Benefit of a Properly-Installed SSL Certificate
Right from the start, we are going to break out the soap box. Encryption is good. It will help to protect your website from those shady characters who sit across from you at Starbucks with their WiFi password sniffers. Given the rise in cell phone use, it is also a good idea to plan for the unencrypted air waves those signals traverse.
To put it simply: It is way too easy to steal passwords and other sensitive information.
The most wide-spread method of protecting this data involves the use of SSL certificates to encrypt connections to the server. Over the past few years various people have taken different positions on exactly what should and what should not be encrypted.
One of the oldest configuration choices involves encrypting password and credit card forms, but leaving the rest of the site unencrypted. This results in faster page requests while securing the critical data.
Other people do not want to waste resources on whatever pages the search engines can see, but they do want to encrypt their members-only area.
With more people getting faster computers and speedier internet, some server administrators are choosing to route all requests through SSL. There are a number of tech-savvy users who are beginning to demand SSL from their favorite sites. Facebook, Google, Wikipedia and many others have obliged.
Building on this, there has been a new web standard proposed called the "HTTP Strict Transport Security." Under HSTS, the server will direct all connections to use SSL. After the connection is encrypted, a special header is sent back with each page which instructs the browser to automatically use SSL for future connections. This means that if "example.com" were using HSTS and a returning visitor types in "example.com" one hour from now, the browser will automatically turn that into "https://example.com" before it even connects to the server.
We like HSTS and several large companies (like PayPal) have already implemented it. At the same time we realize that there are valid reasons to use lower security models. We cannot install the SSL certificate for you, but we have created this ExpressionEngine extension to make your site management easier.
Extension Settings
After you enable the Force SSL extension, you should visit its settings page. We try to automatically detect whether your SSL certificate has been installed correctly.
Successful SSL Detection
If the code is able to detect a valid SSL certificate installation, you will be greeted with a success message. Choose your preferred SSL usage model, save the settings, and you are on your way.
Unsuccessful Detection
If the detection is not successful, you will be directed to manually verify your SSL certificate installation with the help of SSL Labs or SSL Shopper. Both are free services and this is especially important if you wish to use HSTS, as an invalid certificate can lock you out of your site.
In some situations an outdated installation of Windows or Linux on your server may cause the detection to fail. This is not a serious issue but you should verify your installation as a precaution. Once the extension is activated, you will not see any warning messages about this.
After you have verified your certificate installation, please click on "Show Advanced Settings" and check the "Active" checkbox. Save the settings and you should be good to go.
Advanced Settings
Active
You can turn this module on and off through the use of the "Active" checkbox. This also hides any warning notices that may appear.
Default: On, if the SSL certificate can be detected.
Deny Unencrypted Form Submissions
When this mode is active, any attempt to POST data to the unencrypted website will be rejected with an error page. This is useful for verifying the security of your site but it may conflict with other add-ons. Enable with caution.
Default: Off.
Tamper with Theme and CP URLs
If tampering is enabled, we may rewrite the Site URL, Control Panel URL, and Theme URL to prevent HTTPS pages from requesting CSS and JS files via HTTP. The exact settings that are overwritten depend on the SSL mode selected.
Two types of operation are permitted: Absolute URLs and Automatic. Absolute is friendlier for older web browsers and Internet Explorer. On websites where the user shifts between HTTPS and HTTP connections, "Automatic" may provide a better caching experience.
Default: Absolute URLs.
HTTPS Port
Virtually all web servers use port 443 for encryption. In rare cases the SSL certificate will be installed on another port. If you do not know what this is, it can be safely ignored.
Default: 443.
Plugin Tags
{ exp:force_ssl}
In the event that you want to manually specify that a certain template always use SSL, all you have to do is use one template tag:
{exp:force_ssl}
It accepts no parameters. If you specified an SSL port other than 443 in the Extension Settings, that will be detected and used.
NOTE: If all you want is a plugin tag, you may be interested in the free plugin by Darren Miller, DM Force SSL. It is no longer under active development and requires configuration to be added to your config.php file. Our code is not related to his in any way except outcome.
{ exp:force_ssl:restore}
If you wish to prevent a template from being viewed over SSL, you can use this tag:
{exp:force_ssl:restore}
NOTE: Do not use this tag while "Automatically Force SSL" is set to "All" or "Full HSTS Mode." You will experience an infinite loop as the website attempts to follow both commands.
{ exp:force_ssl:proto}
This is a simple tag that spits out "http" or "https" depending on which protocol is currently in use.
<script type="text/javascript" src="{exp:force_ssl:proto}://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
{ exp:force_ssl:rewrite}
We also provide a tag pair to allow quick conversion when a bunch of external URLs are present. Simply wrap the relevant HTML code inside this tag pair:
{exp:force_ssl:rewrite}...{/exp:force_ssl:rewrite}