Jump to content

Archived

This topic is now archived and is closed to further replies.

Master One

HELP: SSL-access by a separate folder

Recommended Posts

Yeah... Linux and Windows at the same time... OH and I got APPLE, Solaris, Novell and DOS running on it at the same time :) Don;t you love multitasking ?

 

 

 

 

 

 

 

Sorry.. just had to be a wise ash.

 

 

No guys.. 2 separate platforms.. 2 separate machines....

 

 

Enjoy!

 

Nitchimon


------------------------------------------

Nitchimon

 

Motto for today:

I went to school to become a wit. But I only made it half way.

Share this post


Link to post
Share on other sites

Yeah... Linux and Windows at the same time... OH and I got APPLE, Solaris, Novell and DOS running on it at the same time :) Don't you love multitasking ?

 

 

 

 

 

 

 

Sorry.. just had to be a wise ash.

 

 

No guys.. 2 separate platforms.. 2 separate machines....

 

 

Enjoy!

 

Nitchimon

 

 

EDITED:

Actually you "could" do something like that on one machine IF you are running Linux and a Windows emulator, something like WINE or whatever.... But I think you'd rather go swimming in quicksand instead :) enjoy!

 

weird I tried to edit the previous post and it said "I didn't have permission???" My apologies for a duplicated message....


------------------------------------------

Nitchimon

 

Motto for today:

I went to school to become a wit. But I only made it half way.

Share this post


Link to post
Share on other sites

I know exactly what you mean and there is not an easy solution. You could put everything...yes everything in the SSL folder. Make a auto refresh link from your web address to the ssl folder and that way everything will be found as required.

 

I know what you are thinking....what is the point in getting a domain name of your choice to find that in the real world you would have to use your SSL domain (not decided by you for your web address.

 

Pointless ...is n't it?!

 

But then again...what if you placed only those pages that need the SSL i.e. create_account.php etc in the ssl directory and made sure that the links for all the images etc point toward the normal URL. That way the page is found, the images are found and saints and angels preserve us it might just work.

 

A long way for a short cut but....I have the same problem with a web I'm making for someone and i'll let you know if I succeed.

 

That does n't mean stop searching for a solution because it's really not a solution, just a bit of Scottish trickery!!

 

I'll be back......

Share this post


Link to post
Share on other sites

Well there IS a way to overcome this.....

 

I've done it with a few web sites I've done for clients.

 

You create a 1 file program that calls ALL the files required. It might fool the SSL side into thinking that all of the files and all are actually located locally.

 

Maybe not, now that I think more about it, because all of the graphics will need to be called directly.

 

The redirect will work to suck in the needed programs, BUT the graphics are still going to be called either as local files or from the non-ssl side.

 

 

Yeah, the easiest now that I think more on this woudl be to ONLY have those files needed for the cart alone.

 

oh well.... lets keep thinking about this..... if nothign else, it'll help loosen the moths from the old 'noggin.

 

 

Enjoy!

 

 

Nitchimon


------------------------------------------

Nitchimon

 

Motto for today:

I went to school to become a wit. But I only made it half way.

Share this post


Link to post
Share on other sites

Hey all!

Ok, so i'm going to have the same problem as outlined by this thread!

SSL located on a physically different server.

This server however will have access to the db.

Therefore i need to work out what files have to be duplicated to the secure server catalog folder. :huh:

Has anyone done this, and can tell me what files need to be duplicated? ... OR

Is there a solution yet for this problem? :ph34r:

Share this post


Link to post
Share on other sites

I have a question regarding SSL

 

Our SSL is a shared SSL that uses a pointer, not another folder.

 

Everything seems to work except for any images that are in /includes/languages/foo/images/buttons

 

These images do not appear before or after the customer logs into their account.

 

the error I get is as follows:

 

Script Error

 

The requested URL caused an internal server error. This is usually due to a cgi script misconfiguration.

 

Any ideas??

 

Also, is there anyone out there that can help me find a way to make Multi-vendor shipping work with 2.2MS2??? I really need this contrib and I do not code :/

 

Khim~


Do not meddle in the affairs of Dragons, for you are crunchy and good with ketchup :-)

Share this post


Link to post
Share on other sites

I am having the same problem as Dave,

 

but i get a little more errors...

 

on the top of my site i get the error that the configure.php file is not secure yet i have all the settings as the instructions say.

I am using a Shared SSL and when i try and log on it asks me if i want to view non -secure items then i log on and click yet i get back to my default page and do not log on and not padlock or any sign or it being secure. if i say no i see th pad lock but no images..

Share this post


Link to post
Share on other sites

I don't know if this will help out "Master One" and some you other folks, but I found this little bit of interesting information in Bug Report 991 (which was determined to be bogus) If I understood it a little better, I think I'd know enough to solve my own problems.

 

http://www.oscommerce.com/community/bugs,991

 

dgw@qlogic.net @ 06/13/2003 08:21:40    If your SSL server is on a different physical machine that your nonSSL server you can only get this to work with mysql based sessions.

Share this post


Link to post
Share on other sites

I am running SSL via a shared certificate.

 

My checkout is fine (showing padlock and everything).

 

However, my admin is showing that I'm not using SSL; how do I fix this??

Share this post


Link to post
Share on other sites

I tried to read Bears solution, and everyones and it just doesn't work, all I get is 404s when it links to the https://

 

my osc stuff is here: usr/www/users/cii/osc/

my SSL is here: usr/wwws/users/cii

 

I set a link in the ssl directory of the entire osc directory.

 

However, now it correctly links to all the files, it just gives me a 403 forbidden error when trying to load them.

 

I'm assuming because symlinks probably are a security problem?

 

Anyways, any solutions?

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.flyerfaucet.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://www.flyerfaucet.com'); // eg, https://localhost - should not be empty for productive servers

define('ENABLE_SSL',true); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'https://www.flyerfaucet.com');

define('HTTPS_COOKIE_DOMAIN', 'https://www.flyerfaucet.com');

define('HTTP_COOKIE_PATH', '/osc/');

define('HTTPS_COOKIE_PATH', '/osc/');

define('DIR_WS_HTTP_CATALOG', '/osc/');

define('DIR_WS_HTTPS_CATALOG', '/osc/');

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');

define('DIR_FS_CATALOG', '/usr/www/users/cii/osc/');

define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');

define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/'

Share this post


Link to post
Share on other sites

This is my first post so please be gentle. I found The Bear's reply slightly cryptic because I was unfamiliar with the issues, but he is correct. The ensuing discussions contain some intersting red herrings.

 

We've just enabled a site using hosting that has a cpanel interface (with access to generating keys and certificates etc). We were surprised to see an SSL directory created at the same level as public_html. THis directory contained the keys and certificates etc.

 

We had done away with the catalog directory and put everything under catalog directly under public_html). THis was to avoid having http://www.mydomain.com/catalog as we had no permissions to point the domain at /catalog.

 

What we discovered was the following:

DO NOT put any files in the /SSL directory.

find the root of your hosting area and simply add a /~rootname after the https:// domain.

i.e. if your hosting company has called your root "acme" then your define would look like this:

 

define('HTTPS_SERVER', 'https://www.mydomain.com/~acme');

 

That is all you need to do. However, if you've been lazy and added <img src="

 

Here is the relevant part of our configure.php (domain changed to protect the guilty)

 

  define('HTTP_SERVER', 'http://www.mydomain.com'); 
 define('HTTPS_SERVER', 'https://www.mydomain.com/~acme'); 
 define('ENABLE_SSL', true); 
 define('HTTP_COOKIE_DOMAIN', 'www.mydomain.com');
 define('HTTPS_COOKIE_DOMAIN', 'www.mydomain.com);
 define('HTTP_COOKIE_PATH', '/');
 define('HTTPS_COOKIE_PATH', '/');
 define('DIR_WS_HTTP_CATALOG', '/');
 define('DIR_WS_HTTPS_CATALOG', '/');
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

Share this post


Link to post
Share on other sites

Can anyone tell my why sessions are being lost when I go from Non SSL to SSL? Any suggestions?

 

define('HTTP_SERVER', 'http://domain.com/home/catalog/'); // eg, http://localhost - should not be empty for productive servers
 define('HTTPS_SERVER', 'https://sharedSSL.com/folder/'); // eg, https://localhost - should not be empty for productive servers
 define('ENABLE_SSL', true); // secure webserver for checkout procedure?
 define('HTTP_COOKIE_DOMAIN', '');
 define('HTTPS_COOKIE_DOMAIN', '');
 define('HTTP_COOKIE_PATH', '');
 define('HTTPS_COOKIE_PATH', '');
 define('DIR_WS_HTTP_CATALOG', '');
 define('DIR_WS_HTTPS_CATALOG', '');
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
 define('DIR_FS_CATALOG', dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']));
 define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
 define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

 

Can anyone help me?

Share this post


Link to post
Share on other sites

Okay, this thread is a total screw up. Some advice for you guys.

 

1. Will those who know diddly about SSL please stop giving advice as though they were some kind of web guru - and screwing up other people's sites worse than they were before they proferred their 'advice'.

 

2. If The Bear gives you advice - hes' right and you're wrong. Either that or your web hosting company is doing things wrong, in which case move on, get a hosting company that knows what it's doing.

 

3. One common error on a shared ssl is to give your cookie domain correctly, and then to give the cookie domain for the shared ssl domain. Leave this blank - it ain't your domain!

 

4. Another common error is to give your cookie domain as http://www.yourdomain.com, instead of www.yourdomain.com

 

5. If you have one of those crazy setups where, even when you have paid out good money for a full ssl cert, you get an httpdcos and an httpsdocs folder, commisserations - crap system - find another hosting company. You'll always have problems with it.

 

6. If you have an ssl cert but the whole of your 'admin' folder is not secured, then in admin/includes/configure.php change all references to http://www.yourdomain.com to https://www.yourdomain.com (this is the https path for a full ssl cert).

 

7. When you are giving your website address in the configure.php files, stop sticking 'catalog' on the end of your domain name (even if your site is in a folder of the main domain). The correct place for this is in your absolute path settings.

 

8. On a full ssl cert your cookie domain is the same for both http and https, and that's www.yourdomain.com

 

9. If you have your site in a folder (e.g. catalog) then the path to your domain is http://www.yourdomain.com, and your path to 'catalog' is /catalog/, and if your 'admin' folder is actually called 'admin' then the path to 'admin' (in admin/includes/configure.php) is /catalog/admin/

 

10. Don't confuse this with your DIR_FS_CATALOG path,which will be something like /var/www/html/catalog/ (assuming you have your site in a folder called 'catalog'). Your web hosting company should give you this path, and they should even have it listed in a set of FAQ's. If your hst doesn't have FAQ's which list this, and you ask them and they can't tell you - find another hosting company!

 

11. Don't set ssl to 'true' in your config files when you don't have at least a shared ssl, and even if you have this set to false then it's advisable to leave the spaces for https paths blank. There's no point in putting in https://www.yourdomain.com when you don't have an ssl cert!

 

12. If you are using shared ssl don't set 'Force Cookie Use' to 'true', because it'll screw up your whole site.

 

Now - I suggest that this thread is way too long, and if you have a problem with ssl to start a thread of your own.

 

Here endeth the lesson for today!

 

Vger

Share this post


Link to post
Share on other sites

Finally someone with sense in this thread. I knew "The Bear" was correct but with so many people confusing me with their conflicting stories it threw me off. Thanks Vger, I added the cookie domain and everything worked great! Finally someone with sense.

Share this post


Link to post
Share on other sites

×