
Setting up a secure website with SSL

It is easy to run ExSite on a secure server. This document explains some of the setup issues you may need to understand. (It only covers configuration of ExSite; you will need to consult other documentation for information on obtaining SSL certificates and installing them on your server, and configuring Apache to use them.)

If your website only runs from https:

This is the easiest option, since there is nothing special that you need to do to configure ExSite. It will auto-configure itself to the address used to access it, and will automatically use the secure server.

If your website runs from both http: and https:

In this scenario, you want all of your URLs to be accessible from both secure and insecure addresses. The server setup is straightforward: simply set up both the secure site and the regular site to serve from the same directories. If that is all you do, then the system will autoconfigure itself to the address used to access it, and will remain in that mode during the user's visit.

Usually, however, you want the user to find their way into the site even if they use an insecure URL, but you want all further communications with the user to be securely encrypted. This requires a few extra configuration steps. First, disable autoconfiguration entirely:
server.auto = 0
Without autoconfiguration, you need to manually specify your server name, protocol, and disk paths:
server.protocol = https
server.host = www
server.domain = foo.org
server.HTMLpath =
server.HTMLroot = /home/foo/html
server.CGIpath = /cgi
server.CGIroot = /home/foo/cgi
Finally, disable relative page URLs, to force the full server info to be included in each link:
page.relative_static_url = 0
page.relative_dynamic_url = 0
The effect of these changes is that every page URL generated by ExSite will link to a fully-qualified URL, which (because of the manual configuration) will link to the secure pages.
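The settings above only force secure links when all of them are in place, so a quick check of the configuration text is useful after editing it. The following is an added example, not part of ExSite: the function names, the treatment of "#" as a comment marker, and the rule that an unset key counts as a finding are assumptions made for illustration.

```python
# Added example (not ExSite code): audit "key = value" settings for the force-https setup.
REQUIRED = {
    "server.auto": "0",
    "server.protocol": "https",
    "page.relative_static_url": "0",
    "page.relative_dynamic_url": "0",
}
# Assumption: these must be non-empty once autoconfiguration is disabled.
NON_EMPTY = ("server.domain", "server.HTMLroot", "server.CGIroot")

def parse_conf(text):
    """Return {key: value}; later assignments override earlier ones."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit_force_https(text):
    """Return a list of findings; an empty list means every generated link is https."""
    conf = parse_conf(text)
    findings = []
    for key, want in REQUIRED.items():
        got = conf.get(key)
        if got is None:
            findings.append(f"{key} is not set (need {want})")
        elif got.lower() != want:
            findings.append(f"{key} = {got} (need {want})")
    for key in NON_EMPTY:
        if not conf.get(key):
            findings.append(f"{key} must be set when server.auto = 0")
    return findings

# Constructed sample: the settings from this page with two mistakes left in.
SAMPLE = """\
server.auto = 0
server.protocol = http   # constructed mistake
server.domain = foo.org
server.HTMLroot = /home/foo/html
server.CGIroot = /home/foo/cgi
page.relative_static_url = 0
"""

if __name__ == "__main__":
    for finding in audit_force_https(SAMPLE):
        print("FINDING:", finding)
```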

Mixing secure and insecure sites together

If you serve multiple hosts and domains from the same installation, you can in principle mix secure and insecure sites together.

If the root section is secure, follow the instructions above to get it set up. Insecure sub-sections should be set up as standalone websites.

If the root section is insecure, but a subsection is secure, then configure the subsection as a standalone website. You will need to specify its base URL (include the "https:") and documents directory in the Configure Section screen.

If you create a secure subsection of an insecure parent section, you may run into minor problems if you inherit content from the insecure section. For example, if the secure site inherits parts of its template from the insecure parent, that means that some elements of the graphic design may be addressed using insecure URLs. This is rarely a real security concern, but it can nevertheless cause browsers to display alarming security messages that will disconcert casual users of your site. In that case, it may be worthwhile to keep your templates entirely within the secure subsection.
