SSL encryption

The freistilbox edge routers decrypt incoming SSL requests right when they reach our managed hosting platform. This practice is called “SSL offloading” and has several advantages:

  • Since the freistilbox application boxes do not need to spend computing capacity on SSL, they have more resources available to run your web application.
  • Content caching works for encrypted and unencrypted requests. This saves even more capacity on the application boxes and avoids that you have to resort to “mixed mode” for fast asset delivery.

Using free TLS certificates from Let’s Encrypt

Our new generation of edge routers not only speeds up your content delivery by way of 10 Gbit/s uplinks and HTTP/2, they also allow you to secure your web traffic free of charge with TLS certificates from Let’s Encrypt. See our Let’s Encrypt documentation for details.

Using Custom TLS certificates

Since it exclusively provides domain-validated certificates, Let’s Encrypt can only cover basic web security needs. If your security requirements ask for an owner-validated certificate or you’d like to use a wildcard certificate to secure a growing list of subdomains (“*.example.com”), we can provide you with a variety of individual TLS certificates. You can find all the details and order forms on our SSL pricing page.

How to handle secure requests in your application

Because SSL requests are decrypted by our edge routers before they reach one of your application boxes, your web application will always receive plain HTTP requests. In order to be able to tell which requests originally came in encrypted, our edge routers mark them with the HTTP header X-Forwarded-Proto: https.
When our application boxes see this HTTP header, they set an environment variable named HTTPS to the value on.

In your application, you can test this variable to see if a request came over an encrypted connection.

In PHP:

if ($_SERVER['HTTPS'] == "on")

This variable is set by PHP for received SSL requests, too, so existing applications, plugins and modules should work out of the box with our configuration.

There is a catch with testing for SSL in an .htaccess file. While Apache’s mod_rewrite has a built-in condition named HTTPS, its result is true only if the request actually reached the box in its encrypted form – which will never be the case for the reasons explained above. Therefore, you have to check the environment variable of the same name instead.

This will not work:

RewriteCond %{HTTPS} on

This will work:

RewriteCond %{ENV:HTTPS} on

We recommend you cover all bases by checking both conditions:

RewriteCond %{HTTPS} on [OR]
RewriteCond %{ENV:HTTPS} on

Redirecting all insecure requests to HTTPS

To force HTTPS for all requests, use the following snippet in .htaccess:

RewriteCond %{HTTPS} !on
RewriteCond %{ENV:HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]