SSL settings in default


#1

Hi

I run EE very successfully and love to use it. I am having a few issues with SSL certificates and their configs. I am using a StartSSL validated (but not authorised) self-signed certificate, with Cloudflare.

My issue: sites are intermittently redirected to the default server, and I am forced to use “Really Simple SSL” for permanent redirection

My question:

  1. do I need a separate certificate for each sub-site, with Cloudflare Flexible certification?
  2. or should I use “fixed” with 1 certificate per site?
  3. Can I have a single origin-pull cert for my server: ssl_client_certificate /etc/nginx/ssl/cloudflare-origin-pull.crt;
  4. Any suggestions for configs with Cloudflare
  5. Any comments about using StartSSL self-signed certificates? any other suggestions?

Thanks muchly, in advance


#2

Well, this is what I usually do:

a. Generate SSL certificate (self signed)

b. Edit nginx configuration in /etc/nginx/sites-available (example.com), add HTTPS block, restart nginx

c. Go to Cloudflare, choose Full SSL mode

d. Edit Wordpress setting: Settings > General, change all http to https, logout from Wordpress and relogin. This will force Wordpress to works in https connection but http connection still allowed. This is not recommended since Chrome and Firefox may throw mixed content warning.

e. Edit nginx configuration, edit HTTP block, create permanent redirect into HTTPS, restart nginx. This will force any connection fall into https connection. restart nginx

If you have multiple domain then you must generate another SSL certificate for each domain.

If you are talking about multisite Wordpress (the one with subdomains), I guess you must have wildcard SSL certificate but I’m not familiar with this…

*) If you got trouble, say infinite redirect loop, disable point e., edit wp-config.php remove https part, and then use phpmyadmin edit wp_options, change all https into http, then restart nginx


#3

This is exactly what I am looking for - thank you siprof.

Question: I have http block in nginx.conf. Do you duplicate this as https in the site file inside “sites-enabled” folder? Even better - would you post an example?

Really, really appreciate the help!


#4

No need to duplicate or edit nginx.conf, it’s already optimized by easyengine.

All you need is in /etc/nginx/sites-available

The /etc/nginx/sites-enabled is just a shortcut-like (in Linux, they called it symbolic link) to tell nginx which site should be active or not. Type ls -lah in this folder and to see what I mean.

You can create shortcut-like (symbolic link) with this command:

ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

Anyway, this is what my example.com (nginx configuration) look like, located in /etc/nginx/sites-available:

http://pastebin.com/MAhDw9Nq

in this example, my site prefer to use non-www

If you got trouble, disable permanent redirect into HTTPS by commenting it:

return 301 https://example.com$request_uri;

into

#return 301 https://example.com$request_uri;

ps: I edit point b. in my answer before to make it clear


#5

Exactly what I needed - thank you siprof!


#6