As part of today’s admin track at WordCamp San Diego, I delivered a talk titled “Getting Started with SSL.” My intent was to demystify the terminology and process involved with securely delivering traffic. I described my talk this way:
Revelations like Edward Snowden’s about NSA spying, and Google’s announcement that it will begin considering a site’s HTTPS status in its rankings, led to a lot of talk about moving websites to secure connections. Similarly, the rise in ecommerce, and the simplicity with which one can accept payments online, has increased the need for sites to be available securely. With so much terminology that’s likely new, often very similar, and rarely more than a stream of initialisms, this entire discussion can be very intimidating. I’ll clarify basic terminology, offer some reasons why it’s worthwhile to secure a site whenever possible, and share several solutions to cover everything from simple to enterprise needs.
While securing a site can be intimidating at first, the recent introduction of Let’s Encrypt (https://letsencrypt.org/) significantly simplifies the process for most sites. Many hosts have introduced support for this service, which I’ll discuss before delving into options for sites and circumstances that aren’t suited to Let’s Encrypt.
The slides from my talk are embedded below:
The slides are also available at https://slides.e15r.co/wcsd-getting-started-ssl/.
Additionally, here are several resources that I shared during the talk:
- SSL test from Qualys: https://www.ssllabs.com/ssltest/index.html
- Command-line SSL tests: https://testssl.sh/
- Common SSL command-line interactions: https://www.sslshopper.com/article-most-common-openssl-commands.html
Lastly, I’ve written several posts about SSL and my experience securing this site:
- Automatically renewing a lot of Let’s Encrypt certificates
- Ensuring encrypted web traffic with Strict Transport Security headers (HSTS)
- Creating Public Key Pinning headers (HPKP)
- Economically monitoring SSL certificate expiration
- External tools for checking my configurations
- nginx header inconsistency, aka setting headers all the way down
For everything I’ve written on the subject, check out http://ethitter.com/tag/ssl/.
Hi Erick,
Last weekend I watched your presentation at WordCamp San Diego 2016 about SSL and enabling it just for the admin side.
It is exactly what I am trying to do on my website, but it gets into an endless loop whenever I set it up.
My question for you is, have you ever done the setup on an environment with Load Balancer + Nginx (as a proxy) + Apache?
For me it seems like the issue is in the Apache portion of the scenario.
Thank you, and great presentation and topic!
Thanks for coming to my talk!
Based on what you’ve described, I’d check on two things. First, ensure that the load balancer is sending the X-Forwarded-Proto header to the Apache server, and that WordPress is respecting that header. Otherwise, WordPress has no idea if the connection was secure or not, which is likely contributing to the loop. From the Codex page linked below:
Second, check that the constant FORCE_SSL_ADMIN is defined true, as this is key to WordPress knowing which parts of the site are SSL-only and which should be available over HTTP.
There’s more about securing the WordPress admin at https://codex.wordpress.org/Administration_Over_SSL.
(Aside, hopefully Apache is listening for both secure and non-secure traffic already; doing so ensures that communications are secured from the end-user all the way to the application layer, and makes things easier to deal with in WordPress as it can handle switching between protocols, rather than relying on the load balancer to rewrite requests.)
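As an added example (not code from the post, the commenter, or the WordPress Codex), here is what those two checks look like together in wp-config.php for a load balancer that terminates TLS and forwards to Nginx and then Apache. The proxy address in $trusted_proxies is an assumed placeholder.

```php
<?php
// Added example for the scenario discussed above: TLS terminated at a load
// balancer, WordPress behind Nginx and Apache, admin forced onto HTTPS.
// Place this above the "That's all, stop editing!" line in wp-config.php.

// Assumed placeholder: the address(es) from which proxied requests arrive.
// Apache sees its immediate upstream (Nginx in this setup) as REMOTE_ADDR
// unless mod_remoteip has already rewritten it to the real client address.
$trusted_proxies = array( '10.0.0.10' );

// Honour X-Forwarded-Proto only for requests that really came through the
// proxy chain; a client reaching Apache directly could otherwise set the
// header itself and make WordPress believe a plain HTTP request was secure.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
	&& in_array( $_SERVER['REMOTE_ADDR'], $trusted_proxies, true )
	&& 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
	// WordPress's is_ssl() looks at $_SERVER['HTTPS'], so set it the way
	// Apache would if it had terminated TLS itself.
	$_SERVER['HTTPS'] = 'on';
}

// Require HTTPS for wp-login.php and the whole admin area. If is_ssl()
// returns false here because the header above was never translated, the
// admin redirects http -> https, the proxy presents it as http again, and
// the browser is sent around the loop the commenter describes.
define( 'FORCE_SSL_ADMIN', true );
```

The order matters: the $_SERVER['HTTPS'] translation must run before WordPress loads, which is why it lives in wp-config.php rather than in a plugin, and FORCE_SSL_ADMIN has to be defined before wp-settings.php is required. If the load balancer is the only thing that can reach Apache, the $trusted_proxies check can be dropped, but keeping it documents the trust boundary the header relies on.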
Thank you very much Erick!…
I am checking my load balancer settings and will get back to you here to close this question.
The video is now available from WordPress.tv: