Archived

This topic is now archived and is closed to further replies.

Simplyeasier

The SSL In OsCommerce Guide For The Innocent

I'm having problems when I secure my Admin via SSL... it works, but in certain areas it will log me off and I have to log back in (I have the Administration Access Level Accounts 2.0 contribution installed). For example, when I am on the customer page and try to search for a customer, it logs me out of my admin session.

 

Let's assume my website url is: www.abccompany.com

and I have a shared SSL certificate: https://id100.securedata.net/abccompany

 

Here are my current settings:

 

define('HTTP_SERVER', 'https://id100.securedata.net/abccompany');
define('HTTP_CATALOG_SERVER', 'https://id100.securedata.net/abccompany');
define('HTTPS_CATALOG_SERVER', 'https://id100.securedata.net/abccompany');
define('ENABLE_SSL_CATALOG', 'true');
define('DIR_FS_DOCUMENT_ROOT', '/www/abccompany/');
define('DIR_WS_ADMIN', '/admin/'); // absolute path required
define('DIR_FS_ADMIN', '/www/abccompany/admin/');
define('DIR_WS_CATALOG', '/');
define('DIR_FS_CATALOG', '/www/abccompany/');

 

Any suggestions would be much appreciated. Thanks!

 

I get a 404 page unavailable when I try to log into the url you have posted

 

Charles


A kite flies highest AGAINST the wind !

 

"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, a lover in one hand, martini in the other, body thoroughly used up, totally worn out and screaming ~ WOO HOO!! What a ride!"

Post both your configure.php files for review - I think your cookie paths are wrong.

 

Charles

 

admin/includes/configure.php

 

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
 define('HTTP_SERVER', 'http://ezpregnancytest.com'); // eg, http://localhost - should not be empty for productive servers
 define('HTTP_CATALOG_SERVER', 'http://ezpregnancytest.com');
 define('HTTPS_CATALOG_SERVER', 'https://www.ezpregnancytest.com');
 define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
 define('DIR_FS_DOCUMENT_ROOT', '/home/ezpreg/public_html/'); // where the pages are located on the server

 

includes/configure.php

 

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
 define('HTTP_SERVER', 'http://ezpregnancytest.com'); // eg, http://localhost - should not be empty for productive servers
 define('HTTPS_SERVER', 'https://www.ezpregnancytest.com'); // eg, https://localhost - should not be empty for productive servers
 define('ENABLE_SSL', false); // secure webserver for checkout procedure?
 define('HTTP_COOKIE_DOMAIN', 'ezpregnancytest.com');
 define('HTTPS_COOKIE_DOMAIN', 'ezpregnancytest.com');
 define('HTTP_COOKIE_PATH', '/');
 define('HTTPS_COOKIE_PATH', '/');


Thanks for the guide, it's very informative. I have a question though:

 

After you set up the SSL certificate and configure the osCommerce config files, do you need to put a copy of the "/catalog/" folder in your private_html directory? It seems like a lot of wasted space if you have to keep two sets of product photos, one in public_html and one in private_html.


Justin

 

Assumptions

 

1) Your shop is in root

2) Your cert has been issued to mydomain.com WITHOUT the www.

 

The SSL relevant part of your includes/configure.php should look something like

 

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://www.mydomain.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://mydomain.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.mydomain.com');
define('HTTPS_COOKIE_DOMAIN', 'mydomain.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');

 

The SSL relevant part of your admin/includes/configure.php should look something like

 

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://www.forherlingerie.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'http://www.forherlingerie.com');
define('HTTPS_CATALOG_SERVER', 'https://forherlingerie.com');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

Charles



Hi,

 

I'm very new to OS Commerce, so forgive me if this is a truly stupid question.

 

I have a site working with no SSL, and have now taken a section on a shared SSL server. I have changed the config file, and at checkout the browser jumps to this location, but I can't find for the life of me what files I need to upload to the secure server. I assume it's all the checkout files, but then I need a load of includes as well. Is there a list of required files that I should put there?

 

Or am I asking a stupid question??

 

Thanks in advance.

 

Steve

 

What is (or Isn't) SSL ?

 

SSL stands for Secure Sockets Layer. This is technology derived in part from the military that encrypts data transfers across the internet. There are several flavours of SSL, but the most prevalent one today is 128-bit encryption; watch out, though, 256-bit encryption is on its way!

 

For an e-trader, SSL encryption protects your customers' transaction details as they are passed back and forth between their browser and your server/domain. The data encryption happens at one end using a key and is deciphered at the other end using an equivalent key. The permutations for how data can be encrypted are astronomical, making it virtually theft- and interference-proof during transit.

 

SSL DOES NOT PROTECT your server from attacks, nor your admin or catalog from malicious hacks. In order to protect your server and files you need to use facilities such as firewalls, virus checkers, Apache and IIS user and password protection for directories and files.

 

Why Do I Need SSL ?

 

You need SSL if you are selling to the public for two very good reasons.

 

1) Your customers expect it - As surfers become more sophisticated they look at your site and want to make sure their details will be safe should they order products. SSL seals are a part, but a big part, of that reassurance process. If the choice between two sites comes down to which offers transaction security, do you want to be the site that misses out?

 

2) Even if you have unsophisticated customers who do not look for SSL encryption before they buy - if the data they send you is intercepted and misused, you could end up facing heavy lawsuits for, amongst many other things, negligence. This is a small possibility, but do you want to take the risk?

 

How Does SSL Work With OsCommerce ?

 

The workings of SSL with osCommerce are quite straightforward.

Once your SSL is installed - see sections below, you set the configuration paths for https:// in catalog/includes/configure.php and admin/includes/configure.php, enable SSL and the code takes care of the rest.

 

If you look through the code you will see example after example of statements that refer to SSL where osC is making a decision based on request type as to whether to display the secured or non secured pages.

 

In short, neither you nor your customers have to type https:// into the address line to get to secure pages. osCommerce will identify from the configuration whether SSL is installed and direct browsers to the correct page depending on what the browser is doing on your site.

 

How Do I Get SSL ?

 

1) Surf and find a certificate issuer you feel happy with, where you buy your SSL certificate for a period of time (1 year, 2 years, etc.)

 

Things to look out for are

 

a) They own or have a trusted root in most browsers.

 

All browsers come pre-installed with so called Trusted roots.

 

These prevent Joe Shmoe and his cousin Joe Bloggs from issuing worthless certificates that cannot do the encrypting to unsuspecting buyers.

 

To see trusted roots if you use IE go to Internet Options under tools and select the content tab where you will see in the middle section all the trusted root certs installed on IE and their issuers.

 

b) If they don't have a trusted root in most browsers, make sure they have a cert known as a chaining cert that links whatever they sell to you with a trusted root.

 

What is the difference -

 

Trusted root sellers are EXPENSIVE and very well recognised brands.

 

Chaining certs are affordable - They are still 128 bit encryption hence no less secure - but the brands are less well known.

 

2) Get your host to raise a CSR (Certificate Signing Request) - To do this the host will need certain information from you, especially if they are not also your registrar, such as your domain's registered administrator. This info will be required by the SSL issuer. Along with the CSR they also generate a key that will be used to encrypt and decipher data transmissions from your server/domain.

 

Things to look out for are

 

Your certificate will encrypt data in a very precise way - if the cert is issued to www.yourdomain.com it will NOT encrypt transfers between yourdomain.com and browsers and vice versa.

 

So make sure you instruct your host to get the CSR raised with the correct AND full name of the domain you want to be encrypted.

 

I normally use the domain name without the www. qualifier because servers for a number of reasons can strip the www. off, but I have yet to see a server add it on without a deliberate redirect.

 

3) Send the CSR to your cert issuer who will vet the details and write to the administrator noted when the CSR was raised.

 

4) Assuming you are the administrator of your domain - you will have to acknowledge the mail from the issuer and OK the SSL.

 

5) The issuer will raise a SSL cert and send it to you. If you are using a chaining issuer they will also send a chain certificate.

 

6) Send these to your host, who will install them as follows:

a) The SSL cert will be installed in a directory on your server along with the chaining certificate if applicable.

b) They will also install the key they generated in step 2 above.

c) They will then add certain statements known as directives to your Apache configure files. These tell Apache that the site has SSL encryption certification.

 

Making SSL Work With The Catalog and Admin

 

In order to make SSL work with osCommerce you need to set the correct configuration paths in

 

a) catalog/includes/configure.php

 

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
  define('HTTP_SERVER', 'http://www.yourdomain.com'); // eg, http://localhost - should not be empty for productive servers
  define('HTTPS_SERVER', 'https://yourdomain.com'); // eg, https://localhost - should not be empty for productive servers
  define('ENABLE_SSL', true); // secure webserver for checkout procedure?
  define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');
  define('HTTPS_COOKIE_DOMAIN', 'yourdomain.com');
  define('HTTP_COOKIE_PATH', '/catalog/');
  define('HTTPS_COOKIE_PATH', '/catalog/');
  define('DIR_WS_HTTP_CATALOG', '/catalog/');
  define('DIR_WS_HTTPS_CATALOG', '/catalog/');

 

b ) admin/includes/configure.php

 

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
  define('HTTP_SERVER', 'http://www.yourdomain.com'); // eg, http://localhost - should not be empty for productive servers
  define('HTTP_CATALOG_SERVER', 'http://www.yourdomain.com');
  define('HTTPS_CATALOG_SERVER', 'https://yourdomain.com');
  define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

* Note the assumptions above: the certificate was issued WITHOUT the www. qualifier, and this shop is installed in a catalog directory ONE level below root.

 

In normal working - these changes above will result in a small padlock being shown in the bottom right of your browser status bar when you navigate to a secure page AND your address line will show the https:// URL instead of http://

 

Trouble Shooting

 

1) Security Alert

 

The alert box says info you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.

 

The box has 3 levels of alert

 

a) The certificate is from a trusted certifying authority - a green tick for good or a red cross for bad will show

b) The security certificate date is valid - a green tick for good or a red cross for bad will show

c) The name on the security certificate is invalid or does not match the name of the site - a green tick for good or a red cross for bad will show

 

If the problem is a) then you need to take account of How Do I Get SSL point 1 above!

If the problem is b) you need to extend the certificate's validity - refer to the issuer.

If the problem is c) your certificate has probably been issued with or without the www. and you have used the other spelling in your configure files. Make sure the cert name as issued is used in the configure.php files. (See How Do I Get SSL point 2 above)

 

2) This page has both secure and insecure items

 

This alert appears if the secured page the browser is trying to show has objects or references that point to non secured domains.

 

So for instance if you had a graphical image of credit cards as processed by your gateway and say you were hotlinking to the images with a piece of code such as <img src="http://mycreditcardprocessor.com.....> That image is not on your encrypted domain hence the alert would show.

 

Often this problem will appear from one or more of three sources

 

a) Where you are hotlinking images for your products from the wholesalers server

b) objects in your footer

c) objects in your boxes in the columns

 

3) Page 404 (unavailable)

 

If you set your site up and during install you chose SSL security WITHOUT having done the stuff in here, you may get 404s when you try to access secured pages.

 

Wrapping Up

 

1) Self issued certificates

 

Some people have dedicated servers, and even on some shared servers you can raise a self-issued SSL certificate. This does everything as above except that the certificate root does not exist in browsers. Therefore your site may be secure (although I do not profess to know if self-issued certificates offer 128-bit encryption), BUT your site visitors will ALWAYS get the alert in Trouble Shooting point 1.

 

Even though the alert says the site is safe, this is perhaps worse than not having a certificate as it alerts people to the fact that there is a problem with the certificate - and people do not like problems !!!

 

2) Shared SSL certificates

 

Talk to your host for the path you need to apply in your configure.php paths

 

Charles

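A configuration consistency checker for the settings in the guide above, added here as an example; it is not osCommerce code and not from anyone in this thread. It parses the define() lines of both configure.php files (the file contents at the bottom are constructed samples modelled on the guide's example and on the broken variants reported in the thread), takes the name the certificate was issued to as an argument, and reports the mismatches the thread keeps hitting: an HTTPS_SERVER host that differs from the certificate name (Trouble Shooting point 1c), a cookie domain or path that does not cover the https host or the DIR_WS_*_CATALOG path (the browser drops the session cookie and the shop logs you out), ENABLE_SSL left off, and an admin HTTP_SERVER still on http:// (the fix one poster reports further down). The function names and the finding codes are my own; nothing here contacts the server.

```python
"""Consistency checks for the SSL define()s in osCommerce's includes/configure.php
and admin/includes/configure.php. Added example, not osCommerce code; the
certificate name is supplied by hand and the configure.php samples are constructed."""
import re
from urllib.parse import urlparse

# define('NAME', 'value');  or  define('NAME', true|false);
DEFINE_RE = re.compile(r"define\('(\w+)',\s*(?:'([^']*)'|(true|false))\)")

def parse_defines(php_text):
    """Return {NAME: value}; PHP booleans become bools, quoted values stay strings."""
    cfg = {}
    for name, quoted, word in DEFINE_RE.findall(php_text):
        cfg[name] = (word == 'true') if word else quoted
    return cfg

def is_true(value):
    """The catalog file uses the bool true, the admin file the string 'true'."""
    return value is True or (isinstance(value, str) and value.lower() == 'true')

def cookie_domain_covers(cookie_domain, host):
    """Browsers accept a cookie domain that equals the host or is a parent of it."""
    cd, host = cookie_domain.lstrip('.').lower(), host.lower()
    return bool(cd) and (host == cd or host.endswith('.' + cd))

def cookie_path_covers(cookie_path, ws_path):
    """The session cookie is only sent back for URLs under cookie_path."""
    return bool(cookie_path) and ws_path.startswith(cookie_path)

def check_catalog(cfg, cert_name):
    """Findings for includes/configure.php as (code, message) tuples."""
    found = []
    servers = {p: urlparse(cfg.get(p + '_SERVER', '')) for p in ('HTTP', 'HTTPS')}
    https = servers['HTTPS']
    if https.scheme != 'https' or not https.hostname:
        found.append(('https-scheme', 'HTTPS_SERVER must be an https:// URL'))
    elif https.hostname != cert_name:  # Trouble Shooting 1c: name-mismatch alert
        found.append(('cert-name', 'HTTPS_SERVER host %s != certificate name %s' % (https.hostname, cert_name)))
    if not is_true(cfg.get('ENABLE_SSL')):
        found.append(('ssl-off', 'ENABLE_SSL is not true; checkout stays on http://'))
    for p, parsed in servers.items():  # cookie settings that make the shop drop the session
        domain, path = cfg.get(p + '_COOKIE_DOMAIN', ''), cfg.get(p + '_COOKIE_PATH', '')
        ws = cfg.get('DIR_WS_%s_CATALOG' % p, '')
        if parsed.hostname and not cookie_domain_covers(domain, parsed.hostname):
            found.append((p.lower() + '-cookie-domain', '%s_COOKIE_DOMAIN %r rejected for host %s' % (p, domain, parsed.hostname)))
        if not cookie_path_covers(path, ws):
            found.append((p.lower() + '-cookie-path', '%s_COOKIE_PATH %r does not cover shop path %r' % (p, path, ws)))
    return found

def check_admin(cfg, cert_name):
    """Findings for admin/includes/configure.php."""
    found = []
    if urlparse(cfg.get('HTTP_SERVER', '')).scheme != 'https':  # the fix reported later in the thread
        found.append(('admin-plain-http', 'admin HTTP_SERVER is not https://; admin pages go in the clear'))
    cat = urlparse(cfg.get('HTTPS_CATALOG_SERVER', ''))
    if cat.scheme != 'https' or not cat.hostname:
        found.append(('https-scheme', 'HTTPS_CATALOG_SERVER must be an https:// URL'))
    elif cat.hostname != cert_name:
        found.append(('cert-name', 'HTTPS_CATALOG_SERVER host %s != certificate name %s' % (cat.hostname, cert_name)))
    if not is_true(cfg.get('ENABLE_SSL_CATALOG')):
        found.append(('ssl-off', 'ENABLE_SSL_CATALOG is not true'))
    return found

# Constructed samples: the guide's catalog settings (cert issued to yourdomain.com,
# shop in /catalog/) and a broken variant with the mistakes the thread describes.
GOOD_CATALOG = """
  define('HTTP_SERVER', 'http://www.yourdomain.com');
  define('HTTPS_SERVER', 'https://yourdomain.com');
  define('ENABLE_SSL', true); // secure webserver for checkout procedure?
  define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');
  define('HTTPS_COOKIE_DOMAIN', 'yourdomain.com');
  define('HTTP_COOKIE_PATH', '/catalog/');
  define('HTTPS_COOKIE_PATH', '/catalog/');
  define('DIR_WS_HTTP_CATALOG', '/catalog/');
  define('DIR_WS_HTTPS_CATALOG', '/catalog/');
"""
BAD_CATALOG = """
  define('HTTP_SERVER', 'http://www.yourdomain.com');
  define('HTTPS_SERVER', 'https://www.yourdomain.com'); // cert was issued without www.
  define('ENABLE_SSL', false);
  define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');
  define('HTTPS_COOKIE_DOMAIN', 'yourdomain.com');
  define('HTTP_COOKIE_PATH', '/catalog/'); // shop moved to root, cookie paths not updated
  define('HTTPS_COOKIE_PATH', '/catalog/');
  define('DIR_WS_HTTP_CATALOG', '/');
  define('DIR_WS_HTTPS_CATALOG', '/');
"""
GOOD_ADMIN = """
  define('HTTP_SERVER', 'https://yourdomain.com');
  define('HTTPS_CATALOG_SERVER', 'https://yourdomain.com');
  define('ENABLE_SSL_CATALOG', 'true');
"""

if __name__ == '__main__':
    for label, text, check in (('catalog (guide)', GOOD_CATALOG, check_catalog),
                               ('catalog (broken)', BAD_CATALOG, check_catalog),
                               ('admin', GOOD_ADMIN, check_admin)):
        findings = check(parse_defines(text), 'yourdomain.com')
        print(label + ':', 'OK' if not findings else '')
        for code, msg in findings:
            print('  [%s] %s' % (code, msg))
```

To run it against a live shop, read the two files instead of the samples, e.g. check_catalog(parse_defines(open('includes/configure.php').read()), 'yourdomain.com'), passing the exact name from the certificate (for a shared SSL setup that is the host's shared name, such as id100.securedata.net in the first post). The cookie-domain test is deliberately not strict equality: a cookie domain of yourdomain.com is valid for www.yourdomain.com, but the reverse is rejected by the browser, which is the case that silently drops the session.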

Hello,

 

I just had my SSL installed. I modified both configure.php files, on catalog as well as admin, as instructed. The catalog side works perfectly, but the admin side doesn't seem to work properly. Whenever I log on to admin, the URL doesn't switch to https and I don't see the padlock appear in the lower right corner of my browser. However, the lower left corner of the admin menu displays: "You are protected by a 256-bit secure SSL connection". Am I doing anything wrong here?

 

Below is my configure.php under \admin\

Released under the GNU General Public License
*/

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://www.myserver.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'http://www.myserver.com');
define('HTTPS_CATALOG_SERVER', 'https://www.myserver.com');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', '/home/public_html/'); // where the pages are located on the server
define('DIR_WS_ADMIN', '/admin/'); // absolute path required
define('DIR_FS_ADMIN', '/home/public_html/admin/'); // absolute path required
define('DIR_WS_CATALOG', '/'); // absolute path required
define('DIR_FS_CATALOG', '/home/public_html/'); // absolute path required
define('DIR_WS_IMAGES', 'images/');

Well, it turned out that the line

define('HTTP_SERVER', 'http://www.myserver.com'); // eg,

has to be

define('HTTP_SERVER', 'https://www.myserver.com'); // eg,

in order for the admin catalog to be secured.

Share this post


Link to post
Share on other sites

I actually have several questions, here is some base information:

 

I have all my info and catalog stored on a server that my friend owns and then a dummy url that redirects to this server.

The server I am on is not shared, if anyone else wants some room then they just get a folder on it. I have the root index.

My server's IP is Dynamic and can not be upgraded to Static.

All my payments will either be BidPay, MO, or Paypal, so the SSL is only protecting name and address data.

 

1. Do I need to purchase 2 separate SSL certs, one for each URL?

 

2. I have heard that only the top 10 or so major cert providers actually work fully, because all browsers have their root files installed. These seem to all be extremely expensive. Which cert provider do you suggest? I am willing to spend money, just not more than $100 a year.

 

3. Can I even get the guaranteed fewest warning popups with a Dynamic IP?

 

Do any of my questions make sense? I have spent a few days researching and I apologize if any of this sounds choppy. I am sure that i will think of more questions later.

 

Thanks =)

1) Yes, if the two are totally different domains - certs will encrypt single domains only (wildcard certs will also encrypt sub domains)

 

2) You have heard wrong - there are many chained cert issuers who work seamlessly with osC. I am not allowed to post commercial stuff here - PM me if you want the name of the issuer I use

 

3) You need a static IP address on a shared server - on a dedicated server if you only have one hosted domain you can have a dynamic IP for that domain and SSL will work - after the first one all other domains hosted on the server will require their own static IP address

 

Questions for you

 

1) why are you hosting on one server and re-directing to a dedicated - why not do it all on the dedicated server ?

2) Your dedicated server provider should be able to sell you a static IP address - most will offer a number of static addresses as part of the bundle

 

Charles


Thank you SO much, this information helped a lot! Both of your questions are going to be answered in a PM rather than here. It's a semi-long story and I don't want to share it with the whole board.

Niki


So I have to purchase an ssl certificate, install it on my hosting server then change the ssl code to "true" correct?

 

 

Thanks in advance

osfalcon

 

 

What is (or Isn't) SSL ?

 

SSL stands for Secure Sockets Layer. This is technology derived in part from the military that encrypts data transfers across the internet. There are several flavours of SSL but the most prevalent one today is 128 bit encryption, but watch out 256 bit encryption is on it's way !

 

For an e-trader, SSL encryption protects your customers transaction details as they are passed back and forth between their browser and your server \ domain. The data encryption happens at one end using a key and is deciphered at the other end using an equivalent key. The permutations for how data can be encrypted are astronomical making it virtually theft and interference proof during transit.

 

SSL DOES NOT PROTECT your server from attacks, nor your admin or catalog from malicious hacks. In order to protect your server and files you need to use facilities such as firewalls, virus checkers, Apache and IIS user and password protection for directories and files.

 

Why Do I Need SSL ?

 

You need SSL if you are selling to the public for two very good reasons.

 

1) Your customers expect it - As surfers become more sophisticated they look at your site and want to make sure their details will be safe should they order products. SSL seals are part - but a big part - in that re-assurance process. If the choice between two sites comes down to which offers transaction security - do you want to be the site that misses out ?

 

2) Even if you have unsophisticated customers who do not look for SSL encryption before they buy - if the data they send you is intercepted and misused - you could land up being in heavy lawsuits for amongst many other things negligence. This is a small possibility - but do you want to take the risk ?

 

How Does SSL Work With OsCommerce ?

 

The workings of SSL with osCommerce are quite straightforward.

Once your SSL is installed - see sections below, you set the configuration paths for https:// in catalog/includes/configure.php and admin/includes/configure.php, enable SSL and the code takes care of the rest.

 

If you look through the code you will see example after example of statements that refer to SSL where osC is making a decision based on request type as to whether to display the secured or non secured pages.

 

In short neither you nor your customers has to type in https:// into the address line to get to secure pages. osCommerce will identify from the configuration if SSL is installed and direct browsers to the correct page depending on what the browser is doing on your site.

 

How Do I Get SSL ?

 

1) Surf and find a Certificate issuer you feel happy with where you buy your SSL cerificate for a period of time 1 year, 2 year etc etc)

 

Things to look out for are

 

a) They own or have a trusted root in most browsers.

 

All browsers come pre-installed with so called Trusted roots.

 

These prevent Joe Shmoe and his cousin Joe Bloggs from issuing worthless certificates that cannot do the encrypting to unsuspecting buyers.

 

To see trusted roots if you use IE go to Internet Options under tools and select the content tab where you will see in the middle section all the trusted root certs installed on IE and their issuers.

 

b ) If they don't have a trusted root in most browsers make sure they have a cert known as a chaining cert that links whatever they sell to you with a trusted root.

 

What is the difference -

 

Trusted root sellers are EXPENSIVE and very well recognised brands.

 

Chaining certs are affordable - They are still 128 bit encryption hence no less secure - but the brands are less well known.

 

2) Get your host to raise a CSR (Certificate Signing request) - To do this the host will need certain information from you, especially if they are not also your registrar. Such info will be your domains registered admistrator. This info will be required by the SSL issuer. Along with the CSR they also generate a key that will be used to encrypt and decipher data transmissions from your server \ domain. -

 

Things to look out for are

 

Your certificate will encrypt data in a very precise way - if the cert is issued to www.yourdomain.com it will NOT encrypt transfers between yourdomain.com and browsers and vice versa.

 

So make sure you instruct your host to get the CSR raised with the correct AND full name of the domain you want to be encrypted.

 

I normally use the domain name without the www. qualifier because servers for a number of reasons can strip the www. off, but I have yet to see a server add it on without a deliberate redirect.

 

3) Send the CSR to your cert issuer who will vet the details and write to the administrator noted when the CSR was raised.

 

4) Assuming you are the administrator of your domain - you will have to acknowledge the mail from the issuer and OK the SSL.

 

5) The issuer will raise a SSL cert and send it to you. If you are using a chaining issuer they will also send a chain certificate.

 

6) Send these to your host who will install as follows :

a) The SSL cert will be installed in a directory on your server along with the chaining certificate if applicable.

b ) They will also instal the key they generated in step 2 above.

c) They will then add certain statements known as directives to your Apache configure files. These tell Apache that the site has SSL encryption certification.

 

Making SSL Work With The Catalog and Admin

 

In order to make SSL work with osCommerce you need to set the correct configuration paths in

 

a) catalog/includes/configure.php

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

  define('HTTP_SERVER', 'http://www.yourdomain.com'); // eg, http://localhost - should not be empty for productive servers

  define('HTTPS_SERVER', 'https://yourdomain.com'); // eg, https://localhost - should not be empty for productive servers

  define('ENABLE_SSL', true); // secure webserver for checkout procedure?

  define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');

  define('HTTPS_COOKIE_DOMAIN', 'yourdomain.com');

  define('HTTP_COOKIE_PATH', '/catalog/');

  define('HTTPS_COOKIE_PATH', '/catalog/');

  define('DIR_WS_HTTP_CATALOG', '/catalog/');

  define('DIR_WS_HTTPS_CATALOG', '/catalog/');

 

b ) admin/includes/configure.php

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

  define('HTTP_SERVER', 'http://www.yourdomain.com'); // eg, http://localhost - should not be empty for productive servers

  define('HTTP_CATALOG_SERVER', 'http://www.yourdomain.com');

  define('HTTPS_CATALOG_SERVER', 'https://yourdomain.com');

  define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

* Note the assumptions above - The certificate was issued WITHOUT the www. qualifier and this shop is installed in Catalog directory ONE level below root.

 

In normal working - these changes above will result in a small padlock being shown in the bottom right of your browser status bar when you navigate to a secure page AND your address line will show the https:// URL instead of http://

 

Trouble Shooting

 

1) Security Alert

 

The alert box says info you exchange with this site cannot be viewed or changed by others. However there is a problem with the sites security certificate.

 

The box has 3 levels of alert

 

a) The certificate is from a trusted certifying authority - Green tick for good or Red cross for bad will show

b ) The security certificate date is valid - Green tick for good or Red cross for bad will show

c) The name on the security certificate is invalid or does not match the name of the site - Green tick for good or Red cross for bad will show

 

If the problem is a) then you need to take account of How Do I Get SSL point 1 above !

If the problem is b) you need to extend the certificate's validity - refer to the issuer.

If the problem is c) your certificate has probably been issued with or without the www. and you have used the other spelling in your configure files. Make sure the cert name as issued is used in the configure.php files. (See How Do I Get SSL point 2 above)

 

2) This page has both secure and insecure items

 

This alert appears if the secured page the browser is trying to show has objects or references that point to non secured domains.

 

So for instance, if you had a graphical image of credit cards as processed by your gateway, and say you were hotlinking to the images with a piece of code such as <img src="http://mycreditcardprocessor.com.....>, that image is not on your encrypted domain, hence the alert would show.

 

Often this problem will appear from one or more of three sources:

 

a) Where you are hotlinking images for your products from the wholesalers server

b) objects in your footer

c) objects in your boxes in the columns

 

3) Page 404 (unavailable)

 

If you set your site up and during install you chose SSL security WITHOUT having done the stuff in here, you may get 404s when you try to access secured pages.

 

Wrapping Up

 

1) Self issued certificates

 

Some people have dedicated servers, and even on some shared servers you can raise a self issued SSL certificate. This does everything as above except the certificate root does not exist in browsers. Therefore your site may be secure (although I do not profess to know if self certificates offer 128 bit encryption), BUT your site visitors will ALWAYS get the alert in Trouble Shooting point 1.

 

Even though the alert says the site is safe, this is perhaps worse than not having a certificate, as it alerts people to the fact that there is a problem with the certificate - and people do not like problems !!!

 

2) Shared SSL certificates

 

Talk to your host for the path you need to apply in your configure.php paths.

 

Charles


So I have to purchase an SSL certificate, install it on my hosting server, then change the SSL code to "true", correct?

 

 

Thanks in advance

osfalcon


Hi there,

 

I've got 2 sites in progress, and both sites are having the same problem with SSL.

 

The catalog is working fine, with all the account parts secure. HOWEVER, the admin is not. All the https settings seem to be correct... any thoughts?

 

catalog/admin/includes/configure.php

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://funaticalcomau.ozstaging.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTP_CATALOG_SERVER', 'http://funaticalcomau.ozstaging.com');

define('HTTPS_CATALOG_SERVER', 'https://secure16.ozhosting.com/funatical/');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

catalog/includes/configure.php

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://funaticalcomau.ozstaging.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://secure16.ozhosting.com/funatical/'); // eg, https://localhost - should not be empty for productive servers

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'funaticalcomau.ozstaging.com');

define('HTTPS_COOKIE_DOMAIN', 'funaticalcomau.ozstaging.com');

define('HTTP_COOKIE_PATH', '/catalog/');

define('HTTPS_COOKIE_PATH', '/catalog/');

define('DIR_WS_HTTP_CATALOG', '/catalog/');

define('DIR_WS_HTTPS_CATALOG', '/catalog/');

 

Cheers,

Tim


Change the top HTTP server setting

 

define('HTTP_SERVER', 'http://funaticalcomau.ozstaging.com');

to

define('HTTP_SERVER', 'https://secure16.ozhosting.com/funatical');


John Oligario

 

Knowledge Base Contributions

Change the top HTTP server setting

 

define('HTTP_SERVER', 'http://funaticalcomau.ozstaging.com');

to

define('HTTP_SERVER', 'https://secure16.ozhosting.com/funatical');

 

Did that - no change... catalog/admin/includes/configure.php now reads:

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://funaticalcomau.ozstaging.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTP_CATALOG_SERVER', 'https://secure16.ozhosting.com/funatical');

define('HTTPS_CATALOG_SERVER', 'https://secure16.ozhosting.com/funatical/');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module


define('HTTP_SERVER', 'http://funaticalcomau.ozstaging.com'); // eg, http://localhost - should not be empty for productive servers

 

It's the first line that you need to change (^), the HTTPS server, not the second HTTP line.


I guess I better add this tip here, it's the logical place after all.

 

This is for people who are having trouble getting SSL to work, especially shared SSL. The way I've written it is oriented towards a 1&1 server, but its use is general and applies to all servers. It's all about setting line 41 in application_top.php for those cases where the standard query does not work.

 

This is line 41:

 

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

Now that's a very narrow test, and lots of servers won't respond with 'on' (or at all) to that. So the trick is to find out how the server does respond.

 

Create a little file, I named it myenv.php, with these lines:

 

<?php
 // Each line prints one server variable; the numbers referred to below
 // are the line positions in this list (1 = HTTP HOST ... 6 = Forwarded By).
 echo 'HTTP HOST: ' . getenv('HTTP_HOST');   // getenv() instead of the old $HTTP_HOST global
 echo '<br>Server Port: ' . getenv('SERVER_PORT');
 echo '<br>SSL Status: ' . getenv('HTTPS');
 echo '<br>Fowarded Server: ' . getenv('HTTP_X_FORWARDED_SERVER');
 echo '<br>Fowarded Host: ' . getenv('HTTP_X_FORWARDED_HOST');
 echo '<br>Fowarded By: ' . getenv('HTTP_X_FORWARDED_BY');
?>

 

If you put that somewhere on the server, probably the root, and run it like so:

 

https://ssl.shared.com/mydomain.com/myenv.php you'll be able to see how the server responds to these queries. You'll need to change this to fit your situation, but you get the idea.

 

Some dedicated SSLs respond with a 1 instead of 'on' to No. 3, for example.

 

Shared servers may respond differently to 4 & 5, but 1&1 gives the same response to both.

 

Once you know how the server answers these queries you can figure out the best solution for line 41 in application_top.php.

 

If, for example, you have a dedicated SSL and query 3 returns a 1, then you simply change line 41 to:

 

$request_type = (getenv('HTTPS') == '1') ? 'SSL' : 'NONSSL';

 

Frequently on shared servers you'll get no response at all to getenv('HTTPS'). This is where the other responses are useful (and where most people have problems).

 

For example, shared 1&1 returns ssl.perfora.net to queries 4 and 5. So setting line 41 as below does the trick (I'm commenting out the original line for reference).

 

// $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

$request_type = (getenv('HTTP_X_FORWARDED_HOST') == 'ssl.perfora.net') ? 'SSL' : 'NONSSL';

 

Here's another case:

 

The standard SSL port for dedicated SSL is 443 (the standard HTTP port is 80). I've seen dedicated SSL which returns no response for getenv('HTTPS') but does return a 443. In this case you can set line 41, testing for port 443, like so:

 

$request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL';

 

The best way to use the script is to run it in both http and https environments and look at the differences in the responses. You want to pick a response which is unique to SSL (your https connection); it's no use picking something which stays the same in both modes, you want something that makes a switch.


Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)


I guess I should add one more thing. I'm so used to it that I forget that others might not know.

 

How do you know if your SSL is switching on and off as it should? Simple: in source view, near the top of every page you see in your browser, you'll find this line:

 

In http (no ssl engaged, regular pages)

 

<base href="http://www.somedomain.com/catalog/"> (assuming you're using the catalog folder)

 

In https (ssl engaged - my account, checkout, etc.)

 

<base href="https://www.somedomain.com/catalog/">

 

or for shared ssl something like this:

 

<base href="https://ssl.myhost.com/somedomain/catalog/">

 

That's it. That's what line 41 is all about; it sets that line. So when you find a broken padlock or the images aren't loading, that's the first place you need to look. The goal is to get that switching back and forth as you change from http to https and back.


Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)
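An added example (not AlanR's or osCommerce's own code) that folds the tests from the two posts above into one function and shows the <base href> each result would produce. It takes the environment as an array (pass $_SERVER in the real application_top.php) and only honours HTTP_X_FORWARDED_HOST when it matches a host name you list, because that header arrives with the request and can be set by whoever sent it; the host names and paths below are constructed.

```php
<?php
// Added example (not osCommerce's own code). One tolerant replacement for the
// test on line 41 of application_top.php, covering the responses the posts
// above describe: HTTPS=on, HTTPS=1, SERVER_PORT=443 and a proxy's
// HTTP_X_FORWARDED_HOST. $env is passed in (use $_SERVER in the real file).
function detect_request_type(array $env, array $trusted_forwarded_hosts = array())
{
    $https = isset($env['HTTPS']) ? strtolower((string)$env['HTTPS']) : '';
    if ($https === 'on' || $https === '1') {   // Apache mod_ssl, or servers answering 1
        return 'SSL';
    }
    if (isset($env['SERVER_PORT']) && (string)$env['SERVER_PORT'] === '443') {
        return 'SSL';                           // dedicated SSL that leaves HTTPS blank
    }
    // Shared SSL behind a proxy (the 1&1 case). The header is supplied with the
    // request, so accept only the exact host names you configured, nothing else.
    if (isset($env['HTTP_X_FORWARDED_HOST'])
        && in_array($env['HTTP_X_FORWARDED_HOST'], $trusted_forwarded_hosts, true)) {
        return 'SSL';
    }
    return 'NONSSL';
}

// The <base href> value for a request type, built from configure.php settings.
function base_href($request_type, $http_server, $https_server, $ws_http, $ws_https)
{
    return ($request_type === 'SSL') ? $https_server . $ws_https : $http_server . $ws_http;
}

// Constructed environments, one per case discussed in the posts above.
$cases = array(
    'Apache, HTTPS=on'     => array('HTTPS' => 'on', 'SERVER_PORT' => '443'),
    'dedicated, HTTPS=1'   => array('HTTPS' => '1', 'SERVER_PORT' => '443'),
    'dedicated, port only' => array('SERVER_PORT' => '443'),
    'shared, behind proxy' => array('SERVER_PORT' => '80', 'HTTP_X_FORWARDED_HOST' => 'ssl.perfora.net'),
    'header not in list'   => array('SERVER_PORT' => '80', 'HTTP_X_FORWARDED_HOST' => 'other.example'),
    'plain http'           => array('SERVER_PORT' => '80'),
);
foreach ($cases as $name => $env) {
    $type = detect_request_type($env, array('ssl.perfora.net'));
    $href = base_href($type, 'http://www.somedomain.com', 'https://ssl.myhost.com/somedomain',
                      '/catalog/', '/catalog/');
    printf("%-22s %-6s <base href=\"%s\">\n", $name, $type, $href);
}
```

Run it from the command line to see which cases switch to SSL; only the first four should, and the 'header not in list' case stays NONSSL even though a forwarded host is present.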


This post from Alanr should be stickied.

I have searched for hours to find the solution to my no padlock problem.

I had my site showing https but no lock icon.

 

I used the test script myenv.php,

determined SSL was using port 443, changed line 41, and bingo, everything works great on my GoDaddy hosting.

 

Thanks for this great post


Hi there,

Glad to see this topic active and hoping for help, much appreciated. I'm pretty sure my problem is very minor - incorrect paths or something like that. I installed SSL (I'm on a shared server), and it installed fine and now tells me that my SSL url is (actual names omitted) https://myhost.net/my-domain

I logged in to my ftp account and there's a folder called SSL above the WWWROOT (I'm on a Windows server apparently.) Thus I'm presuming that my SSL url, https://myhost.net/my-domain, points to this folder SSL. The thing is, however, my Catalog (for OSCommerce) directory is under WWWROOT.

So to sum that all up, OSCommerce is under www.mydomain.com/Catalog/index.php BUT I think logically SSL is under www.mydomain.com/../SSL, because it's above the www root right?

I don't get how this is going to work, since my https:// url seems to point to a totally different place above the root. Do I need to install OSCommerce twice in the two different locations?

 

My config.php looks like this:

 

// Define the webserver and path parameters

// * DIR_FS_* = C:\Domains\mydomain.org.uk\wwwroot\catalog\

// * DIR_WS_* = http://www.mydomain.org.uk/catalog/

define('HTTP_SERVER', ''); // eg, http://localhost - should not be empty for productive servers (LEFT THIS EMPTY as it screws up the directory structure)

define('HTTPS_SERVER', ' '); // eg, https://localhost - should not be empty for productive servers (LEFT THIS EMPTY as it screws up the directory structure)

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'www.mydomain.com');

define('HTTPS_COOKIE_DOMAIN', 'mydomain.com');

define('HTTP_COOKIE_PATH', '/catalog/');

define('HTTPS_COOKIE_PATH', '/catalog/');

define('DIR_WS_HTTP_CATALOG', 'http://mydomain.com/catalog/');

define('DIR_WS_HTTPS_CATALOG', 'https://myhost.net/mydomain/catalog/');

 

..for this last line, I even tried:

('DIR_WS_HTTPS_CATALOG', 'https://myhost.net/mydomain/../wwwroot/catalog/');, but this just seems to point to myhost.net/wwwroot/catalog, which is incorrect.

 

I don't get it. Please do bear with me as I am relatively new and have searched extensively both on the forums and on the web. Any help MUCH appreciated. Thanks very much. Cheers! :)

Hi there,

          Glad to see this topic active and hoping for help, much appreciated. I'm pretty sure my problem is very minor - incorrect paths or something like that. I installed SSL (I'm on a shared server), and it installed fine and now tells me that my SSL url is (actual names omitted)

 

Please re-post your problem in the installation and configuration forum.

 

See: http://forums.oscommerce.com/index.php?showtopic=30722


Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)


There is another change some people should look into if they're using 1&1 or another service with a proxy server which requires the use of the

 

(getenv('HTTP_X_FORWARDED_HOST')

 

or

 

(getenv('HTTP_X_FORWARDED_BY')

 

tests.

 

See this thread for details:

 

http://forums.oscommerce.com/index.php?showtopic=165296


Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)


Boy did you cross reference this puppy.

 

I might add that I replaced every instance of

getenv('HTTPS') == 'on'

 

with

 

getenv('HTTP_X_FORWARDED_HOST') == 'ssl.perfora.net'

 

I have been struggling to get my login page to work and cleaned up a lot in the process.

 

- did I "OVERKILL" it?

 

You can navigate just fine, but can't login: http://thermalband.com/kewler/catalog/

 

SSL is enabled now

 

I can "get" logged in (when I switch SSL state back and forth), and navigate just fine on my ssl area which is

 

https://ssl.perfora.net/thermalband.com/kewler/catalog/

 

but I can't login

 

Dunno what I did wrong.

 

Kevin

 

 

There is another change some people should look into if they're using 1&1 or another service with a proxy server which requires the use of the

 

(getenv('HTTP_X_FORWARDED_HOST')

 

or

 

(getenv('HTTP_X_FORWARDED_BY')

 

tests.

 

See this thread for details:

 

http://forums.oscommerce.com/index.php?showtopic=165296


Hi

 

A client installed his SSL from godaddy. He uses Linkpoint CC processor. It was working. He asked us to turn on SSL and we did. We changed the config file and the linkpoint URLs and it no longer works.

 

I ran the env.php code from the catalog and got

 

HTTP HOST: xaxe.com

Server Port: 80

SSL Status:

Fowarded Server:

Fowarded Host:

Fowarded By:

 

which all looks particularly "blank" to me, and not what was expected.

 

Any takers?

 

 

thanks


Kym

Projects Director @ ozEworks.com
