Encrypting data is necessary for protecting information, but the process of adding Secure Sockets Layer (SSL) support can sometimes be a pain. Pagoda Box makes the process simple through a few easy steps. After reading this guide, you will understand how to:
- Enable SSL for your app
Free Piggy Back SSL
What is a Piggy Back SSL and how do I use it?
Pagoda Box's Piggy Back SSL allows you to use Pagoda Box's SSL as your own. It's ideal for development environments that need data encryption. Every app automatically has access to the Piggy Back SSL for free. No setup required. All you need to do is use the https protocol instead of http. Piggy Back SSL is only available for Pagoda Box subdomains: https://your-app.pagodabox.com, not custom domains.
3rd Party and Self-Signed SSL
Whenever you add a Self-Signed or Third Party SSL to a DNS alias, a unique IP is generated for that alias. If you have already edited the A-Record of that DNS Alias to point to the IP given before adding SSL, it is highly recommended that you turn your Time to Live (TTL) down through your DNS provider 48-72 hours before adding SSL. This will prevent any downtime caused by DNS propagation. Once your A-Record is pointed to your unique IP, feel free to turn your TTL back up.
Both Self-Signed and Third Party SSL certificates can be used on custom domains. To get started, go to the DNS/SSL tab in your App Dashboard and click on the "Add an SSL Certificate" Button.
At this point, you can choose to either create a new SSL or transfer an existing SSL.
When creating a new SSL Certificate, fill out the necessary information in the form. This information is used to create your SSL certificate. Once completed, click "Save and Continue."
Wildcard SSL Certificates
Wildcard SSL Certificates are simple to use on Pagoda Box. When providing the information necessary to generate the Certificate Request, be sure to include an asterisk in place of the subdomain in the domain you provide (*.myapp.com).
Next, select whether you would like to use a 3rd Party SSL Certificate or a Self-Signed Certificate.
3rd Party SSL
Third Party SSL certificates are obtained from SSL providers or certificate authorities such as Verisign, Digicert, or Thawte (these are just a few examples). After selecting the 3rd Party option and clicking "Next Step," Pagoda Box will generate a certificate request that you'll need to submit to your SSL provider.
After submitting the Certificate Request, your SSL provider will give you a Signed Certificate and a Certificate Authority. Once you receive those, click "Next" to move on to the next step. Simply paste the Certificate and the Certificate Authority into the corresponding fields in the SSL creation form and click "Finish and Activate." Your SSL will be created and you'll be able to assign the SSL Certificate to the appropriate DNS alias(es).
A Self-Signed SSL certificate allows you to use the https protocol and encrypt data, but because it is "self-signed," users will be warned that the certificate is not recognized by a Certificate Authority. These work great for APIs and development environments but are not recommended for production environments.
To use a Self-Signed SSL certificate, simply select the Self-Signed option and click "Save and Finish." Your SSL certificate will automatically be generated and you'll be able to assign the SSL Certificate to the appropriate DNS alias(es).
Transferring an Existing SSL
All you’ll need to transfer an existing SSL is the SSL key, certificate, and certificate authority. Paste each of those into the corresponding fields in the SSL creation process, click “Finish and Activate,” and your SSL will be added on Pagoda Box.
Assigning SSLs to DNS Aliases
After an SSL certificate has been created, it can be assigned to one or multiple DNS aliases, depending on what type of certificate it is (normal vs. wildcard). If you haven't added a DNS alias yet, check out the Using Custom Domains guide.
To assign an SSL to a DNS Alias, simply select the appropriate SSL certificate from the dropdown of available certificates next to the DNS alias. Click the save button at the bottom of your browser window and, after a short transaction, your SSL certificate will be installed and your DNS alias will be assigned a dedicated IP.
Wildcard SSL Certificates
A single Wildcard SSL certificate can be assigned to multiple explicit DNS aliases (blog.myapp.com, api.myapp.com, etc.) or a single implicit alias (myapp.com). When applied to an implicit alias, the SSL certificate will be applied to any subdomain of that alias, although your Wildcard certificate may not be valid for all subdomains. This depends on your SSL Provider.
Point Your A-Record to Your Unique IP
The last step to getting everything up and running is changing your A-Record to point to your new, dedicated IP. Once the DNS change propagates, you'll be able to encrypt data through the https protocol.
Turn Your TTL Down
Turning your DNS Time to Live (TTL) down 48-72 hours before adding SSL will prevent any downtime caused by DNS propagation. Once the transition is made, turn your TTL back up, and you should be good to go.
Redirect to https
Once you've added SSL, it's very likely that you'll want to direct all visitors to the https/secure version of your domain. Because apps on Pagoda Box sit behind a load-balancing routing mesh, https redirects in .htaccess must be handled a little differently. You'll need to use the X-Forwarded-Proto header. Below is an example:
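An added example, not Pagoda Box's own snippet: a mod_rewrite rule for .htaccess that redirects to https based on X-Forwarded-Proto, shown beside the usual %{HTTPS} check it replaces. It assumes mod_rewrite is enabled, that the routing mesh terminates SSL before the request reaches the app, and that the mesh sets X-Forwarded-Proto on every request.

```apache
# .htaccess in the app's web root (assumes mod_rewrite is available)
RewriteEngine On

# The usual check does not work behind a proxy that terminates SSL (assumed
# here): the app server always sees plain HTTP, so this condition is always
# true and the redirect loops.
#   RewriteCond %{HTTPS} off

# Instead, test the protocol the client used, as reported by the routing
# layer in X-Forwarded-Proto. "!=https" also matches a missing header, so
# requests without it are redirected rather than served in clear text.
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

X-Forwarded-Proto is only trustworthy when the routing layer sets or overwrites it on every request; if the app can be reached without passing through that layer, a client can send the header itself and skip the redirect.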