{"id":547056,"date":"2010-04-29T03:00:00","date_gmt":"2010-04-29T07:00:00","guid":{"rendered":"tag:blogger.com,1999:blog-1652419620964346731.post-176519025340391555"},"modified":"2010-04-29T03:00:00","modified_gmt":"2010-04-29T07:00:00","slug":"how-to-force-ssl-using-php","status":"publish","type":"post","link":"https:\/\/mereja.media\/index\/547056","title":{"rendered":"How To Force SSL Using PHP"},"content":{"rendered":"

I mentioned a few days ago using osTicket<\/a>, we have been using it for a while. We also have to make it public facing so our customers can use it, and so we can use it from outside of the office. The problem is that since we are using our AD credentials to login there is a major security concern since by default, osTicket is not encrypted. We opted to use SSL encryption<\/a> on our ticket system. <\/p>\n

No big deal right? Well, we also want to make it so users don\u2019t have to remember to type in the httpS<\/font><\/em><\/strong> <\/font>part in the address. We want them to be able to type support.companydomain.com<\/em><\/strong> and have it automagically go to our ticket system. Likewise, on the admin page we want to make it so that when you go to support.companydomain.com\/admin<\/em><\/strong> it automagically gets SSL encryption too. One way to do it is to drop an index.html file in with a redirect, that works ok too, but what if you want to ensure that if the S<\/font><\/strong> in httpS<\/font><\/em><\/strong> is removed, users still get forced to use SSL without any errors? Well in this case I used a little PHP magic.<\/p>\n

I created a file called encrypt.php<\/em><\/strong> with the following code:<\/p>\n

\n

<?
function secure_page()
{
if ( !isset($_SERVER[‘HTTPS’]) || strtolower($_SERVER[‘HTTPS’]) !== ‘on’ )
{
header (‘Location: <\/font><\/strong>https:\/\/’<\/font><\/a>.$_SERVER[‘HTTP_HOST’].$_SERVER[‘REQUEST_URI’]);
exit();
}
}
secure_page();
?><\/font><\/strong><\/p>\n<\/blockquote>\n

\"php\"<\/a> On any pages where I wanted to ensure SSL, I added the following line:<\/p>\n

\n

require(‘encrypt.php’);<\/font><\/strong><\/p>\n<\/blockquote>\n

Similarly, in our old ticket system (Which we are upgrading today now that Ubuntu 10.04<\/a> is out!) we added a custom reCaptcha<\/a> on the ticket request page. Since we weren’t hosting the reCaptcha ourselves we couldn\u2019t encrypt it with our SSL cert, and users would get prompted if they wanted to display the unsecure items. That confused people, so we wanted to make sure that page was not encrypted with SSL. <\/p>\n

To do that, we did the same as above except this time we created a file called decrypt.php<\/em><\/strong> with the following code:<\/p>\n

\n

<?
function unsecure_page()
{
if ( isset($_SERVER[‘HTTPS’]) || strtolower($_SERVER[‘HTTPS’]) == ‘on’ )
{
header (‘Location: <\/font><\/strong>http:\/\/’<\/font><\/a>.$_SERVER[‘HTTP_HOST’].$_SERVER[‘REQUEST_URI’]);
exit();
}
}
unsecure_page();
?><\/font><\/strong><\/p>\n<\/blockquote>\n

And once again on that page we added the following line:<\/p>\n

\n

require(‘decrypt.php’);<\/font><\/strong><\/p>\n<\/blockquote>\n

Done, now on all the pages we want to be encrypted, it is encrypted, and on the pages we don\u2019t want to encrypt it isn\u2019t. Luckily in the new version of osTicket captcha<\/a> is built in, so I can encrypt all pages without issue. <\/p>\n

In both cases, since we wrote those files we can include them on any page we want, including on our phpMyAdmin<\/a> page! Boom!<\/p>\n

Do you use this method to force SSL on your LAMP<\/a> servers? If not, what do you do? Let us know in the comments.<\/p>\n

Technorati Tags: how to<\/a>,force<\/a>,ssl<\/a>,php<\/a>,apache<\/a>,lamp<\/a><\/div>\n


\n\"Great<\/a><\/center><\/div>\n
\n<\/img><\/a> <\/img><\/a> <\/img><\/a> <\/img><\/a> <\/img><\/a> <\/img><\/a> <\/img><\/a> <\/img><\/a> <\/img><\/a> <\/img><\/a> <\/img><\/a> <\/img><\/a> <\/img><\/a>\n<\/div>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

I mentioned a few days ago using osTicket, we have been using it for a while. We also have to make it public facing so our customers can use it, and so we can use it from outside of the office. The problem is that since we are using our AD credentials to login there […]<\/p>\n","protected":false},"author":1521,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-547056","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/547056","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/users\/1521"}],"replies":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/comments?post=547056"}],"version-history":[{"count":0,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/547056\/revisions"}],"wp:attachment":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/media?parent=547056"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/categories?post=547056"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/tags?post=547056"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}