SSL on RCI/Eden

Overview

SSL is available for all to use on RCI and Eden. This document explains what SSL is and how to take advantage of it. It also includes some PHP code which you can include in any page in order to force your RCI/Eden site to use SSL (i.e. even if the user types http://yoursite, they will be redirected automatically to https://yoursite). The example code is in use on this site: you can test it by changing the URL of this site to "http" and pressing enter. You should see it go back to "https".

For those new to SSL

In a nutshell, SSL is a module that allows Apache (the web server RCI/Eden uses) to use the 'https' protocol, as opposed to the 'http' protocol. 'https' is a secure version of 'http'. 'http' sends data over the web unencrypted, so if I intercepted the data as it traveled over 'http' I could read it. 'https' encrypts the data before sending it, so if I intercepted the data as it traveled over 'https', I would have to break the encryption before I could read it. Breaking the encryption is difficult, even with a supercomputer, so if you are sending sensitive information over the web you should use 'https'. Remember that this is a way to transmit sensitive data; OIT does not encourage you to store sensitive data on RCI or Eden. For more information see the SSL-Certificates-HOWTO.

Using SSL on RCI/Eden

RCI/Eden have the SSL module installed so that any user can use the 'https' protocol. To use SSL for a site of the form:
http://www.eden.rutgers.edu/~username

all you have to do is change the protocol in the URL to:

https://www.eden.rutgers.edu/~username

Note the s in 'https'. It is that simple. A certificate for www.rci.rutgers.edu and www.eden.rutgers.edu already exists, so any page on RCI or Eden whose URL contains ~username can use that certificate.

However, it is not this simple for virtual hosts. Certificates are issued on a per-URL basis. If your site is on a become account called become, then you can reach your site by going to

example 1: http://www.rci.rutgers.edu/~become/

You can also set up a virtual host for your become account, so that your site has a more user-friendly name:

example 2: http://become.rutgers.edu/

You can only use RCI's certificate for sites that follow example 1 above, since RCI's certificate requires the URL to contain "www.rci.rutgers.edu". The same is true for Eden. There are procedures for getting an SSL certificate from NBCS here, but these procedures are not yet oriented to using those certificates on the RCI or Eden web servers. There is currently no procedure for getting a certificate for RCI and Eden virtual hosts. When a procedure is available it will be posted on this site, but the current lack of certificates for virtual hosts is not as limiting as it sounds. You only need SSL when your users are filling in an online form; the rest of your site should not need SSL. Therefore, when you use an online form, link to the form with a URL of the form https://www.rci.rutgers.edu/~become, but make the URLs for the rest of your site use the virtual host.

NOTE: You should only use SSL if you are requesting sensitive data through an online form. There is no need to use it for your entire website. Using SSL when it is not needed will put more load on the server and make your site run more slowly. Please only use it when it is necessary.

Redirecting 'http' sites to 'https' sites

The rest of this document discusses some PHP code which you can include in your site in order to be sure that the people who come to your site are using SSL.
It is important to do this, since someone could accidentally transmit sensitive data over 'http' using your form unless you prevent it. If you don't know PHP, there is an introductory tutorial here.

This code relies on special variables that PHP reserves which describe the protocol being used. If the $SSL_PROTOCOL variable is empty, then the client viewing your site is not using SSL. From this fact we can define the following algorithm: if the $SSL_PROTOCOL variable is empty, redirect the user accordingly.

To see a demo of some code that uses the above algorithm see: http://www.rci.rutgers.edu/ssl/demo.php

You can see demo.php's code by clicking here. Note that the ask_them() function was called for demo purposes. It is up to you whether you want to ask the user to move to your secure site or move them automatically; you can do either by calling the ask_them() or move_them() function. Here is some generic code which you can include (with the following include statement) in all of the pages that need to be secure:

<?php include "ssl_only.php"; ?>

Disclaimer: this code is intended for use on RCI/Eden

This document is oriented towards using SSL on RCI/Eden, i.e. systems where root doesn't have the resources to edit httpd.conf for every user. If you are interested in forcing 'https' on a system that you administer, you can edit your httpd.conf file instead of using this code. Doing this is highly recommended, especially if you want to secure web scripts that send raw headers, which might conflict with some of the options available in the code offered in this document. For example, if you want to force a redirect to 'https' for a virtual host on your system, you could add a stanza like the following to your httpd.conf:
# X is your virtual host's IP address (Apache does not allow comments on the same line as a directive)
<VirtualHost X>
    ServerAdmin webmaster@host.rutgers.edu
    ServerName your_v_host.rutgers.edu
    # The trailing slash matters: without it, /page becomes https://your_v_host.rutgers.edupage
    Redirect permanent / https://your_v_host.rutgers.edu/
</VirtualHost>
For more information about configuring your Apache web server see this. If you have any further questions about using SSL on RCI/Eden please send them to webmaster@nbcs.rutgers.edu.
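The following is an added example of what an ssl_only.php include built on the algorithm above could look like; it is not the demo.php or ssl_only.php from this site, and the bodies of ask_them() and move_them() are this example's own, although the function names follow the text. It assumes a PHP build without register_globals, so the mod_ssl variable the text calls $SSL_PROTOCOL is read as $_SERVER['SSL_PROTOCOL'] (alongside the $_SERVER['HTTPS'] flag PHP sets under Apache), and it assumes the host names with certificates are the two named on this page (the SSL_HOSTS constant, which you would adjust for your own server). The allow-list is the defensive point: a redirect built from the raw Host header would let a forged header pick the destination, and would bounce visitors of a virtual host to a name that has no certificate.

```php
<?php
// ssl_only.php (added example, not the original RCI/Eden code).
// Include it as the very first statement of every page that must be served
// over SSL, before any HTML output or even a leading blank line: the redirect
// is an HTTP header, and headers cannot be sent once output has started.

// Host names that hold a working certificate (the two named on the page; an
// assumption for any other server). Only these are ever used as a redirect
// target, so a forged Host header cannot choose where the visitor is sent.
const SSL_HOSTS = ['www.rci.rutgers.edu', 'www.eden.rutgers.edu'];

// True when the current request already arrived over SSL/TLS. PHP under Apache
// sets $_SERVER['HTTPS']; mod_ssl additionally exposes SSL_PROTOCOL, which is
// the $SSL_PROTOCOL variable of the original text.
function using_ssl(): bool
{
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    return !empty($_SERVER['SSL_PROTOCOL']);
}

// The https:// form of the current URL, or null when the request host is not
// one that has a certificate (a virtual host, for example); the page then has
// to be reached through its ~username URL instead.
function secure_url(): ?string
{
    $host = strtolower($_SERVER['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);   // drop an explicit port
    if (!in_array($host, SSL_HOSTS, true)) {
        return null;
    }
    $path = $_SERVER['REQUEST_URI'] ?? '/';
    if ($path === '' || $path[0] !== '/') {       // accept only a local path
        $path = '/';
    }
    return 'https://' . $host . $path;
}

// Sent when no secure URL exists for this host: refuse rather than serve the
// form over plain http.
function refuse(): void
{
    http_response_code(403);
    echo 'This page is only available over https.';
    exit;
}

// Move the visitor silently: the browser re-requests the same page over SSL.
function move_them(): void
{
    $target = secure_url();
    if ($target === null) {
        refuse();
    }
    header('Location: ' . $target, true, 302);
    exit;
}

// Ask the visitor instead: show a link to the secure copy and stop rendering.
function ask_them(): void
{
    $target = secure_url();
    if ($target === null) {
        refuse();
    }
    $safe = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
    echo '<p>This form transmits sensitive data. Please continue on the secure site: ';
    echo '<a href="' . $safe . '">' . $safe . '</a></p>';
    exit;
}

// The algorithm from the text: if the request is not over SSL, redirect.
// Replace move_them() with ask_them() to let the visitor choose instead.
if (!using_ssl()) {
    move_them();
}
```

Because the include sends a Location header, it conflicts with any script that has already written output or its own raw headers, which is the reason the text recommends the httpd.conf Redirect where you administer the server yourself: the web server then answers before PHP runs at all.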