I mentioned a few days ago using osTicket, we have been using it for a while. We also have to make it public facing so our customers can use it, and so we can use it from outside of the office. The problem is that since we are using our AD credentials to login there is a major security concern since by default, osTicket is not encrypted. We opted to use SSL encryption on our ticket system.
No big deal right? Well, we also want to make it so users don’t have to remember to type in the httpS part in the address. We want them to be able to type support.companydomain.com and have it automagically go to our ticket system. Likewise, on the admin page we want to make it so that when you go to support.companydomain.com/admin it automagically gets SSL encryption too. One way to do it is to drop an index.html file in with a redirect, that works ok too, but what if you want to ensure that if the S in httpS is removed, users still get forced to use SSL without any errors? Well in this case I used a little PHP magic.
I created a file called encrypt.php with the following code:
<?
function secure_page()
{
if ( !isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) !== 'on' )
{
header ('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
exit();
}
}
secure_page();
?>
On any pages where I wanted to ensure SSL, I added the following line:
require('encrypt.php');
Similarly, in our old ticket system (Which we are upgrading today now that Ubuntu 10.04 is out!) we added a custom reCaptcha on the ticket request page. Since we weren't hosting the reCaptcha ourselves we couldn’t encrypt it with our SSL cert, and users would get prompted if they wanted to display the unsecure items. That confused people, so we wanted to make sure that page was not encrypted with SSL.
To do that, we did the same as above except this time we created a file called decrypt.php with the following code:
<?
function unsecure_page()
{
if ( isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) == 'on' )
{
header ('Location: http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
exit();
}
}
unsecure_page();
?>
And once again on that page we added the following line:
require('decrypt.php');
Done, now on all the pages we want to be encrypted, it is encrypted, and on the pages we don’t want to encrypt it isn’t. Luckily in the new version of osTicket captcha is built in, so I can encrypt all pages without issue.
In both cases, since we wrote those files we can include them on any page we want, including on our phpMyAdmin page! Boom!
Do you use this method to force SSL on your LAMP servers? If not, what do you do? Let us know in the comments.