Connecting via HTTPS

Hello,

I don't like the idea of connecting via HTTP, so I was wondering how I get my Plone site to offer HTTPS. Should this not be the default nowadays?

Cheers

Plone sites are usually behind a classic Web server that provides https.
See
https://docs.plone.org/manage/deploying/front-end/index.html
and
https://docs.plone.org/manage/deploying/production/index.html
If you find all this a bit overwhelming, you can use a tool like ansible plone that will handle all this for you from a configuration file.

What have you tried? Are you stuck on something?

Do you have an SSL certificate?
Let's Encrypt can help you with this for free:

Another way is to use Cloudflare; they give you their full universal SSL for free https://www.cloudflare.com/ssl/ (read carefully to see if the security implications of using their SSL are OK for your use case).

Thanks guys, yes, this is a bit overwhelming, but sometimes you are just so keen to make progress that you skip some docs that are already there. From what I now understand, Plone doesn't offer https directly. You have to implement this by redirecting requests through Apache. It's Apache that will then offer it over https.

What I'm not so clear on is whether Plone will still respond to 8080 (it must do, otherwise what would Apache redirect to?), which is clearly undesirable because someone that knows the link http://X.X.X.X:8080/Plone can circumvent Apache. Is it through the firewall that you control this scenario, i.e. you allow the firewall to pass requests via port 80 to Apache, which then redirects to 8080, and you block all external requests to 8080?

I guess this is not a massive issue as my site is an intranet not open to the internet, but there still could be risks via the intranet, particularly when you have open wireless networks.

Thanks for your help guys.

Yes.
You can set up a firewall on your computer to shut down any port other than 80 and 443.
Keep access for yourself to port 8080, since it's the only way to access the ZMI (Zope Management Interface), which is sometimes useful.

In case you don't know:
If you make a website with https and do not have a certificate, the users will get a message about your site not being safe / certificated. (OK, it can be turned off on each computer, but still… )

So this is probably the first thing to do. If you use Apache you can set it up so it does all the certificate stuff for you. After that, the rest is easy, just opening / enabling SSL / https ports.

If it sounds complicated to set up Apache, I would consider installing Webmin; then you get a UI to install it, configure it etc.
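
The setup discussed in this thread, as an added example that is not part of any post: Apache terminates HTTPS and proxies to Plone on port 8080, which is bound to loopback so it cannot be reached around Apache. The hostname `intranet.example.org`, the certificate paths and the `admin` account are assumptions; the site id `Plone` is taken from the URL quoted above.

```apache
# Added example; hostname, certificate paths and admin account are assumptions.
# Requires mod_ssl, mod_rewrite, mod_proxy and mod_proxy_http.

# Port 80 serves no content, only a permanent redirect to HTTPS.
<VirtualHost *:80>
    ServerName intranet.example.org
    Redirect permanent / https://intranet.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName intranet.example.org

    SSLEngine on
    # Placeholder paths: point these at your own certificate and key.
    SSLCertificateFile    /etc/ssl/certs/intranet.example.org.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/intranet.example.org.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    RewriteEngine On
    # VirtualHostMonster path: tells Zope the public scheme, host and port,
    # so the links Plone generates use https:// instead of port 8080.
    # The public host is hard-coded rather than taken from the request.
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/https/intranet.example.org:443/Plone/VirtualHostRoot/$1 [P,L]
</VirtualHost>

# Zope side (buildout, plone.recipe.zope2instance part): listen on loopback
# only, so 8080 is unreachable from the network even if a firewall rule is
# missing or later removed:
#   http-address = 127.0.0.1:8080
#
# The ZMI stays available to an administrator through an SSH tunnel:
#   ssh -L 8080:127.0.0.1:8080 admin@intranet.example.org
# and then http://localhost:8080/ on the admin machine.
```

A host firewall that only admits ports 80 and 443 still makes sense as a second layer on top of the loopback binding.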