It is easy to run ExSite on a secure server. This document
explains some of the setup issues you may need to understand. (It
only covers configuration of ExSite; you will need to consult
other documentation for information on obtaining SSL certificates and
installing them on your server, and configuring Apache to use them.)
If your website only runs from https:
This is the easiest option, since there is nothing special that you
need to do to configure ExSite. It will auto-configure itself to
the address used to access it, and will automatically use the secure
server.
If your website runs from both http: and https:
In this scenario, you want all of your URLs to be accessible from both
secure and insecure addresses. The server setup is
straightforward: simply set up both the secure site and the
regular site to serve from the same directories. If that is all
you do, then the system will autoconfigure itself to the address used
to access it, and will remain in that mode during the user's visit.
Usually, however, you want the user to find their way into the site
even if they use an insecure URL, but you want all further
communications with the user to be securely encrypted. This
requires a few extra configuration steps. First, disable
autoconfiguration entirely:
    server.auto = 0
Without autoconfiguration, you need to manually specify your server name, protocol, and disk paths:
    server.protocol = https
    server.host = www
    server.domain = foo.org
    server.HTMLpath =
    server.HTMLroot = /home/foo/html
    server.CGIpath = /cgi
    server.CGIroot = /home/foo/cgi
Finally, disable relative page URLs, to force the full server info to be included in each link:
    page.relative_static_url = 0
    page.relative_dynamic_url = 0
The effect of these changes is that every page URL generated by ExSite
will be fully qualified and, because of the manual configuration, will
point to the secure pages.
Mixing secure and insecure sites together
If you serve multiple hosts and domains from the same installation, you can in principle mix secure and insecure sites together.
If the root section is secure, follow the instructions above to get it
set up. Insecure sub-sections should be set up as standalone
websites.
If the root section is insecure, but a subsection is secure, then
configure the subsection as a standalone website. You will need
to specify its base URL (include the "https:") and documents directory
in the Configure Section screen.
If you create a secure subsection of an insecure parent section, you
may run into minor problems if you inherit content from the insecure
section. For example, if the secure site inherits parts of its
template from the insecure parent, that means that some elements of the
graphic design may be addressed using insecure URLs. This is
rarely a real security concern, but it can nevertheless cause browsers
to display alarming security messages that will disconcert casual users
of your site. In that case, it may be worthwhile to keep your
templates entirely within the secure subsection.
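One way to check a rendered page for the two problems described above: template elements fetched over insecure URLs, and same-site links that take the user back out of https. This is an added example, not part of ExSite; the page URL, paths and HTML are constructed sample values, and the function and class names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch something while rendering.
# Simplification: every <link href> is treated as a fetch, whatever its rel.
SUBRESOURCES = {("img", "src"), ("script", "src"), ("iframe", "src"),
                ("link", "href"), ("input", "src"), ("source", "src")}
# Tag/attribute pairs that navigate the user to another URL.
NAVIGATION = {("a", "href"), ("form", "action")}

class InsecureRefFinder(HTMLParser):
    """Collects http: references found in a page that was served over https."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.host = urlsplit(page_url).hostname
        self.mixed = []       # insecure subresources (cause browser warnings)
        self.downgrades = []  # same-host links/forms that leave https

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            # Resolve relative and protocol-relative URLs against the page.
            url = urlsplit(urljoin(self.page_url, value.strip()))
            if url.scheme != "http":
                continue
            if (tag, name) in SUBRESOURCES:
                self.mixed.append((tag, url.geturl()))
            elif (tag, name) in NAVIGATION and url.hostname == self.host:
                self.downgrades.append((tag, url.geturl()))

def audit(page_url, html):
    """Return (mixed_content, downgrade_links) for one rendered page."""
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.mixed, finder.downgrades

# Constructed sample: a secure page whose inherited template still carries
# absolute http: URLs from the insecure parent section.
PAGE_URL = "https://www.foo.org/members/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.foo.org/design/main.css">
<script src="/js/menu.js"></script></head><body>
<img src="http://www.foo.org/design/logo.png" alt="logo">
<img src="//www.foo.org/design/banner.png" alt="banner">
<a href="http://www.foo.org/cgi/login">Log in</a>
<a href="https://www.foo.org/contact.html">Contact</a>
<a href="http://example.com/">Elsewhere</a></body></html>"""

if __name__ == "__main__":
    print(audit(PAGE_URL, SAMPLE_HTML))
```

Relative and protocol-relative references resolve to https and are not reported; links to other hosts are ignored because they are outside the site's configuration.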