[[TranslatedPages]]
[[PageOutline]]

= Configure your web site to use https =

By default, your web site does not communicate with the world using an encrypted connection. When you connect, it uses the "http" protocol instead of the "https" protocol.

We strongly encourage all members to change this setting so all communications is encrypted. Even if you don't think it is necessary, consider that all information you send to the site, which may include usernames and passwords, are sent in the clear unless you are using https. 

Fortunately, the process of choosing to run an https enabled web site is fully handled in the members control panel:

 * Log in via https://members.mayfirst.org/cp.
 * Choose the "Web Configuration" section.
[[Image(https-configuration.png)]]
 * Edit your web configuration and remove any domains from the domain names section that are not properly working or have expired (if there are any).
 * Change Encryption from "http only" to "https enabled".
 * Click "Submit".


== What if I already have an https web site? ==

Some members already have their own https certificates and keys. If you click the Advanced button, you will see them listed.

If you want to switch from using your own https certificate and key to using our automatic and free Let's Encrypt certificate and key, simply delete the path to your certificate and key from the TLS Key path and TLS Cert path fields.

== How does it work? ==

Our control panel is integrated with a free services called [https://letsencrypt.org/ Let's Encrypt]. They provide automated 3 month certificates free of charge. We have a regular scheduled job that will automatically renew your certificates every three months to ensure they are kept up to date.

== Using https with CloudFlare ==

Some members have elected to use CloudFlare - a content distribution network/caching system - with their web sites, and have shared their experience using it here. Current CloudFlare documentation should always be referenced before making changes you do not understand. We can not directly support CloudFlare, but you may find these instructions to be helpful when using it in combination with the automatic https offered by the control panel. This is due to how these services may conflict with each other: LetsEncrypt attempts to issue updated certificates using a method called the "webroot" authentication method. This method places a specially named file in the `.well-known` folder in the root of your web site. Then the LetsEncrypt service looks for this file on your server (to validate the certificate request is legitimate), however CloudFlare may respond to request inaccurately, preventing certificate renewal from occurring. Adjusting configuration on CloudFlare to specifically prevent the service from interfering with or modifying these verification responses can corrrect this situation:

 * Log into your CloudFlare account and go to the Page Rules settings for your domain.
 * Add a page rule, ahead of any possible redirects (i.e. potentially just make this the very first rule).
 * Configure the rule as necessary. The important part, is that it ignores any requests for the `.well-known/` folder. For example: `*.workingdirectory.net/.well-known/*` for the URL, and the settings set the "Cache level" set to "Bypass".