SSL encryption

We decrypt incoming SSL requests at the edge of our hosting infrastructure. From there on, we only need to process plain HTTP requests. This practice is called SSL offloading and has several advantages:

  • freistilbox instances do not need to spend computing capacity on SSL, so more resources are available to your web application.
  • Content caching works for all requests. This saves even more capacity on the freistilbox instances and avoids that you need to use mixed mode for fast delivery.

How to order your certificate

You can see our prices and order/renew your SSL certificate on our SSL pricing page.

Recognizing secure requests

Because SSL requests are decrypted by our Edge Routers before they reach one of your application boxes, your web application will always receive plain HTTP requests only. In order to be able to tell which requests originally came in encrypted, the Edge Router marks these with the HTTP header X-Forwarded-Proto, setting its value to https. Our application boxes then parse this HTTP header and set an environment variable named HTTPS to the value on.

In your application, you can simply test this variable to see if a request had been encrypted by its sender.

In PHP:

if ($_SERVER['HTTPS'] == "on")

This variable is set by PHP for received SSL requests, too, so existing applications, plugins and modules should work out of the box with our configuration.

There is a catch with testing for SSL in an .htaccess file: While Apache’s mod_rewrite has a built-in condition named HTTPS, its result is true only if the request actually reached the box in its encrypted form – which will never be the case due to our architecture. Therefore, you have to check the environment variable of the same name instead:

This will not work:

RewriteCond %{HTTPS} on

This will work:

RewriteCond %{ENV:HTTPS} on

We recommend you cover all bases by checking both conditions:

RewriteCond %{HTTPS} on [OR]
RewriteCond %{ENV:HTTPS} on

Redirecting all unsecure requests to HTTPS

To force HTTPS for all requests, you can use the following snippet in .htaccess:

RewriteCond %{HTTPS} !on
RewriteCond %{ENV:HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

Related articles