Technology Solutions for Everyday Folks
Gif of lock tumbler mechanism

Let's Expand Encryption!

This weekend I performed the quarterly actions to update my various letsencrypt certificates, which I've not written about since early May when I'd performed the first set of renewals. Let's Encrypt and SSL For Free are still outstanding services, and I'm super happy with them!

Time for Certificate Expansion

I've been using the aforementioned services for only a small handful of domains and key variations thereof. I had some time and ambition, so I decided to expand the number of domains covered. Since the creation and renewal process is so straightforward, adding a few minutes of effort each quarter isn't a big deal for me. So six additional domains were added to the mix.

This exercise provides me an opportunity to write about it so the next time I don't have to scour the Internet...

Drupal Expansions

The SSL business itself is all handled at a very different layer, but since I expanded the number of domains it was time to refresh the list of domains in the Drupal trusted host list. The setting for 'trusted_host_patterns' lives in settings.php and would look like this:

$settings['trusted_host_patterns'] = array(
  '^domain1\.com$',
  '^.+\.domain1\.com$',
  '^domain1\.net$',
  '^.+\.domain1\.net$',
  '^domain1\.org$',
  '^.+\.domain1\.org$',
  '^domain2\.com$',
  '^.+\.domain2\.com$',
  '^domain2\.net$',
  '^.+\.domain2\.net$',
  '^domain2\.org$',
  '^.+\.domain2\.org$',
  '^domain3\.com$',
  '^.+\.domain3\.com$',
);

To "force" SSL in Drupal (or other platforms as appropriate), you'd use the following in an .htaccess file (in/among other rewrite rules):

 # Force SSL:
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Wordpress Expansions

I don't personally use Wordpress, but one of the sites in the expansion does. It was time to do some minor configurations. Within the admin settings, there are options to set the base host...which is where the normal folk would change http:// to https://. That doesn't however, force Wordpress (or Apache, really) to use SSL. We do similar things in the wp-config.php file:

/** Force HTTPS for Admin */
define('FORCE_SSL_ADMIN', true);

Similarly, to "force" SSL in Wordpress adding this little nugget in/among other rewrite rules in .htaccess will force SSL:

RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Other Takeaways

It's super simple and easy to enable SSL for your sites, even if you don't have "someone" to do it automatically. Ideally, my inner unicorn would prefer to use nearly identical rules for Apache with Drupal and Wordpress. The examples above are not that, but I have the Internet to thank. Perhaps in a test instance I'll try fiddling with the rules to make them as common as possible without breaking functionality...what could possibly go wrong!

Headline image via giphy