friendica-github/doc/SSL.md

68 lines
2.9 KiB
Markdown
Raw Normal View History

2013-01-25 21:45:48 +00:00
Using SSL with Friendica
=====================================
* [Home](help)
2015-11-07 19:43:04 +00:00
Disclaimer
2015-11-07 17:26:48 +00:00
---
2016-11-19 12:28:45 +00:00
**This document has been updated in November 2016.
2015-11-07 19:43:04 +00:00
SSL encryption is relevant for security.
This means that recommended settings change fast.
Keep your setup up to date and do not rely on this document being updated as fast as technologies change!**
2013-01-25 21:45:48 +00:00
2015-11-07 19:43:04 +00:00
Intro
2015-11-07 17:26:48 +00:00
---
2015-11-07 19:43:04 +00:00
If you are running your own Friendica site, you may want to use SSL (https) to encrypt communication between servers and between yourself and your server.
2013-01-25 21:45:48 +00:00
2015-11-07 19:43:04 +00:00
There are basically two sorts of SSL certificates: Self-signed certificates and certificates signed by a certificate authority (CA).
Technically, both provide the same valid encryption.
There is a problem with self-signed certificates though:
They are neither installed in browsers nor on other servers.
That is why they provoke warnings about "mistrusted certificates".
This is confusing and disturbing.
2013-01-25 21:45:48 +00:00
2015-11-07 19:43:04 +00:00
For this reason, we recommend to get a certificate signed by a CA.
Normally, you have to pay for them - and they are valid for a limited period of time (e.g. a year or two).
2013-01-25 21:45:48 +00:00
2015-11-07 19:43:04 +00:00
There are ways to get a trusted certificate for free.
2013-01-25 21:45:48 +00:00
2015-11-07 19:43:04 +00:00
Chose your domain name
2015-11-07 17:26:48 +00:00
---
2013-01-25 21:45:48 +00:00
2015-11-07 19:43:04 +00:00
Your SSL certificate will be valid for a domain or even only for a subdomain.
Make your final decision about your domain resp. subdomain *before* ordering the certificate.
Once you have it, changing the domain name means getting a new certificate.
2013-01-25 21:45:48 +00:00
2015-11-07 19:43:04 +00:00
Shared hosts
2015-11-07 17:26:48 +00:00
---
2013-01-25 21:45:48 +00:00
2015-11-07 19:43:04 +00:00
If your Friendica instance is running on a shared hosting platform, you should first check with your hosting provider.
They have instructions for you on how to do it there.
You can always order a paid certificate with your provider.
They will either install it for you or provide an easy way to upload the certificate and the key via a web interface.
2016-11-19 12:28:45 +00:00
With some providers, you have to send them your certificate.
They need the certificate, the key and the CA's intermediate certificate.
To be sure, send those three files.
2015-11-07 19:43:04 +00:00
**You should send them to your provider via an encrypted channel!**
2013-01-25 21:45:48 +00:00
2016-11-19 12:28:45 +00:00
Own server
2015-11-07 19:43:04 +00:00
---
2013-01-25 21:45:48 +00:00
2016-11-19 12:28:45 +00:00
If you run your own server, we recommend to check out the ["Let's Encrypt" initiative](https://letsencrypt.org/).
Not only do they offer free SSL certificates, but also a way to automate their renewal.
You need to install a client software on your server to use it.
Instructions for the official client are [here](https://certbot.eff.org/).
Depending on your needs, you might want to look at the [list of alternative letsencrypt clients](https://letsencrypt.org/docs/client-options/).
2013-01-25 21:45:48 +00:00
2015-11-07 19:43:04 +00:00
Web server settings
---
2013-01-25 21:45:48 +00:00
2015-11-07 19:43:04 +00:00
Visit the [Mozilla's wiki](https://wiki.mozilla.org/Security/Server_Side_TLS) for instructions on how to configure a secure webserver.
2016-11-19 12:28:45 +00:00
They provide recommendations for [different web servers](https://mozilla.github.io/server-side-tls/ssl-config-generator/).
2013-01-25 21:45:48 +00:00
2015-11-08 09:13:38 +00:00
Test your SSL settings
2015-11-07 19:43:04 +00:00
---
2013-01-25 21:45:48 +00:00
2015-11-07 19:43:04 +00:00
When you are done, visit the test site [SSL Labs](https://www.ssllabs.com/ssltest/) to have them check if you succeeded.