
osCommerce

The e-commerce.

SSL, .htaccess and other.


Voland


QUOTE(Vger @ Feb 28 2005, 04:42 PM)

In admin/includes/configure.php you should change the http_server address to the https address also.  Then the message you see will change to 'You are protected by an unknown ssl connection'.  It says this even when a full ssl cert is installed.

 

Vger

 

I have https on both CATALOG_SERVER lines and on the SERVER line in my admin/includes/configure.php. It works fine - I get https in the address bar and the yellow padlock in the status bar in IE6 - while browsing all the admin pages. However, on my admin -> Administration page (first page) in the left bottom corner I still get "You are not protected by a secure SSL connection" with the unlocked padlock icon. I don't know how much I should be concerned about that.

 

admin/includes/configure.php.

define('HTTP_SERVER', 'https://www.myshop.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'https://www.myshop.com');
define('HTTPS_CATALOG_SERVER', 'https://www.myshop.com');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

 

 

My second question is about the SSL in the catalog. As soon as the visitor starts the checkout process the address bar reflects the SSL layer as it should (https) all through the checkout process, no weird errors thank G-d. But there is NO yellow padlock in the status bar. Is that normal?

 

catalog/includes/configure.php.

define('HTTP_SERVER', 'http://www.myshop.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.myshop.com'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.myshop.com');
define('HTTPS_COOKIE_DOMAIN', 'www.myshop.com');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');

 

My shop is not live yet, I actually installed osC just this morning, and am trying to set it up to be ready to accept some real inventory. Took me a big part of the day to get the .htaccess password protection for my admin area right. That is due to the all-hated GoDaddy hosting. I guess I stick with them for the 24-hr phone support, and of course the price. Maybe it's a bad idea anyway ... I used an .htpasswd generator that I found on the web; there were tons of them available so I just chose the one that looked good. My confusion is that if every time it generates a different encrypted character combination for the same password, how does the password resolve into that specific combination entered into the .htpasswd file? I dunno, maybe it's out of the scope of what I'm supposed to understand at this point, I was just curious.

 

Also, when I rename my admin folder... what files hold references to the admin folder so I can update them? (.htaccess is one, I know, since I made it myself :rolleyes:)

People dont change, people realize.



The reason for generating different codes for the same password is what is called the "seed characters"; this seed will change every time you generate code from the password. The seed characters are known as the first two characters in the encoded password and determine the outcome of the password decryption. For further reference take a look at the PHP documentation.

With your admin folder being password protected, I would not go through the trouble of renaming that directory; just make sure you have a "good" password. I just rename the install directory.

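The salt behaviour the reply above describes, as an added example that is not code from osCommerce, from Apache, or from any poster in this thread. It reimplements in Python the "$apr1$" MD5 scheme that Apache's htpasswd -m writes (following the steps of apr_md5_encode()) and the unsalted "{SHA}" scheme, so the same password can be seen producing a different entry for every salt while each entry still verifies, next to the unsalted format, which always yields the same string. The user names, passwords and salts used are made up for the example.

```python
"""Verify Apache .htpasswd entries offline (added example, not osCommerce/Apache code)."""
import base64
import hashlib
import hmac
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> bytes:
    """Apache's to64(): emit `count` characters of 6 bits each, low bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_hash(password: bytes, salt: bytes) -> str:
    """Return '$apr1$<salt>$<22 chars>' the way `htpasswd -m` does."""
    salt = salt[:8]                                   # apr caps the salt at 8 chars
    ctx = hashlib.md5(password + APR1_MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    n = len(password)
    while n > 0:                                      # mix in `alt`, len(password) bytes total
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(password)
    while n:                                          # one byte per bit of len(password)
        ctx.update(b"\x00" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                             # fixed 1000-round stretching loop
        h = hashlib.md5()
        h.update(password if i & 1 else final)
        if i % 3:
            h.update(salt)
        if i % 7:
            h.update(password)
        h.update(final if i & 1 else password)
        final = h.digest()
    out = bytearray()                                 # apr's byte rearrangement before encoding
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (APR1_MAGIC + salt + b"$" + bytes(out)).decode()


def sha_hash(password: bytes) -> str:
    """Apache '{SHA}' format: unsalted base64(SHA-1). Same password, same string."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


def new_salt() -> bytes:
    """Fresh 8-character salt from the htpasswd alphabet (this is the 'seed')."""
    return bytes(secrets.choice(ITOA64) for _ in range(8))


def make_entry(user: str, password: str) -> str:
    """Build one 'user:hash' line; two calls with the same password differ in salt."""
    return f"{user}:{apr1_hash(password.encode(), new_salt())}"


def verify(password: str, stored: str) -> bool:
    """Re-hash the candidate with the salt stored in the entry, then compare."""
    pw = password.encode()
    if stored.startswith("$apr1$"):
        salt = stored.split("$")[2].encode()          # the salt is stored in the clear
        candidate = apr1_hash(pw, salt)
    elif stored.startswith("{SHA}"):
        candidate = sha_hash(pw)
    else:
        raise ValueError("unsupported htpasswd hash format")
    return hmac.compare_digest(candidate, stored)     # constant-time comparison


def check_line(line: str, user: str, password: str) -> bool:
    """Check one 'user:hash' line from .htpasswd against a login attempt."""
    name, _, stored = line.strip().partition(":")
    return name == user and verify(password, stored)
```

verify() never decrypts anything and the stored string cannot be turned back into the password. It reads the salt out of the entry, hashes the candidate with that same salt and compares, which is why a generator can emit a different entry every time and Apache still accepts the password. The {SHA} format shows the downside of omitting the salt: identical passwords produce identical entries, which a leaked .htpasswd file exposes at a glance.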

It's still a good idea to rename your 'admin' folder to something unique. Hackers use quite sophisticated password crackers, but they're no use if they can't find your 'admin' folder.

 

Once you've renamed it you'll need to alter the two references in admin/includes/configure.php from /admin/ to /newname/

 

Vger


Once you've renamed it you'll need to alter the two references in admin/includes/configure.php from /admin/ to /newname/

Vger

 

You mean these 2 right?

 

define('DIR_WS_ADMIN', '/catalog/admin/'); // absolute path required 
define('DIR_FS_ADMIN', '/home/content/u/s/e/username/html/catalog/admin/');

 

So what about my 2 issues with SSL? Can someone help please?

People dont change, people realize.


Yes, I mean those two.

 

For the first of your ssl questions, the answer depends upon whether your site is on an Apache server and how up to date it and MySQL is. If it is up to date (within a year or so) then you can try this in a .htaccess file in your 'admin' folder.

 

SSLRequireSSL

ErrorDocument 403 https://www.yourdomain.com/youradminfolder/

 

This will force any connection to the 'admin' folder to be https and your padlock will then say 'You are protected by an unknown ssl connection'

 

As for your second question - yes there should be a yellow padlock in the bottom address bar - so there's something not right if it's not appearing there.

 

Your configure.php file for the shop front looks to be okay, but can you make sure that enable_ssl is set to true in that file?

 

Vger


... If it is up to date (within a year or so) then you can try this in a .htaccess file in your 'admin' folder.

 

SSLRequireSSL

ErrorDocument 403 https://www.yourdomain.com/youradminfolder/

 

This will force any connection to the 'admin' folder to be https and your padlock will then say 'You are protected by an unknown ssl connection'

Wait, add just the SSLRequireSSL line?

Or the ErrorDocument 403 https://www.yourdomain.com/youradminfolder/ also?

 

As for your second question - yes there should be a yellow padlock in the bottom address bar - so there's something not right if it's not appearing there.

 

Your configure.php file for the shop front looks to be okay, but can you make sure that enable_ssl is set to true in that file?

 

Vger

Yes, of course it is set to "true". Below is the whole file. I'll PM you the link to the store, if you don't mind, so you could see for yourself how it works.

 

<?php
/*
  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2003 osCommerce

  Released under the GNU General Public License
*/

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
  define('HTTP_SERVER', 'http://www.mysite.com'); // eg, http://localhost - should not be empty for productive servers
  define('HTTPS_SERVER', 'https://www.mysite.com'); // eg, https://localhost - should not be empty for productive servers
  define('ENABLE_SSL', true); // secure webserver for checkout procedure?
  define('HTTP_COOKIE_DOMAIN', 'www.mysite.com');
  define('HTTPS_COOKIE_DOMAIN', 'www.mysite.com');
  define('HTTP_COOKIE_PATH', '/catalog/');
  define('HTTPS_COOKIE_PATH', '/catalog/');
  define('DIR_WS_HTTP_CATALOG', '/catalog/');
  define('DIR_WS_HTTPS_CATALOG', '/catalog/');
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

  define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
  define('DIR_FS_CATALOG', '/home/content/u/s/e/username/html/catalog/');
  define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
  define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

// define our database connection
  define('DB_SERVER', 'mysql51.dbserver.net'); // eg, localhost - should not be empty for productive servers
  define('DB_SERVER_USERNAME', 'username');
  define('DB_SERVER_PASSWORD', 'password');
  define('DB_DATABASE', 'dbname');
  define('USE_PCONNECT', 'false'); // use persistent connections?
  define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'
?>

People dont change, people realize.


A little update:

 

In my AOL browser, the SSL padlock is present during the checkout process.

 

Then perhaps it's my IE ... although it displays the SSL padlock in my admin area.

 

Another observation:

 

In IE during login or during checkout, the yellow padlock actually flashes (and disappears). Every time a page is changed during checkout the padlock flashes, but doesn't stay in place. And https is of course present at all times during login and checkout.

People dont change, people realize.


Just a thought about the SSL issue... If you're with GoDaddy and you just added the SSL to your account within the last 3 days... it is not completely set up yet... it will take three days for them to migrate your account to a dedicated IP and install the cert... Even if they tell you the cert is installed, if your account still shows modifications in progress, trust me, it's not done yet...

 

You started your project one day after I started mine and mine still is not completed yet.



Thanks for the concern, but yes I am aware... my static IP took not a minute less than 72 hours to be in effect. Plus the SSL works fine in my admin area. I've been working on this problem with one of the people from this forum all evening yesterday - checked permissions, checked both configure.php files, changed some code, then changed it back - nothing worked - still get no padlock in IE, although it is present in the AOL browser, and of course in all cases I get https. Also other browsers, I was told, present weird behavior, and Opera does not display a padlock either.

 

It was suggested to me that osC is just not 100% compatible with GoDaddy. I am on a quest for another hosting provider - ultimately one that advertises osC as part of their hosting package; that way one can be sure that it will work, you know.

 

Nonetheless, I spoke recently with a person who claimed they successfully installed and configured osC on GoDaddy, even with a few contributions. So who knows. Let me know if you run into a similar problem, or any problem for that matter, with GoDaddy.

 

:)

People dont change, people realize.


Hi,

I think I know the answer to the SSL. I was reading on the GoDaddy certificate pages that if there are any images or files not under the SSL certificate you have to place the files into the SSL file. It's in the FAQs.



Can you post a copy of the .htaccess file?


Make sure that you aren't grabbing anything from a domain other than the secured domain. For example:

 

- you are referencing a JavaScript file located at www.javascriptcentral.com

- you have a Flash file on the page, and it is pulling Flash resources from http://www.macromedia.com/go/getflashplayer

- your designer accidentally has a style sheet linking something like this: FILE://C:/local/www/mycss.css

- you are linking to an image outside your domain (although this will normally give a popup warning)

 

Also remember SSL works for www OR yourdomain.com, not both, unless you get 2 certs.

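A way to run the checklist above mechanically, as an added example that is not code from osCommerce or from the poster: a Python scanner over the HTML of a checkout page that reports every subresource (script, image, stylesheet, frame, object, form action, and url() inside CSS) fetched over something other than https, plus any https resource served by a different host than the page, which matters where that host's certificate does not match, for example a bare myshop.com image when the certificate was issued for www.myshop.com. The sample page is constructed for the example; www.javascriptcentral.com and the macromedia URL are taken from the post, and the myshop.com host names are the placeholder the thread already uses.

```python
"""Mixed-content scanner for an HTTPS checkout page (added example, not osCommerce code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value the browser fetches (or, for form, submits to).
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "link": ("href",),     # over-reports rel=canonical, which is not fetched
    "form": ("action",),
}
# url(...) references inside <style> blocks and style="" attributes
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)""")


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for everything the page would load."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []
        self._in_style = False

    def _add(self, tag, ref):
        # Relative references resolve against the page URL; absolute ones
        # (including file:// and http://) come back from urljoin unchanged.
        self.refs.append((tag, urljoin(self.page_url, ref.strip())))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            if attrs.get(name):
                self._add(tag, attrs[name])
        for ref in CSS_URL.findall(attrs.get("style") or ""):
            self._add(tag, ref)
        self._in_style = tag == "style"

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser hands <style> contents to handle_data as raw text.
        if self._in_style:
            for ref in CSS_URL.findall(data):
                self._add("style", ref)


def find_insecure(html, page_url):
    """Return [(tag, url, kind)]: kind is 'insecure-scheme' for anything not
    loaded over https, 'other-host' for https loads from a host other than
    the page's own (fine only if that host's certificate is valid)."""
    page_host = urlsplit(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    collector.close()
    findings = []
    for tag, url in collector.refs:
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append((tag, url, "insecure-scheme"))
        elif parts.hostname != page_host:
            findings.append((tag, url, "other-host"))
    return findings


# Constructed sample: a checkout page containing the mistakes listed in the post.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/catalog/stylesheet.css">
<script src="http://www.javascriptcentral.com/lib.js"></script>
<style>body { background: url(http://www.myshop.com/images/bg.gif); }</style>
</head><body>
<img src="images/logo.gif">
<img src="file:///C:/local/www/logo.gif">
<img src="https://myshop.com/images/banner.gif">
<object data="http://www.macromedia.com/go/getflashplayer"></object>
<form action="http://www.myshop.com/catalog/checkout_process.php"></form>
</body></html>"""

if __name__ == "__main__":
    page = "https://www.myshop.com/catalog/checkout_shipping.php"
    for tag, url, kind in find_insecure(SAMPLE_PAGE, page):
        print(f"{kind:16} <{tag}> {url}")
```

Run it over the HTML saved from the browser on each checkout step, not just the first one, since the padlock is re-evaluated per page. Everything reported as insecure-scheme is what makes a browser of that era drop the padlock or raise the mixed-content prompt; the other-host entries need checking against the certificate those hosts actually present.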


In reference to the C-Panel on GoDaddy, I sent them a request to see if they can provide a solution for osC and other users that like the C-Panel control. I will post their reply as soon as I get one from them.

 

I am a user of an osCommerce website. In osC there is an admin folder that needs to be secured other than by secretly naming the admin folder or using an htaccess file. Many users on the osC forum are worried that there is a vulnerability in using GoDaddy as a host provider. Please review the forum on GoDaddy.

 

http://www.oscommerce.com/forums/index.php?act...ighlite=godaddy

 

What I am asking is: can GoDaddy add a C-Panel function to help better protect our web pages, so that we can continue to use GoDaddy as a hosting provider? There are many users of osC that would remain users of GoDaddy if you were to do this. Not only would this be more business for GoDaddy, but also for your many resellers that would benefit as well. This is one of the options that I was looking for to become a reseller with GoDaddy. The C-Panel would offer many more choices to the users that use CGI, ASP, PHP and FTP functions.
