* [Home](help)
-Disclaimer
----
-**This document has been updated in November 2015.
+## Disclaimer
+
+**This document has been updated in November 2016.
SSL encryption is relevant for security.
This means that recommended settings change fast.
Keep your setup up to date and do not rely on this document being updated as fast as technologies change!**
-Intro
----
+## Intro
+
If you are running your own Friendica site, you may want to use SSL (https) to encrypt communication between servers and between yourself and your server.
There are basically two sorts of SSL certificates: Self-signed certificates and certificates signed by a certificate authority (CA).
There are ways to get a trusted certificate for free.
-Chose your domain name
----
+## Choose your domain name
Your SSL certificate will be valid for a domain or even only for a subdomain.
Make your final decision about your domain resp. subdomain *before* ordering the certificate.
Once you have it, changing the domain name means getting a new certificate.
-Shared hosts
----
+### Shared hosts
If your Friendica instance is running on a shared hosting platform, you should first check with your hosting provider.
They have instructions for you on how to do it there.
You can always order a paid certificate with your provider.
They will either install it for you or provide an easy way to upload the certificate and the key via a web interface.
+With some providers, you have to send them your certificate.
+They need the certificate, the key and the CA's intermediate certificate.
+To be sure, send those three files.
+**You should send them to your provider via an encrypted channel!**
+### Own server
-It might be worth asking if your provider would install a certificate you provide yourself, to save money.
-If so, read on.
-
-Getting a free StartSSL certificate
----
-StartSSL is a certificate authority that issues certificates for free.
-They are valid for a year and are sufficient for our purposes.
-
-### Step 1: Create a client certificate
-
-When you initially sign up with StartSSL, you receive a certificate that is installed in your browser.
-You need it for the login on startssl.com, also when coming back to the site later.
-It has nothing to do with the SSL certificate for your server.
+If you run your own server, we recommend to check out the ["Let's Encrypt" initiative](https://letsencrypt.org/).
+Not only do they offer free SSL certificates, but also a way to automate their renewal.
+You need to install a client software on your server to use it.
+Instructions for the official client are [here](https://certbot.eff.org/).
+Depending on your needs, you might want to look at the [list of alternative letsencrypt clients](https://letsencrypt.org/docs/client-options/).
-### Step 2: Validate your email address and your domain
+## Web server settings
-To continue you have to prove that you own the email address you specified and the domain that you want a certificate for.
-Specify your email address, request a validation link via email from the "validations wizard".
-Same procedure for the domain validation.
+Visit the [Mozilla's wiki](https://wiki.mozilla.org/Security/Server_Side_TLS) for instructions on how to configure a secure webserver.
+They provide recommendations for [different web servers](https://mozilla.github.io/server-side-tls/ssl-config-generator/).
-### Step 3: Request the certificate
+## Test your SSL settings
-Go to the "certificates wizard".
-Choose the target web server.
-When you are first prompted for a domain to certify, you need to enter your main domain, e.g. example.com.
-In the next step, you will be able to specify a subdomain for Friendica, if needed.
-Example: If you have friendica.example.com, you first enter example.com, then specify the subdomain friendica later.
+When you are done, visit the test site [SSL Labs](https://www.ssllabs.com/ssltest/) to have them check if you succeeded.
-If you know how to generate an openssl key and a certificate signing request (csr) yourself, do so.
-Paste the csr into your browser to get it signed by StartSSL.
+## Configure Friendica
-If you do not know how to generate a key and a csr, accept StartSSL's offer to generate it for you.
-This means: StartSSL has the key to your encryption but it is better than no certificate at all.
-Download your certificate from the website.
-(Or in the second case: Download your certificate and your key.)
+If you can successfully access your Friendica instance through https, there are a number of steps you can take to ensure your users will use SSL to access your instance.
-To install your certificate on a server, you need one or two extra files: sub.class1.server.ca.pem and ca.pem, delivered by startssl.com
-Go to the "Tool box" section and download "Class 1 Intermediate Server CA" and "StartCom Root CA (PEM encoded)".
+### Web server redirection
-If you want to send your certificate to your hosting provider, they need the certificate, the key and probably at least the intermediate server CA.
-To be sure, send those three and the ca.pem file.
-**You should send them to your provider via an encrypted channel!**
+This is the simplest way to enforce site-wide secure access.
+Every time a user tries to access any Friendica page by any mean (manual address bar entry or link), the web server issues a Permanent Redirect response with the secure protocol prepended to the requested URL.
-If you run your own server, upload the files and check out the Mozilla wiki link below.
+With Apache, simply add the following lines to the [code].htaccess[/code] file in the root folder of your Friendica instance (thanks to [url=https://github.com/AlfredSK]AlfredSK[/url]):
-Let's encrypt
----
+[code]
+#Force SSL connections
-If you run your own server, the "Let's encrypt" initiative might become an interesting alternative.
-Their offer is in public beta right now.
-Check out [their website](https://letsencrypt.org/) for status updates.
+RewriteEngine On
+RewriteCond %{SERVER_PORT} 80
+RewriteRule ^(.*)$ https://your.friendica.domain/$1 [R=301,L]
+[/code]
-Web server settings
----
+With nginx, configure your [code]server[/code] directive this way (thanks to [url=https://bjornjohansen.no/redirect-to-https-with-nginx/]Bjørn Johansen[/url]):
-Visit the [Mozilla's wiki](https://wiki.mozilla.org/Security/Server_Side_TLS) for instructions on how to configure a secure webserver.
-They provide recommendations for [different web servers](https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Server_Configurations).
+[code]
+server {
+ listen 80;
+ listen [::]:80;
+ server_name your.friendica.domain;
+ return 301 https://$server_name$request_uri;
+}
+[/code]
-Test your SSL settings
----
+### SSL Settings
-When you are done, visit the test site [SSL Labs](https://www.ssllabs.com/ssltest/) to have them check if you succeeded.
+In the Admin Settings, there are three SSL-related settings:
+- **SSL link policy**: this affects how Friendica generates internal links. If your SSL installation was successful, we recommend "Force all links to SSL" just in case your web server configuration can't be altered like described above.
+- **Force SSL**: This forces all external links to HTTPS, which may solve Mixed-Content issues, but not all websites support HTTPS yet. Use at your own risk.
+- **Verify SSL**: Enabling this will prevent Friendica to interact with self-signed SSL sites. We recommend you leave it on as a self-signed SSL certificate can be a vectorfor a man-in-the-middle attack.
\ No newline at end of file
projects / friendica.git / blobdiff