SSL Certificate and Nginx management features now built-in to Jetendo CMS
Implementing SSL is one of the best ways to protect financial data, passwords and other information in transit over the Internet.
It's becoming even more important now as privacy concerns have increased due to governments and malicious users spying on our Internet activity.
Recently Google announced that they are making SSL a part of the search results ranking algorithm so that sites that use it get a boost in their rank. This will have an increasing benefit to everyone around the world over time as security of the Internet improves.
With companies like godaddy.com, namecheap.com and others offering great deals on domain validated SSL certificates, it's not that expensive to add an SSL Certificate to a web site. However, each year it does take some time for someone to set up the CSR, purchase the certificate, wait for email approval, download the certificate, configure the web server with the new certificate and test that it's working. Many companies will feel they need to charge an hour or more for this labor, which makes SSL cost quite a bit more than the purchase price, especially if you begin to manage dozens or hundreds of SSL Certificates. Also, if you forget to renew an SSL Certificate, it will seriously reduce the public traffic to a web site when it expires because everyone will see a huge security warning instead of your web site.
For the above reasons, SSL is not free and it must be managed well for it to add lasting benefit to your company's web site.
Automating SSL Certificate Management In Jetendo
As a web developer, I try to automate as much of the work as possible, and over the last 10 years, I've built just about everything you could need for custom web apps into Jetendo CMS.
Now with SSL growing in importance, the time was right to integrate SSL certificate automation and management features into Jetendo's Server Manager browser interface.
As a result of the new SSL / Nginx management integration, you get the following benefits:
Automatic Nginx Configuration / Validation / Testing
You can also generate and install self-signed SSL certificates in one step for using / testing SSL certificates without having to buy a signed certificate.
The ability to disable Jetendo's Nginx includes and/or override the Nginx configuration through the web interface (this works even when not using SSL).
Automatic email alerts for upcoming SSL Certificate expirations for all certificates installed to the Jetendo Nginx SSL Directory.
Very secure private key installation: the private key can't be read or altered through the browser interface. This is a good thing in case someone unauthorized gains access to your server manager account, as SSL is only as good as the secrecy of the private key. The private key is also not stored in the database for this reason.
Recent versions of Nginx support the SPDY protocol, which was originally designed by Google to help speed up the Internet. SPDY relies on SSL and a multiplexed protocol design to reduce the number of connections needed to serve all files needed to view a web site. Jetendo automatically enables SPDY when you install an SSL certificate, which makes the web site a bit faster, especially on higher-latency connections such as cellular Internet and Wi-Fi. Yet another reason to invest in SSL for all your customers' domains.
Plenty of validation is in place to ensure the SSL Certificate will be installed correctly with easy to understand error messages for all failure conditions.
Jetendo already came with a secure SSL Nginx configuration that locks down filesystem permissions on SSL certificate files. Further access limitations configured in AppArmor prevent any of the web processes from reading or changing the certificate files, and those permissions are automatically self-healed on a scheduled basis. The new SSL interface takes advantage of all these features.
The new interface also allows you to install multiple SSL Certificates for each site, and it automatically selects the newest certificate when publishing the Nginx configuration. Once you've activated a new certificate, you can delete the older certificate if you like.
Additionally, Jetendo Server Manager users can be required to authenticate with mandatory multi-factor authentication through OpenID to further reduce the chances of someone gaining access to modify the configuration.
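The scheduled permission self-healing described above can be sketched as follows. This is an added example, not Jetendo's own code: the function names, the 0600/0700 target modes and the sample directory are assumptions made for illustration.

```python
import os
import stat
import tempfile

def heal_permissions(ssl_dir, owner_uid, file_mode=0o600, dir_mode=0o700):
    """Reset drifted modes under ssl_dir and return (path, issue) findings."""
    # Collect paths first so a chmod never changes what the walk can see.
    paths = [ssl_dir]
    for root, dirs, files in os.walk(ssl_dir):
        paths += [os.path.join(root, name) for name in dirs + files]
    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat: inspect the link itself, never its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink: not followed, review manually"))
            continue
        if st.st_uid != owner_uid:
            findings.append((path, "unexpected owner uid %d" % st.st_uid))
        want = dir_mode if stat.S_ISDIR(st.st_mode) else file_mode
        have = stat.S_IMODE(st.st_mode)
        if have != want:
            os.chmod(path, want)
            findings.append((path, "mode %o reset to %o" % (have, want)))
    return findings

def demo():
    """Build a constructed certificate directory, heal it, report the result."""
    with tempfile.TemporaryDirectory() as ssl_dir:  # created with mode 0700
        key = os.path.join(ssl_dir, "site.key")
        crt = os.path.join(ssl_dir, "site.crt")
        for path, mode in ((key, 0o644), (crt, 0o600)):  # key has drifted
            with open(path, "w") as handle:
                handle.write("constructed placeholder, not real key material\n")
            os.chmod(path, mode)
        os.symlink(key, os.path.join(ssl_dir, "link.key"))
        findings = heal_permissions(ssl_dir, owner_uid=os.getuid())
        key_mode = stat.S_IMODE(os.stat(key).st_mode)
        return sorted((os.path.basename(p), issue) for p, issue in findings), key_mode

if __name__ == "__main__":
    for name, issue in demo()[0]:
        print(name, "->", issue)
```

Run from a scheduler as the account that owns the certificate directory, the returned findings double as an audit trail: any non-empty result means something changed the permissions since the last run.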
Email alerts keep you aware of changes
The server administrator also receives an email alert each time an SSL Certificate modification is made through the interface regardless of whether it was successful or not. This will help you be aware of anyone changing the SSL configuration without telling you.
To avoid mistakes resulting in the accidental deletion or modification of an active SSL certificate, we've implemented the interface in such a way that you can't modify certificate information once it is activated.
Reporting and Security Auditing
I also added a feature to show a report of all the IP addresses, the SSL certificate associated with each one, and the common name. This makes it easy to see at a glance what IPs are in use, and for what sites.
There is also a login log and an audit log for all CMS manager functions, which help you see what features someone attempted to change in the CMS per user account.
Next step: Automatic SSL Purchase/Renewal through NameCheap SSL API
By integrating this automation into Jetendo today, it will enable future automation, such as integration with namecheap.com's SSL API so that we can reduce the labor cost to near zero for SSL ordering and installation. The only step that can't be automated is clicking the approval link in the SSL renewal email. However, the rest of the steps could be automated, greatly reducing the cost of maintaining a large number of SSL Certificates over time.
With industry-leading integration and automation, Jetendo is one of the most powerful web applications currently available as open source software.