This topic is now archived and is closed to further replies.

mondos

SSL missing in admin

Hi people!

I have installed SSL for catalog and for admin, and it is enabled in the configuration files, but in the admin section it happens as follows:

- In the main page of admin I have the "You are protected by a unknown secure SSL connection", so everything seems to work well, BUT

- when I click on any link I always go to a non-SSL page

What is happening? I have SSL set to true in configure.php but it looks like the pages in the admin section don't "take" the https header or something like that.

My store is online and working and it is very important for me to have the security enabled.

Please can someone help me with this?

thanx thanx thanx

mondos

Link to post

Surely there must be a better way to solve the problem?

I have just encountered the same issue and would love to see a better solution than to modify the source code for something as routine as SSL.

Link to post

Okay, I fixed it by changing the HTTP server (not HTTPS) to https://myserver.com.

That secures the whole admin folder.

Don't know if that's the smoothest solution, but other posts seem to indicate such is the case. If I'm wrong, somebody let me know. :)

Link to post

2.2 MS2 Installed from Plesk 7.5.1

I tried this and all links are now secure but I now get this error when I click on "Categories/Products":

Warning: is_dir(): open_basedir restriction in effect. File(/home/httpd/vhosts/mydomain.com/httpdocs/shop/images/) is not within the allowed path(s): (/home/httpd/vhosts/mydomain.com/httpsdocs:/tmp) in /home/httpd/vhosts/mydomain.com/httpsdocs/shop/admin/categories.php on line 326

Error Error: Catalog images directory does not exist: /home/httpd/vhosts/mydomain.com/httpdocs/shop/images/

And just under the "Categories / Products" heading I get this:

Warning: file_exists(): open_basedir restriction in effect. File(/home/httpd/vhosts/mydomain.com/httpdocs/shop/images/travelcarr.gif) is not within the allowed path(s): (/home/httpd/vhosts/mydomain.com/httpsdocs:/tmp) in /home/httpd/vhosts/mydomain.com/httpsdocs/shop/admin/includes/functions/general.php on line 230

Has anyone experienced this? Any ideas on a fix?


Webz -------> @(-_-)@

Link to post

I am also having this problem, I saw below that someone said that they fixed it by fixing the link code in the admin/includes/functions/html_output.php, but there wasn't any more info besides that. I want to have the admin area linked via https, and when I go to https://mysite.ssl.simplenet.com/admin/ the other links on the admin page are not linked via https, they are linked via http:

Can anyone provide some detailed instructions on how to fix this problem?

Thanks...

Link to post

I fixed the problem with the following changes.

in admin/includes/local/configure.php

change
  define('HTTP_SERVER', 'http://www.host.com');
to
  define('HTTP_SERVER', 'https://www.host.com');
  define('HTTPS_SERVER', 'https://www.host.com');

change
  define('ENABLE_SSL', 0);
to
  define('ENABLE_SSL', 1);

in admin/includes/configure.php

change
  define('ENABLE_SSL_CATALOG', 'false'); // secure webserver for catalog module
to
  define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

in catalog/includes/local/configure.php

change
  define('HTTP_SERVER', 'http://www.host.com');
to
  define('HTTP_SERVER', 'https://www.host.com');
  define('HTTPS_SERVER', 'https://www.host.com');

change
  define('ENABLE_SSL', 0);
to
  define('ENABLE_SSL', 1);

in catalog/includes/configure.php

change
  define('ENABLE_SSL', false); // secure webserver for checkout procedure?
to
  define('ENABLE_SSL', true); // secure webserver for checkout procedure?

hope this may help

Link to post

As others have pointed out, the problem is partially in the tep_href_link() function in admin/includes/functions/html_output.php

Specifically, it takes 3 arguments, but many places in the code only provide 2. The 3rd argument ($connection) can be unset, or have the values "SSL" or "NONSSL" and, as you'd expect, control the type of link generated. All well and good, except if an argument isn't specified, the function *defaults* to "NONSSL". *That* is what is causing the problem on the admin page. The main admin links all call this function with no third argument, so it defaults to generating unsecure links. I've fixed my copy with the following change that I hope the devs will see, and incorporate.

bash-2.03$ diff html_output.php html_output.php-FIXED
15c15,19
<   function tep_href_link($page = '', $parameters = '', $connection = 'NONSSL') {
---
>
> // Original:
> //function tep_href_link($page = '', $parameters = '', $connection = 'NONSSL') {
> // Fixed: -JMM
>   function tep_href_link($page = '', $parameters = '', $connection = 'UNSET') {
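Review bot: the new default 'UNSET' on the changed signature is a third, undocumented value for $connection, and the old signature is kept next to it as a commented-out line. A short comment saying that 'UNSET' means "use the scheme of the current request" would help later readers more than the dead code, which the diff itself already records.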
18a23,32
>
> // Begin modified code -JMM
>     if ($connection == 'UNSET') {
>        if (getenv('HTTPS') == 'on')  { // We are loading an SSL page
>           $connection = 'SSL';
>        } else {
>           $connection = 'NONSSL';
>        }
>     }
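Review bot: the test getenv('HTTPS') == 'on' in the added block decides the scheme for every caller that omits $connection, and any value other than 'on' falls through to 'NONSSL'. A server that reports HTTPS with a different non-empty value, or a setup where TLS ends at a proxy in front of PHP, would still get plain http links on a secure page. Consider treating any non-empty value other than 'off' as secure, and falling back to the configured ENABLE_SSL setting when the variable is absent.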

 

This changes the default behavior, when no argument is passed, to be "whatever I was doing when I was called". This seems the most sane choice, while maintaining the coder's ability to "over-ride" that default explicitly.

Which brings me to the next problem. "NONSSL" is handed in as an argument in a bunch of places. These places include the links down the left hand side of the various admin pages. All except "Tools". The problem here is that a store owner, going to their secured admin pages, will "fall out" of SSL by clicking on any of those left hand links even after my suggested above fix BECAUSE THE DEVS EXPLICITLY PASS "NONSSL" as an argument to the tep_href_link() function. I'm tempted to remove that for all of those admin links, since I can think of no reason to force those to be NONSSL, but I don't want to break something. Can someone please tell me why those were explicitly required to not be secure links?

For anyone else who wishes to fix this on their own sites, without throwing the whole store permanently under SSL, here are the files I've found that use the NONSSL token. All of these should be examined, and in conjunction with my fix above, removed if you want to keep the secure/non-secure status of whichever page you are currently on.

bash-2.03$ textsearch NONSSL | cut -f1 -d: | sort | uniq -c
  1 ./admin/cache.php
  1 ./admin/categories.php
  6 ./admin/includes/boxes/catalog.php
  1 ./admin/includes/boxes/configuration.php
  2 ./admin/includes/boxes/customers.php
  3 ./admin/includes/boxes/localization.php
  3 ./admin/includes/boxes/modules.php
  3 ./admin/includes/boxes/reports.php
  5 ./admin/includes/boxes/taxes.php
  2 ./admin/includes/classes/split_page_results.php
  7 ./admin/includes/functions/html_output.php
  3 ./admin/includes/header.php
 15 ./admin/products_attributes.php
  1 ./admin/reviews.php
  4 ./admin/specials.php
  2 ./admin/stats_customers.php
  2 ./admin/stats_products_purchased.php
  2 ./admin/stats_products_viewed.php
  1 ./admin/whos_online.php
  1 ./advanced_search.php
  3 ./advanced_search_result.php
  4 ./includes/application_top.php
  1 ./includes/boxes/manufacturers.php
  1 ./includes/boxes/search.php
  1 ./includes/boxes/tell_a_friend.php
  1 ./includes/functions/general.php
  4 ./includes/functions/html_output.php
  1 ./includes/modules/payment/psigate.php
  1 ./product_info.php
bash-2.03$

Link to post
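An added example, not part of the post above or of osCommerce: a Python audit that goes a step beyond the per-file NONSSL count by classifying every tep_href_link() call by its third argument, so calls that force NONSSL are separated from calls that rely on the function's default. The sample PHP lines, the FILENAME_A..D constants and the path admin/example.php are constructed for illustration.

```python
import re
from collections import Counter

CALL = re.compile(r"\btep_href_link\s*\(")
TOKEN = re.compile(r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|[()\[\],]|[^'"()\[\],]+""", re.S)

def split_args(src, pos):
    """Split a call's top-level arguments; pos is the index just past '('.
    PHP string literals are single tokens, so commas or parens inside them are ignored."""
    args, cur, depth = [], "", 0
    for m in TOKEN.finditer(src, pos):
        tok = m.group()
        if tok in ("(", "["):
            depth += 1
        elif tok in (")", "]"):
            if depth == 0:                  # closing paren of the call itself
                return args + [cur.strip()] if (cur.strip() or args) else []
            depth -= 1
        elif tok == "," and depth == 0:     # separator between arguments
            args, cur = args + [cur.strip()], ""
            continue
        cur += tok
    return None                             # unterminated call

def classify(args):
    """'SSL'/'NONSSL' when forced, 'default' when omitted, else 'dynamic'."""
    if len(args) < 3:
        return "default"
    value = args[2].strip("'\"")
    return value if value in ("SSL", "NONSSL") else "dynamic"

def audit(sources):
    """Map each path to a Counter of how its calls choose the scheme."""
    report = {}
    for path, src in sources.items():
        counts = Counter()
        for m in CALL.finditer(src):
            args = split_args(src, m.end())
            is_def = src[:m.start()].rstrip().endswith("function")
            if args is not None and not is_def:   # skip the definition itself
                counts[classify(args)] += 1
        report[path] = counts
    return report

# Constructed sample lines; FILENAME_A..D are hypothetical constants.
SAMPLE = {
    "admin/includes/boxes/catalog.php":
        "tep_href_link(FILENAME_A, '', 'NONSSL')\n"
        "tep_href_link(FILENAME_B, 'page=' . max(1, $page), 'NONSSL')\n",
    "admin/example.php":
        "tep_href_link(FILENAME_C, 'status=' . $row['id'])\n"
        "tep_href_link(FILENAME_D, '', $request_type)\n",
}

if __name__ == "__main__":
    print({path: dict(counts) for path, counts in audit(SAMPLE).items()})
```

To run it over a real tree, read each .php file into the sources dict; files whose counts include NONSSL are the ones that still drop an admin session out of HTTPS after the default has been changed.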

Leslie - you have the right idea with the 'admin' folder, but you should not do the same with the 'catalog' folder. Putting all of your storefront behind ssl will slow down your whole site - as all pages have to be encrypted before being served up to the customer.

Jesse - I appreciate the time and trouble you went to on this problem - but the simplest fix is the best for newcomers to osCommerce. In admin/includes/configure.php change http://www.yourdomain.com to https://www.yourdomain.com. All sub-folders and pages in the 'admin' section are then run under ssl.

Vger

Link to post

OK, I'm having the same problem - only I don't have a configure.php file in the 'local' folder!

Oh Help :'(

Sara


Sara Fields

Link to post

It worked for me by just changing the following in admin/local/config.php:

change
  define('HTTP_SERVER', 'http://www.host.com');
to
  define('HTTP_SERVER', 'https://www.host.com');

Link to post

I think you need to check your https settings in the /admin/config file

Link to post

We need to have an understanding of what is what, the file is configure.php and it is located in the respective 'includes' directory.

The 'local' directory is for developing locally on your computer so you can do a full test of everything locally prior to sending to the internet without having to change your includes/configure.php files (just have to make sure you don't send the local/configure.php to the net)


John Oligario

 

Knowledge Base Contributions

Link to post

This is just a small issue...but...

I know my admin side is secure even though the lower left hand side of the main administration page still says it is not secure, even though I know it is due to change in configure.php and I am able to see padlock......

...but is this just a flaw, or is it possible to get osC main administration page to actually 'lock' the padlock and say it is protected?

temp1.jpg

Link to post

> It worked for me by just changing the following in admin/local/config.php:
>
> change
>   define('HTTP_SERVER', 'http://www.host.com');
> to
>   define('HTTP_SERVER', 'https://www.host.com');

That seemed to work for me too, I don't mind having all my admin activities under SSL.

BUT: In the catalog pages, the images are not displayed any more.

N.B. I am using an SSL proxy with an SSL address like "ssl.provider.com/catalog//mydomain" which is the SSL equivalent to "www.mydomain.com"

The catalog images get addresses "ssl.provider.com/images/myimage.jpg" (the "mydomain" just went into nirvana. :( )

When I try to fiddle with the setting in define('DIR_FS_CATALOG_IMAGES', by adding "mydomain" I just get "image not available".

Has anyone got the same symptoms and even got a cure?

Thank you!

Michel

Link to post

ssl.provider.com/catalog//mydomain

Well, there's two slashes in there to start with. Make sure that your https server address is https://ssl.provider.com/yourdomain, and then your https path to catalog is /catalog/ Leave the https cookie domain blank.

Vger

Link to post

Oh sorry, the double // was a typo.

I will try your hint with nothing as cookie server

Thanks

Link to post

Ooops! There is no cookie server in configure.php of admin?

michel

Link to post

If you want to protect someone from getting to your admin section...put a password protect on that directory.

Most web hosts have this option to where they will do it for you.

Link to post

> 2.2 MS2 Installed from Plesk 7.5.1
>
> I tried this and all links are now secure but I now get this error when I click on "Categories/Products":
>
> Warning: is_dir(): open_basedir restriction in effect. File(/home/httpd/vhosts/mydomain.com/httpdocs/shop/images/) is not within the allowed path(s): (/home/httpd/vhosts/mydomain.com/httpsdocs:/tmp) in /home/httpd/vhosts/mydomain.com/httpsdocs/shop/admin/categories.php on line 326
>
> Error Error: Catalog images directory does not exist: /home/httpd/vhosts/mydomain.com/httpdocs/shop/images/
>
> And just under the "Categories / Products" heading I get this:
>
> Warning: file_exists(): open_basedir restriction in effect. File(/home/httpd/vhosts/mydomain.com/httpdocs/shop/images/travelcarr.gif) is not within the allowed path(s): (/home/httpd/vhosts/mydomain.com/httpsdocs:/tmp) in /home/httpd/vhosts/mydomain.com/httpsdocs/shop/admin/includes/functions/general.php on line 230
>
> Has anyone experienced this? Any ideas on a fix?

I have the same issue. Unfortunately the default settings - at least in my Plesk setup - serve HTTP and HTTPS docs from 2 different directories. (httpdocs & httpsdocs). I can't see a solution except to change the value for the http server in the config files as suggested here. I'd love to hear a better one though...

Link to post

I've recently purchased an SSL for my website, but after a week of ploughing through the OsC help files can't find anything that tells me actually what to do with it!

Can anyone kindly point me to any resources that take me step by step through the process of integrating an SSL into OsC? I need the Checkout secured, where people are going to be using credit & debit cards.

Thanks.

Mike :D

Link to post

You should check that with your provider, he will give you the instructions to install the certificate. Once installed you just have to adapt the configure.PHP files and fill in the HTTPS domain (which should be the same as your HTTP domain), and set SSL to "true".

Enjoy it, it is surely much easier than using shared SSL.

Link to post

If your hosting setup requires the use of an httpdocs folder and an httpsdocs folder then you need to duplicate all of the httpdocs files in the httpsdocs folder.

Vger

Link to post