
EL Documentation of Securing the CP with SSL

Feature Requests

Jeremy S.
353 posts
10 years ago

It’s a little surprising and disappointing that steps to secure the CP with HTTPS are still not in the actual EE docs (if they are, I don’t see them). Even better, have settings in the CP to do so. Considering EL boasts EE as being very secure, it seems that making the information easily available should be front and center. In fact it should be encouraged in detail under best practices.

Add in the fact that Google is preferring sites using HTTPS, it’s a no-brainer.

A starting point: https://ellislab.com/forums/archive/viewthread/245209

       
TJ Draper
222 posts
10 years ago

Hi Jeremy, only one of the steps in the linked thread involves ExpressionEngine config — and it’s a pretty typical step to make sure your CP URL setting is correct. Most of those steps are all server-side related and different for every server setup (for instance, I run EE on NGINX a lot and most of those steps are different for NGINX). And if you run the initial install on SSL, you don’t even have to worry about it. Essentially, switching EE to SSL is about the same as switching site URLs.

I run every EE site I build on SSL site-wide without any issue. EE really doesn’t care one way or the other if the site is running on SSL or not. A dynamic config may help alleviate some of the pain in either case.

       
Jeremy S.
353 posts
10 years ago

There are numerous threads on the net indicating people are unsure what to do. We can’t look at it as experienced users, we have to consider it like a first time user. EE is often heralded as great for designers. Well, many designers need a little more help than Devs do in these areas.

Several other CMS’s out there document the basics (.htaccess and config changes) for securing a site, member’s areas and/or control panels. I don’t see why EE shouldn’t.

These may seem simple steps, but elude many people…

Edit the cp_url parameter so that it uses HTTPS:

$config['cp_url'] = 'https://site.com/admin.php';

Edit the theme_folder_url so that it only specifies the correct subfolder. Often times theme_folder_url is hard coded to something like ‘http://site.com/themes/’ which will interfere with your ability to run the Control Panel completely under HTTPS/SSL:

$config['theme_folder_url'] = '/themes/';
       
Ingmar
29,245 posts
10 years ago

We can’t look at it as experienced users, we have to consider it like a first time user. EE is often heralded as great for designers. Well, many designers need a little more help than Devs do in these areas.

I respectfully disagree. Well, not as such: designers might need a little more help than devs, but I think this is really beyond the scope of EE installation instructions or similar. The docs don’t explain how to set up your web server or even how to create a MySQL db, either, they just assume it’s there.

Enabling SSL is a rather complex issue, and while that’s slowly beginning to change, this is and will remain a server issue. EE itself is pretty agnostic in that regard: enable SSL on your server, optionally rewrite non-https requests and make sure your EE paths are in order, that’s really all it should take.
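
The two config.php edits listed by Jeremy S. and the "make sure your EE paths are in order" step in the reply above can be checked mechanically. The PHP below is an added example, not part of any post and not ExpressionEngine code; the function name `audit_cp_https` is hypothetical, the sample values are constructed, and it goes slightly beyond the thread by flagging any setting hard-coded to http://, not only theme_folder_url.

```php
<?php
// Added example (not ExpressionEngine code). All sample values are constructed.

/**
 * Audit a $config array, as defined in EE's config.php, for settings that
 * keep the Control Panel from running entirely over HTTPS.
 * Returns a list of findings; an empty list means nothing was flagged.
 */
function audit_cp_https(array $config): array
{
    $findings = [];
    $scheme = static function (string $url): string {
        // parse_url() yields null for scheme-less values such as '/themes/'.
        return strtolower((string) parse_url($url, PHP_URL_SCHEME));
    };

    // Step 1 from the thread: cp_url must be an absolute https:// URL.
    $cp = trim((string) ($config['cp_url'] ?? ''));
    if ($cp === '') {
        $findings[] = 'cp_url: not set in this file, check where it is configured';
    } elseif ($scheme($cp) !== 'https') {
        $findings[] = "cp_url: not https ($cp)";
    }

    // Step 2, generalised: any setting hard-coded to http:// (theme_folder_url
    // is the usual one) is fetched insecurely from an HTTPS Control Panel page.
    foreach ($config as $key => $value) {
        if ($key !== 'cp_url' && is_string($value) && $scheme(trim($value)) === 'http') {
            $findings[] = "$key: hard-coded http URL ($value)";
        }
    }
    return $findings;
}

// Constructed samples: a typical pre-HTTPS config and the thread's corrected one.
$samples = [
    'before' => ['cp_url' => 'http://site.com/admin.php', 'theme_folder_url' => 'http://site.com/themes/'],
    'after'  => ['cp_url' => 'https://site.com/admin.php', 'theme_folder_url' => '/themes/'],
];
foreach ($samples as $label => $cfg) {
    $found = audit_cp_https($cfg);
    echo $label, ': ', $found ? implode('; ', $found) : 'nothing flagged', PHP_EOL;
}
```

The check only covers values set in config.php; whether the server itself redirects non-HTTPS requests has to be verified separately.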

       
Jeremy S.
353 posts
10 years ago

Wow, I can’t believe the resistance to such a simple suggestion. I had a colleague refer to the EE community as having become a ‘shrinking, old boys club’. I didn’t like that, but today I am getting a sense of that. And I dislike it.

Interesting… I’ll bet a few people have found THIS helpful (sorry to have to go here). Even as just a starter guide, it’s there to help users, and although it’s not 100% apples to apples, I think it makes my point:

https://craftcms.com/support/force-ssl

But, let’s just keep things the way they are.

https://docs.expressionengine.com/latest/security/general_tips.html#use-ssl-certificates

       
Seth Barber
172 posts
10 years ago

Hi Jeremy,

Thanks for pointing this out. You are right, we need better documentation related to securing your site with SSL. Naturally we cannot cover all the server environments but we need to do a better job than we are.

       


Packet Tide owns and develops ExpressionEngine. © Packet Tide, All Rights Reserved.