SSL provides a secure connection between your web containers and your visitors' web browsers. You can easily improve the security of websites running inside your web containers by enabling SSL and thus allowing data to be transmitted securely.
You can read more information about SSL on the Transport Layer Security Wikipedia page.
Enabling SSL on one of your web containers is as easy as clicking a button. Consider the following steps:
We have integrated our Cloud Container platform with Let's Encrypt, a free, automated and open certificate authority. This allows us to very quickly and easily request SSL certificates to be issued for your web containers at no additional cost.
You can read more about Let's Encrypt on their official website.
Yes, simply send an email to us at support@sitehost.co.nz and we can either supply you with a brand new SSL certificate or, if you already have a certificate, we'll be happy to set this up for you.
For additional information on purchasing an SSL certificate from us, please see our SSL Certificate pricing page.
With Cloud Containers the traditional approach to redirection may not work, because all of the requests are served by a reverse proxy.
Instead, we recommend leveraging the X-Forwarded-Proto header; modify your web server configuration files as follows:
For containers running the Apache web server:
```apache
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```
For example, with a default Apache-based website container, the 000-default.conf file can be modified with these lines to force such redirection:
```apache
SetEnvIf X-Forwarded-Proto https HTTPS=on
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
```
You can find this file in your home directory, inside the configuration folder: config/apache2/sites-available/
Alternatively, the same instructions can instead be added to your base .htaccess file in your public directory.
For containers running Nginx, add the following to the server directive:
```nginx
if ($http_x_forwarded_proto != 'https') {
    rewrite ^ https://$host$request_uri? permanent;
}
```
For example, for an Nginx container the configuration will look something like this:
```nginx
server {
    listen 80 default_server;
    # Your other config here.
    # and here...
    if ($http_x_forwarded_proto != 'https') {
        rewrite ^ https://$host$request_uri? permanent;
    }
}
```
For containers running our .NET Core + SDK 6 / 7 images, you'll need to configure the web server to allow proxy connections and set up URL rewriting. The following changes will need to be made to the file that will configure your web application. For our example, we'll be using an Umbraco project.
```csharp
using Microsoft.AspNetCore.HttpOverrides; // ForwardedHeaders
using Microsoft.AspNetCore.Rewrite;       // RewriteOptions, AddIISUrlRewrite

public void ConfigureServices(IServiceCollection services)
{
    // Configure how the forwarded headers middleware behaves
    services.Configure<ForwardedHeadersOptions>(options =>
    {
        // Process the X-Forwarded-For and X-Forwarded-Proto headers
        options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
        // Clearing both lists makes the middleware accept forwarded headers from
        // any address, not only loopback. This relies on the container being
        // reachable only through the reverse proxy.
        options.KnownNetworks.Clear();
        options.KnownProxies.Clear();
    });
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    // Applies the forwarded headers configured above; must run before the redirection below.
    app.UseForwardedHeaders();
    // Enforces HTTPS redirection
    app.UseHttpsRedirection();
    // Adds our own rewriter that uses the IISUrlRewrite.xml file
    app.UseRewriter(new RewriteOptions().AddIISUrlRewrite(env.ContentRootFileProvider, "IISUrlRewrite.xml"));
}
```
Next we'll need to create a new XML file that will hold our rewriting rules. We'll call it IISUrlRewrite.xml for our example.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<rewrite>
  <rules>
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
        <add input="{HTTP_HOST}" pattern="^localhost(:[0-9]+)?$" negate="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" />
    </rule>
  </rules>
</rewrite>
```
You can find out more about rewriting URLs from Microsoft's ASP.NET documentation.
After this, you'll want to include the file in your project by editing the .csproj file and adding the following lines.
```xml
<ItemGroup>
  <Content Include="IISUrlRewrite.xml">
    <CopyToOutputDirectory>Always</CopyToOutputDirectory>
  </Content>
</ItemGroup>
```
The container must be rebooted for the change to take effect: log in to the SiteHost control panel, find the container whose configuration you modified, and press the Reboot button.
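Why the traditional redirect check can fail behind the reverse proxy while the X-Forwarded-Proto check works, shown as an added Python model (an illustration written for this page, not SiteHost's code). It assumes the proxy terminates TLS, forwards to the container over plain HTTP, and sets X-Forwarded-Proto to the visitor's scheme; all function names and the sample URL are constructed.

```python
# Added example: a model of a TLS-terminating reverse proxy in front of a
# container. Assumption: the proxy always talks plain HTTP to the container
# and sets X-Forwarded-Proto to the scheme the visitor used.
from urllib.parse import urlsplit


def traditional_rule(request):
    """Redirect when the connection reaching the web server is not TLS."""
    if not request["tls"]:
        return 301, "https://" + request["host"] + request["path"]
    return 200, None


def forwarded_proto_rule(request):
    """Redirect when the proxy reports the visitor did not use HTTPS."""
    if request["headers"].get("X-Forwarded-Proto") != "https":
        return 301, "https://" + request["host"] + request["path"]
    return 200, None


def via_proxy(url, backend_rule):
    """Build the request the container sees for a visitor's URL."""
    parts = urlsplit(url)
    request = {
        "tls": False,  # proxy-to-container hop is plain HTTP (assumption)
        "host": parts.netloc,
        "path": parts.path or "/",
        # In this model the proxy sets the header itself from the real scheme.
        "headers": {"X-Forwarded-Proto": parts.scheme},
    }
    return backend_rule(request)


def browse(url, backend_rule, max_redirects=10):
    """Follow redirects like a browser; return (final_status, hops)."""
    for hops in range(max_redirects + 1):
        status, location = via_proxy(url, backend_rule)
        if status != 301:
            return status, hops
        url = location
    return "redirect loop", max_redirects


if __name__ == "__main__":
    site = "http://www.example.com/login"  # constructed sample URL
    print("traditional:", browse(site, traditional_rule))
    print("forwarded-proto:", browse(site, forwarded_proto_rule))
```

The traditional rule never sees a TLS connection, so it redirects every request, including the one the visitor already made over HTTPS; the header-based rule redirects once and then serves the page.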
If your domain is using Cloudflare (orange cloud enabled), SSL certificate issuance can behave differently due to how Cloudflare proxies and encrypts traffic. While we handle most scenarios automatically, some Cloudflare configurations can prevent SSL verification from completing successfully.
This section explains what works, what doesn’t, and how to resolve common issues.
SSL issuance will succeed when using the following Cloudflare encryption modes:
These modes allow Let’s Encrypt to validate your domain successfully, even when Cloudflare is enabled.
For best security after SSL is issued, we recommend switching to Full (Strict) once verification has completed successfully.
Issue: If Cloudflare is set to Full (Strict) before an SSL certificate exists on your container, verification will fail.
Error shown:
Please check your Cloudflare Encryption Mode and set it to Flexible, or disable it to allow SSL verification to complete.
Fix:
Examples:
- app.dev.example.com
- test.stage.example.com
Known behaviour:
| Cloudflare Mode | Result |
|---|---|
| Flexible | ❌ May fail |
| Full | ❌ May fail |
| Full (Strict) | ❌ Will fail |
Error shown:
Cloudflare is known to interfere with SSL verification. Please check your Cloudflare settings or disable Cloudflare for the domain.
Why this happens: Cloudflare’s proxying and redirect behaviour can interfere with SSL verification on deeply nested subdomains.
Fix options:
www.example.com) where possible
Cloudflare automatically enables IPv6 and may assign an IPv6 (AAAA) record to your domain.
Issue: If Cloudflare assigns an IPv6 address but your container does not support IPv6, SSL verification may fail.
Error shown:
Cloudflare has assigned an IPv6 record ([ip]) that does not point to the server. Please add an IPv6 address to your server and assign that to your domain.
Fix:
To avoid SSL issues when using Cloudflare:
Before enabling SSL
If SSL verification continues to fail while Cloudflare is enabled, temporarily disabling the Cloudflare proxy (gray cloud) for the affected domain or subdomain is the fastest way to confirm whether Cloudflare is the cause.