
Archived

This topic is now archived and is closed to further replies.

mondos

SSL missing in admin


This is just a small issue...but...

 

I know my admin side is secure even though the lower left hand side of the main administration page still says it is not secure, even though I know it is due to change in configure.php and I am able to see padlock......

 

...but is this just a flaw, or is it possible to get osC main administration page to actually 'lock' the padlock and say it is protected?

 

temp1.jpg

 

Can anyone answer this one???

 

Pete


Hi. Tried the method advised by Rhea, it works. But I have a further question.

Here is my config:

 

HTTP server directory, /home/httpd/vhosts/www.domain.com/httpdocs/

HTTPS server directory, /home/httpd/vhosts/www.domain.com/httpsdocs/

 

In the admin/includes/configure.php file, I have

 

define('HTTP_SERVER', 'https://www.domain.com');

define('DIR_FS_ADMIN', '/home/httpd/vhosts/www.domain.com/httpsdocs/admin/');

 

===

Notice that, I have to point HTTP_SERVER to my SSL server to get SSL support on the admin web site.

 

And then, when I log in to my admin web site using SSL, the tool -> backup database page does not support backup if my file system path is /.../httpdocs, but only /.../httpsdocs.

So I went back and changed DIR_FS_ADMIN. Everything seems to work fine, but I am not sure if it is correct or what the meaning behind it is. And I have the same issue with the cache directory.

 

Please comment.

OK, I'm having the same problem - only I don't have a configure.php file in the 'local' folder!

 

Oh Help :'(

 

Sara

 

I've just had an SSL cert installed and it's playing havoc. I've tried the things mentioned, but I too do not have a config.php file in the includes/local/ directories of either admin or catalog. There is however a readme file that states there needs to be a config.php file and a file called .cvsignore.

So do we have to create a new config.php file in these directories? Anyone have any ideas - did I miss something at the installation for them not to be there?


Hi, You should not have a configure.php file in the local folder. If you have one, delete it.

 

When you say you have had ssl installed - what exactly do you mean? Did you have a full ssl certificate purchased and installed for you? If so, did your hosting company reboot the server afterwards for the installation to be completed?

 

Are you trying to use a shared ssl cert.? If so, do you have the correct pathway as laid down by your hosting company for the use of it?

 

Vger


If your site is on a shared server then set Cache to 'false'. Otherwise you are likely to find other websites 'categories' listed in the left hand column of your website - when those websites also use osCommerce on the same server and work from a common 'tmp' folder.

 

Vger


In admin/includes/configure.php you should change the http_server address to the https address also. Then the message you see will change to 'You are protected by an unknown ssl connection'. It says this even when a full ssl cert is installed.

 

Vger


 

Yes I purchased a full SSL certificate from the hosting company and they installed it for me, I don't know if they rebooted the server or not, and the Certificate isn't shared.

 

I've also tried to go into the configure.php files in both admin/includes and catalog/includes and put in the define('HTTPS_SERVER',......) to my https server. It's just my domain name with the extra 's'. And that seems to work, but then at checkout it says page cannot be displayed and in the address bar the / is missing from after the initial .co.uk, which I thought was weird. If I take the https address out of both of the configure.php files that doesn't happen again. Also if I directly run my website under the https address it changes to default text and removes all the pictures.

post your configure.php without the connection info to the database

 

This is the admin/includes/configure.php

 

<?php
/*
 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2003 osCommerce

 Released under the GNU General Public License
*/

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
 define('HTTP_SERVER', 'http://www.nailartcentral.co.uk'); // eg, http://localhost - should not be empty for productive servers
 define('HTTP_CATALOG_SERVER', 'http://www.nailartcentral.co.uk');
 define('HTTPS_CATALOG_SERVER', 'https://www.nailartcentral.co.uk');
 define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
 define('DIR_FS_DOCUMENT_ROOT', '/home/nailart/public_html/catalog/'); // where the pages are located on the server
 define('DIR_WS_ADMIN', '/catalog/admin/'); // absolute path required
 define('DIR_FS_ADMIN', '/home/nailart/public_html/catalog/admin/'); // absolute path required
 define('DIR_WS_CATALOG', '/catalog/'); // absolute path required
 define('DIR_FS_CATALOG', '/home/nailart/public_html/catalog/'); // absolute path required
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
 define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
 define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
 define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
 define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
 define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

 

 

 

 

And this is the catalog/includes/configure.php

 

<?php
/*
 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2003 osCommerce

 Released under the GNU General Public License
*/

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
 define('HTTP_SERVER', 'http://www.nailartcentral.co.uk'); // eg, http://localhost - should not be empty for productive servers
 define('HTTPS_SERVER', 'https://www.nailartcentral.co.uk'); // eg, https://localhost - should not be empty for productive servers
 define('ENABLE_SSL', true); // secure webserver for checkout procedure?
 define('HTTP_COOKIE_DOMAIN', 'www.nailartcentral.co.uk');
 define('HTTPS_COOKIE_DOMAIN', '');
 define('HTTP_COOKIE_PATH', '/catalog/');
 define('HTTPS_COOKIE_PATH', '');
 define('DIR_WS_HTTP_CATALOG', '/catalog/');
 define('DIR_WS_HTTPS_CATALOG', '');
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
 define('DIR_FS_CATALOG', '/home/nailart/public_html/catalog/');
 define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
 define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

 

 

 

 

Thanks

 

Laura


OK, I seem to have fixed the catalog/includes issues - I'd left some stuff out - I need to pay more attention!!

 

But I still cannot get the admin area secure. The code is as in the above post. If I connect to the admin area with a https://www address it connects to the main page and says I am protected by a secure connection, although thereafter it goes back to the http://www address.

 

Thank you for your help,

 

Laura


 

 

Solved that one now too, things are always easier if you have a coffee break!!


 

 

Hi,

I am having the same issues that you were having and it seems I have a similar setup. I believe my SSL certificate is successfully installed, but I don't know if the hosting company has rebooted the server.

 

When I hit the "checkout" button, it redirects to the https:// site (as it should), but I get a Page Not Found error: "The requested URL /checkout_shipping.php was not found on this server."

 

I also have two directories: httpdocs and httpsdocs. I am copying all the files to the httpsdocs folder to mirror the httpdocs.

 

My question is, how did you fix your problems? I'm new at this, so as much info as possible is greatly appreciated.

 

Here is my include/configure.php:

<?php
/*
 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2003 osCommerce

 Released under the GNU General Public License
*/

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
 define('HTTP_SERVER', 'http://www.metalwarehouse.com'); 
 define('HTTPS_SERVER', 'https://www.metalwarehouse.com/'); 
 define('ENABLE_SSL', true); // secure webserver for checkout procedure?
 define('HTTP_COOKIE_DOMAIN', 'www.metalwarehouse.com');
 define('HTTPS_COOKIE_DOMAIN', 'www.metalwarehouse.com/');
 define('HTTP_COOKIE_PATH', '/');
 define('HTTPS_COOKIE_PATH', '');
 define('DIR_WS_HTTP_CATALOG', '/');
 define('DIR_WS_HTTPS_CATALOG', '');
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
 define('DIR_FS_CATALOG', '/home/httpd/vhosts/metalwarehouse.com/httpdocs/');
 define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
 define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

// define our database connection
 define('DB_SERVER', 'localhost'); // eg, localhost - should not be empty for productive servers
 define('DB_SERVER_USERNAME', '');
 define('DB_SERVER_PASSWORD', '');
 define('DB_DATABASE', '');
 define('USE_PCONNECT', 'false'); // use persistent connections?
 define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'
?>

 

Here is my admin/includes/configure.php:

<?php
/*
 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2003 osCommerce

 Released under the GNU General Public License
*/

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
 define('HTTP_SERVER', 'http://www.metalwarehouse.com'); // eg, http://localhost - should not be empty for productive servers
 define('HTTP_CATALOG_SERVER', 'http://www.metalwarehouse.com');
 define('HTTPS_CATALOG_SERVER', 'https://www.metalwarehouse.com/');
 define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
 define('DIR_FS_DOCUMENT_ROOT', '/home/httpd/vhosts/metalwarehouse.com/httpdocs/'); // where the pages are located on the server
 define('DIR_WS_ADMIN', '/admin/'); // absolute path required
 define('DIR_FS_ADMIN', '/home/httpd/vhosts/metalwarehouse.com/httpdocs/admin/'); // absolute path required
 define('DIR_WS_CATALOG', '/'); // absolute path required
 define('DIR_FS_CATALOG', '/home/httpd/vhosts/metalwarehouse.com/httpdocs/'); // absolute path required
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
 define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
 define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
 define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
 define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
 define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

// define our database connection
 define('DB_SERVER', 'localhost'); // eg, localhost - should not be empty for productive servers
 define('DB_SERVER_USERNAME', ''); //LEFT OUT 
 define('DB_SERVER_PASSWORD', ''); //LEFT OUT
 define('DB_DATABASE', '');
 define('USE_PCONNECT', 'false'); // use persistent connections?
 define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'
?>

 

I would really appreciate any help on this...Thanks in advance!


Why would anyone need SSL on their Admin pages?


Rik Rasmussen


includes/configure.php - changes

 

define('HTTPS_COOKIE_PATH', '/');

define('DIR_WS_HTTPS_CATALOG', '/');

 

admin/includes/configure.php - changes ( to secure all admin behind ssl)

 

define('HTTP_SERVER', 'https://www.metalwarehouse.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTP_CATALOG_SERVER', 'https://www.metalwarehouse.com');

define('HTTPS_CATALOG_SERVER', 'https://www.metalwarehouse.com');

define('DIR_FS_DOCUMENT_ROOT', '/home/httpd/vhosts/metalwarehouse.com/httpsdocs/');

define('DIR_FS_ADMIN', '/home/httpd/vhosts/metalwarehouse.com/httpsdocs/admin/'); // absolute path required

 

 

Vger
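
Added example, not part of any post in this thread and not osCommerce code: a small Python check that reads the define() lines of a configure.php and flags the settings behind the symptoms reported above (the missing '/' after the host at checkout, the admin dropping back to http). It assumes SSL links are built as HTTPS_SERVER + DIR_WS_HTTPS_CATALOG + page; the function names and the host www.example.com are hypothetical, and the sample configs are constructed to mirror the ones posted.

```python
import re
from urllib.parse import urlsplit

# Matches define('NAME', 'value') and define('NAME', true); concatenated values are skipped.
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*(?:'([^']*)'|(\w+))\s*\)")

def parse_defines(php_text):
    """Return {NAME: value} for the simple define() lines of a configure.php."""
    return {name: (bare or quoted) for name, quoted, bare in DEFINE_RE.findall(php_text)}

def ssl_link(cfg, page="checkout_shipping.php"):
    # Assumption: an SSL link is HTTPS_SERVER + DIR_WS_HTTPS_CATALOG + page.
    return cfg.get("HTTPS_SERVER", "") + cfg.get("DIR_WS_HTTPS_CATALOG", "") + page

def audit_catalog(cfg):
    """Findings for the catalog's includes/configure.php."""
    findings = []
    link = urlsplit(ssl_link(cfg))
    if link.scheme != "https":
        findings.append("HTTPS_SERVER is not an https:// URL")
    if not link.path.startswith("/"):
        findings.append("no '/' between host and page in SSL links: " + link.netloc)
    elif "//" in link.path:
        findings.append("doubled '/' in SSL links: " + link.path)
    for https_key, http_key in (("DIR_WS_HTTPS_CATALOG", "DIR_WS_HTTP_CATALOG"),
                                ("HTTPS_COOKIE_PATH", "HTTP_COOKIE_PATH")):
        if cfg.get(http_key) and not cfg.get(https_key):
            findings.append(https_key + " is empty but " + http_key + " is set")
    if "/" in cfg.get("HTTPS_COOKIE_DOMAIN", ""):
        findings.append("HTTPS_COOKIE_DOMAIN must be a bare host name")
    return findings

def audit_admin(cfg):
    """Findings for admin/includes/configure.php."""
    findings = []
    if not cfg.get("HTTP_SERVER", "").startswith("https://"):
        findings.append("admin HTTP_SERVER is not https://, so admin links leave SSL")
    # Host-specific assumption: separate httpdocs/ and httpsdocs/ trees, as in the thread.
    if "/httpdocs/" in cfg.get("DIR_FS_ADMIN", ""):
        findings.append("DIR_FS_ADMIN points at httpdocs/, not the httpsdocs/ tree")
    return findings

# Constructed samples; www.example.com is a placeholder host.
CATALOG_SAMPLE = """
define('HTTP_SERVER', 'http://www.example.com');
define('HTTPS_SERVER', 'https://www.example.com');
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
"""
ADMIN_SAMPLE = """
define('HTTP_SERVER', 'http://www.example.com');
define('DIR_FS_ADMIN', '/home/httpd/vhosts/example.com/httpdocs/admin/');
"""

if __name__ == "__main__":
    found = audit_catalog(parse_defines(CATALOG_SAMPLE)) + audit_admin(parse_defines(ADMIN_SAMPLE))
    for finding in found:
        print("-", finding)
```
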


SSL provides 128 bit encryption of the admin pages and the information drawn into them from the database. Renaming the admin folder is good, password protecting it is good - but the password crackers used by hackers will get through basic passwords within a few minutes. The SSL encryption is one of the major safeguards. It is also used when passing data between various parts of the 'admin' folder.

 

Vger

 


I changed the admin directory name and put all the admin behind ssl using your notes above.

 

Seems to work fine.

 

Thanks Vger


Rik Rasmussen


You can also try this (may not work - depends on server). Place this in a .htaccess file in your newly renamed 'admin' folder and no one will be able to reach your 'admin' via any connection other than https.

 

SSLRequireSSL

ErrorDocument 403 https://www.yourdomain.com/admin/ (obviously substitute 'admin' for new name of folder)

 

Vger


Thanks, worked perfect!

 

I should be locked up pretty well now.

 

Thanks Vger


Rik Rasmussen


 

 

I followed the instructions provided and the SSL works well. But there is still a serious security issue. If I intentionally click on cancel when I am asked to enter the user name and password on the admin page, I am able to go all the way to the file page and modify the code.

It is dangerous! Is there any way to prevent this?

Thanks


Vger or other gurus,

 

I followed your instructions and got my renamed admin secure.

The problem now is that my product pictures don't show when I am in Admin view.

 

I have Ipower as host with shared SSL.

 

The pictures are located but show only frame with an X. (folder /images/)

 

Any clues someone?

 

Regards Crazypilot


Yes, sorry, but this can be a side-effect of completely locking down the 'admin' on a shared server. Whether it happens or not depends upon how your shared ssl pathways are set up. It does no harm, just annoying.

 

Vger


 

 

Ok, seems I solved the "not showing pictures" problem when using shared SSL.

 

As I noted that the picture paths were not SSL, I made the following changes in admin/includes/configure.php

All based on the following shared https address: https://host196.ipowerweb.com/~xxxxxxxxx

 

define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . '~xxxxxxxx/images/'); // to get product pictures

 

define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . '~xxxxxxxx/includes/languages/'); //to get button pictures

 

Changes are in bold.

 

I haven't had time to test run everything, but it seems to work.

 

regards Cp


Anyway, I have edited /admin/includes/configure.php as follows:

----------------------------------

define('HTTP_SERVER', 'https://myserver_name.com');

define('HTTP_CATALOG_SERVER', 'https://myserver_name.com');

define('HTTPS_CATALOG_SERVER', 'https://myserver_name.com');

define('ENABLE_SSL_CATALOG', 'true');

-----------------------------------

 

The other config file, /catalog/includes/configure.php, remains intact because I have already set up ssl for the catalog site before.

 

It works perfectly, except for the front page said "Unknown secured SSL connection".

Because my stupid boss asked me to do so.  Just too ridiculous :D


Hello

 

/catalog/includes/

not sure if this was mentioned but I also had to change

 

/catalog/includes/configure.php

 

define('DIR_WS_HTTPS_CATALOG', ' ');

 

to

 

define('DIR_WS_HTTPS_CATALOG', '/catalog/');

 

using a shared ssl which wasn't displaying images. Which seemed to fix my problem using the info on this post.

I made so many other changes using trial and error that I can't remember what else I did - A combination of the above posts I suppose.

 

Cheers anyway everyone for the info.

 

One more thing, I have my whole site now running under a shared ssl, which is a temp solution. What speed difference do you think we are talking on average this will make to the site?

 

Best Regards

James
