates bundle file into the /etc/certificates/ directory on the web server. At the time of this writing this file was named “IPS-IPSCABUNDLE.crt”. The file is available on the ipsCA website.

2. Change the permissions on the certificate bundle to “640”.

  • cd /etc/certificates
  • sudo chmod 640 IPS-IPSCABUNDLE.crt

3. Navigate to the folder /etc/httpd/sites/ and locate the .conf file that corresponds to the SSL virtual host that the certificate belongs to. Usually the .conf file will be named in the format “someNumber_IPAddress_443_fullyQualifiedHostName.conf”.

4. Once you locate the file, open it in a text editor and locate the part of the virtual host section that covers the SSL certificate settings. The section you are looking for will look something like this:

SSLEngine On
SSLLog "/var/log/httpd/ssl_engine_log"
SSLCertificateFile "/etc/certificates/www.foo.com.crt"
SSLCertificateKeyFile "/etc/certificates/www.foo.com.$
SSLCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP$

5. Add the following setting in between the “SSLCertificateKeyFile” and “SSLCipherSuite” settings:

SSLCertificateChainFile /etc/certificates/IPS-IPSCABUNDLE.crt

  • When you are done, the certificate section should look something like this:

SSLEngine On
SSLLog "/var/log/httpd/ssl_engine_log"
SSLCertificateFile "/etc/certificates/www.foo.com.crt"
SSLCertificateKeyFile "/etc/certificates/www.foo.com.$
SSLCertificateChainFile /etc/certificates/IPS-IPSCABUNDLE.crt
SSLCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP$

6. Save your changes and restart the web service. You should now be able to navigate to your SSL website and receive no “invalid” certificate errors. You can test your web server by using the ipsCA test website at: http://certs.ipsca.com/checkserver/
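
The reason the bundle is needed can be reproduced offline with the openssl command-line tool: a certificate signed by an intermediate CA only verifies once that intermediate is supplied alongside it, which is the job SSLCertificateChainFile does for browsers. The script below is an added example, not part of the original procedure; it assumes openssl is installed, and every certificate, name and helper function in it is a constructed stand-in rather than an ipsCA file.

```sh
#!/bin/sh
# Constructed demo: a throwaway root -> intermediate -> server chain. All names
# are made up; bundle.crt plays the role of the CA's intermediate bundle file.

issue() {   # issue NAME CN EXTFILE [ISSUER]; self-signed when ISSUER is omitted
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
    if [ -n "$4" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" \
            -CAcreateserial -days 2 -extfile "$3" -out "$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
            -extfile "$3" -out "$1.crt" 2>/dev/null
    fi
}

build_demo_chain() {   # build_demo_chain DIR: writes root, bundle and server certs
    ( cd "$1" || exit 1
      echo 'basicConstraints=critical,CA:TRUE' > ca.ext
      echo 'basicConstraints=CA:FALSE' > leaf.ext
      issue root   "Demo Root CA"         ca.ext        &&  # trust anchor
      issue bundle "Demo Intermediate CA" ca.ext root   &&  # intermediate bundle
      issue server "www.foo.test"         leaf.ext bundle ) # site certificate
}

chain_ok() {   # chain_ok ROOT LEAF [BUNDLE]; status 0 when a path to ROOT builds
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

demo=$(mktemp -d) && build_demo_chain "$demo" || exit 1
if chain_ok "$demo/root.crt" "$demo/server.crt"; then
    echo "without bundle: chain builds"
else
    echo "without bundle: issuer not found (what a browser sees)"
fi
if chain_ok "$demo/root.crt" "$demo/server.crt" "$demo/bundle.crt"; then
    echo "with bundle: chain builds"
else
    echo "with bundle: chain still broken"
fi
rm -rf "$demo"
```

The same chain_ok call can be pointed at a real site certificate and bundle before restarting the web service, given a copy of the CA's root certificate as the first argument.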
