Running a Secure Website on Pantheon

Apr 15, 2013

A couple of months ago I wrote about my hosting experience with Pantheon. Today I'd like to follow up with my experience setting up SSL on Pantheon. Disclaimer: I am in no way associated with Pantheon, I just believe that they are providing the best Drupal hosting experience there is!

You can find bits and pieces of the below on various websites. This post fits them all together as one continuous piece.

Running a website with SSL (Secure Sockets Layer), using a URL that starts with https://, means that the browser and the server communicate using encryption and that the server's identity is verified. For this to work we need to install an SSL certificate on the server.

An SSL certificate is a file containing the "identity" of your domain, digitally signed by the issuer. When a browser requests a page with an https:// prefix, the certificate is used to prove the website's authenticity to the browser. If that check fails, the browser displays a security warning.

We can get an SSL certificate from a variety of issuers, but the cost varies dramatically and the process of obtaining one can be cumbersome. I will use RapidSSL because it is cheap and easy to get.

Before we can get a certificate we need a Certificate Signing Request (CSR). A CSR contains all the information that will be included in your certificate, such as your organization name and your domain name. It also contains the public half of an RSA key (RSA stands for the initials of the surnames of Ron Rivest, Adi Shamir and Len Adleman, the inventors of this cryptographic algorithm).

Generating an RSA key and a CSR is straightforward. We use the wizard at https://www.digicert.com/easy-csr/openssl.htm to get us started. In this wizard we input our info:

  • Common Name: mysecurewebsite.com
  • Organization: My Company Name
  • Department: -
  • City: Palo Alto
  • State: California
  • Country: USA
  • Key Size: 2048

The wizard will generate this command which we will paste into our command line terminal:

MyMac:~ $ openssl req -new -newkey rsa:2048 -nodes -out mysecurewebsite_com.csr -keyout mysecurewebsite_com.key -subj '/C=US/ST=CA/L=Palo Alto/O=My Company Name/CN=mysecurewebsite.com'

This command will result in:

Generating a 2048 bit RSA private key
............................+++
...............................................................+++
writing new private key to 'mysecurewebsite_com.key'
-----

Now we have two files in our home directory:

mysecurewebsite_com.csr
mysecurewebsite_com.key

Now we are ready to get our SSL certificate from: http://www.rapidssl.com

The certificate process includes an email verification with the domain owner. Once the domain owner has been verified, the certificate will be issued. Together with the CSR and key we generated, we end up with four code blocks which must be copied and pasted into the appropriate fields of the hosting site.

The CSR:

-----BEGIN CERTIFICATE REQUEST-----
MIICyDCCAbACAQAwgYIxCzAJBgNVBAY..........
-----END CERTIFICATE REQUEST-----

The Key:

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAkpmaUo1ON........
-----END RSA PRIVATE KEY-----

Web Server CERTIFICATE:

-----BEGIN CERTIFICATE-----
MIIFODCCBCCgAwIB.......
-----END CERTIFICATE-----

INTERMEDIATE CA:

-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAw.......
-----END CERTIFICATE-----
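Before pasting those blocks into Pantheon it is worth checking that the key and the CSR really belong together, that the CSR's signature is valid and that it carries the expected Common Name; the same modulus comparison applies to the issued certificate once it arrives. The script below is an added example, not part of the original post; it assumes the openssl command-line tool is installed and reuses the post's file names and subject.

```shell
#!/bin/sh
# Added example: generate the key and CSR exactly as the post does, then verify
# them before anything is uploaded. Assumes the openssl CLI is on the PATH.

# Generate a 2048-bit RSA key (unencrypted, as with the post's -nodes) and a CSR.
# $1 = subject string, $2 = base file name (creates $2.key and $2.csr).
gen_csr() {
  subj="$1"; base="$2"
  openssl req -new -newkey rsa:2048 -nodes \
    -out "$base.csr" -keyout "$base.key" -subj "$subj" 2>/dev/null
  chmod 600 "$base.key"   # the private key must stay readable only by you
}

# Print a SHA-256 digest of the RSA modulus found in a key, CSR or certificate.
# $1 = key | csr | crt, $2 = file. Equal digests mean the files share one key pair.
modulus_digest() {
  kind="$1"; file="$2"
  case "$kind" in
    key) openssl rsa  -noout -modulus -in "$file" ;;
    csr) openssl req  -noout -modulus -in "$file" ;;
    crt) openssl x509 -noout -modulus -in "$file" ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Check a CSR against its key: valid self-signature, expected CN, matching modulus.
# $1 = base file name, $2 = expected Common Name. Prints "ok" or the failure reason.
check_csr() {
  base="$1"; want_cn="$2"
  openssl req -noout -verify -in "$base.csr" >/dev/null 2>&1 \
    || { echo "csr signature invalid"; return 1; }
  # Handles both "CN = x" (OpenSSL 1.1+) and "/CN=x" (OpenSSL 1.0) subject output.
  cn=$(openssl req -noout -subject -in "$base.csr" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
  [ "$cn" = "$want_cn" ] || { echo "unexpected CN: $cn"; return 1; }
  [ "$(modulus_digest key "$base.key")" = "$(modulus_digest csr "$base.csr")" ] \
    || { echo "key does not match csr"; return 1; }
  echo ok
}
```

Once the issued certificate is saved, `modulus_digest crt mysecurewebsite_com.crt` must print the same digest as the key and CSR, otherwise the certificate was issued for a different CSR.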

Now we can complete our setup on the Pantheon website. Their support documentation describes this very well here.

After we have completed the setup, our site is available at https://live.mysecurewebsite.gotpantheon.com.

The last thing we need to do is add our domain name www.mysecurewebsite.com. We are following the instructions here.

Almost done.

One last thing we need to do is to redirect incoming requests to our domain. I need to add this snippet to my settings.php file:

// Only enforce the canonical https:// host in the Live environment.
if (isset($_SERVER['PANTHEON_ENVIRONMENT']) && $_SERVER['PANTHEON_ENVIRONMENT'] === 'live') {
  if ($_SERVER['HTTP_HOST'] == 'mysecuresite.com' ||
      $_SERVER['HTTP_HOST'] == 'live.mysecuresite.gotpantheon.com' ||
      !isset($_SERVER['HTTP_X_SSL']) ||
      $_SERVER['HTTP_X_SSL'] != 'ON') {
    // Wrong host or plain HTTP: redirect permanently to the https:// www host,
    // keeping the requested path and query string.
    header('HTTP/1.0 301 Moved Permanently');
    header('Location: https://www.mysecuresite.com' . $_SERVER['REQUEST_URI']);
    exit();
  }
  else {
    // This is required by some Drupal modules that are Apache-centric.
    $_SERVER['HTTPS'] = 'on';
  }
}

You can read more about redirecting incoming requests on Pantheon here.

That wasn't too bad, was it?
