Jump to content

Archived

This topic is now archived and is closed to further replies.

prosat

problem with no padlock on ssl

Recommended Posts

That was quick!!!

 

Thanks for your response. I've done as you suggested, it had already been done during the setup. However it doesn't seem to work.

 

Whenever I click on checkout it attempts to load the checkout.php page from the secure server which is obviously empty.

 

Matt

Share this post


Link to post
Share on other sites
That was quick!!!

 

Thanks for your response. I've done as you suggested, it had already been done during the setup. However it doesn't seem to work.

 

Whenever I click on checkout it attempts to load the checkout.php page from the secure server which is obviously empty.

 

Matt

 

can you post your configure.php file (without your server information and password, etc.) and a link to your website and any other problem description. this way people can see and replicate your problem and come up with a better and faster solutions perhaps.

 

cheers.


Did you try? Did you fail? No matter! Try again. Fail again! But fail better!

Share this post


Link to post
Share on other sites

Hi,

 

I afraid I'm not happy to post the web address here as I don't want the search engines picking it up. This leaves me in somewhat of a predicament as without this information, you can't help me. :(

 

If someone could give me a brief explanation of what happens when ssl is activated I could try and work it out for myself. Just to recap:

 

With ssl activated and pointed to the shared ssl host, whenever a ssl required page (checkout, account) is selected, the user is connected to the ssl webspace showing a directory listing. Only shows cgi-bin as there's nothing else in there. The padlock appears ok, obviously but no secure webpage.

 

Any advice appreciated.

 

Matt

Share this post


Link to post
Share on other sites

Matt,

 

i appreciate if you don't want to put a link to your website! no worries. but posting your configure.php with domin name, server and database info take out won't be a problem?

 

have you read this: http://www.oscommerce.info/kb/osCommerce/D...plementations/4

 

typical oscommerce installation does not use cgi-bin. you may create a secure folder and put relevant files in there and call them, when in SSL mode, from this secure server/file. however there's no need for that.

 

when you activate the SSL in your setup the data in secure pages such as login will be encrypted, etc. if you can see the HTTPS in the location bar and the lock in the status bar your page is SSL enabled and secure.

 

i'm afraid i'm not an expert on the SSL issue so it's best to seek further help from others!

 

good luck.


Did you try? Did you fail? No matter! Try again. Fail again! But fail better!

Share this post


Link to post
Share on other sites

Thanks for the reply. Apparently my host has set up the shared ssl incorrectly. I'm still waiting for them to sort it out. I've decided to get my own ssl cert and am awaiting that also.

 

Thanks

Matt

Share this post


Link to post
Share on other sites

To anybody who might still be having a problem getting the padlock to show up, here is what worked for me.

 

I'm using STS and the problem was in my template. I had an absolute path to the css page and that's what caused the problem. (STS recommends using absolute paths). By changing it to a relative path, it fixed the problem right away. Apparently any absolute path is going to confuse the system.

 

Hope this helps somebody out there!

Janet

Share this post


Link to post
Share on other sites
Which "secure site folder"? My FTP doesn't show up any secure site folder.

 

The way our SSL works is that it simply maps a subdom (alias) of my main dom to a virtual directory on an SSL proxy server.

 

ie. http://secure.recordlounge.co.uk maps to https://sslrelay.com/secure.recordlounge.co.uk

 

But in FTP, there is no "secure" subdir like on btinternet, etc. It simply runs the entire site through this SSL proxy to secure it.

 

The problem we're having is that for some reason, when we changeover servers to sslrelay.com, the img src's all revert back to http, thereby leaving us with a bunch of mixed content and no padlock.

 

Please elaborate on what you meant? Thanks.

Share this post


Link to post
Share on other sites

my problem seems to be: on secure pages I get the pop up, secure & non secure. If you select no the lock shows up and nothing on my page is missing. If you select yes then the lock will not display. There is no difference between the site page selecting yes or no except with the lock. Now how do I get the lock to show all the time and get rid of that message box????? Please help, my site is up and running: www.2daysmarketplace.com

THANKS

Share this post


Link to post
Share on other sites
my problem seems to be:  on secure pages I get the pop up, secure & non secure. If you select no the lock shows up and nothing on my page is missing. If you select yes then the lock will not display. 

 

You've got two problems:

 

1) under a non ssl (http) your baseref is <base href="https://www.2daysmarketplace.com/catalog/">. This will cause problems in both http and https.

 

2) The first time I visited my browser told me the certificate issuer was unknown. This may not be a big deal.

 

To fix #1 try this first

 

In catalog/includes/application_top.php change

 

// set the type of request (secure or not)

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

to:

 

// set the type of request (secure or not)

//$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

$request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL';

 

After you've done that let us know and someone will check it for you again.


Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Share this post


Link to post
Share on other sites
You've got two problems:

 

1) under a non ssl (http) your baseref is <base href="https://www.2daysmarketplace.com/catalog/">. This will cause problems in both http and https.

 

2) The first time I visited my browser told me the certificate issuer was unknown. This may not be a big deal.

 

To fix #1 try this first

 

In catalog/includes/application_top.php change

 

// set the type of request (secure or not)

  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

to:

 

// set the type of request (secure or not)

//$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

  $request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL';

 

After you've done that let us know and someone will check it for you again.

AlanR,

After trying your edit, I lost the pics. I guess that's from going to port 443.

 

I'll keep looking.

Share this post


Link to post
Share on other sites
AlanR,

After trying your edit, I lost the pics. I guess that's from going to port 443.

 

I'll keep looking.

 

That most likely means your server is one of those with a second folder for secure files.

 

Look through the other threads dealing with this.


Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Share this post


Link to post
Share on other sites
That most likely means your server is one of those with a second folder for secure files.

 

Look through the other threads dealing with this.

 

Hi :)

I just now tried your code change. It did not seem to make any difference. I am still gettting the popup with the secure, non secure. If I select no I dont want to display the nosecure items, I dont see any difference in my site at all. All pics show up, so I dont know what the nosecure items are.

THanks

Share this post


Link to post
Share on other sites

Just to add my bit ive read through a lot of info on this, i am currently setting up a system on 1and1 with dedicated hosting, BUT i believe this will work for shared aswell.

 

By changing

 

// set the type of request (secure or not)
 $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

to

 

// set the type of request (secure or not)
 $request_type = (getenv('HTTPS') == '1') ? 'SSL' : 'NONSSL';

 

This will fix the problem and the annoying popup message about transmitting non-secure data from a secure page etc. Which will stop most customers buying!

 

  $request_type = (eregi ($HTTP_HOST, HTTPS_SERVER)) ? 'SSL' : 'NONSSL';

 

Is a fix to a point but you many have the pop up message about transmitting non secure data etc as you are not checking if the server is meant to be secure but matching the host to the secure server, sort of a hack around it. Same as with checking the port number.

 

If you still have problems it might be worth checking if you can get the following to work

 

( !isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on' )

 

That is not the actual code to use bu shows you how to check if https is turned on another way.

 

Hope this fixes some problems.

Share this post


Link to post
Share on other sites

$request_type = (eregi ($HTTP_HOST, HTTPS_SERVER)) ? 'NONSSL' : 'SSL';

 

Vger

Share this post


Link to post
Share on other sites
Just to add my bit ive read through a lot of info on this, i am currently setting up a system on 1and1 with dedicated hosting, BUT i believe this will work for shared aswell.

 

By changing

 

// set the type of request (secure or not)
 $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

to

 

// set the type of request (secure or not)
 $request_type = (getenv('HTTPS') == '1') ? 'SSL' : 'NONSSL';

 

This will fix the problem and the annoying popup message about transmitting non-secure data from a secure page etc. Which will stop most customers buying!

 

  $request_type = (eregi ($HTTP_HOST, HTTPS_SERVER)) ? 'SSL' : 'NONSSL';

 

Is a fix to a point but you many have the pop up message about transmitting non secure data etc as you are not checking if the server is meant to be secure but matching the host to the secure server, sort of a hack around it. Same as with checking the port number.

 

 

$request_type = (getenv('HTTPS') == '1') ? 'SSL' : 'NONSSL';

 

This works for dedicated ssl but not for shared. (and what a simple change)

 

$request_type = (eregi ($HTTP_HOST, HTTPS_SERVER)) ? 'SSL' : 'NONSSL';

 

This works OK for shared with one caveat, here's why

 

A 1&1 proxy looks like:

 

https://ssl.perfora.net/mydomain.com/catalog/login.php?

 

the eregi is an ignore case search which looks for the first string in the second.

 

so if you set your config file like this:

 

define('HTTP_SERVER', 'http://www.mydomain.com'); (note the www)

 

all will be well, the base href switches back and forth exactly as it should since the eregi can't find www.mydomain.com in the perfora.net proxy string and the test works.

 

If you set HTTP_SERVER like this:

 

define('HTTP_SERVER', 'http://mydomain.com');

 

your base href will always be:

 

<base href="https://ssl.perfora.net/mydomain.com/catalog/">

 

since the test will always find the first string in the second and all images and code will be pulled through the ssl link, slowing the site.

 

The single tradeoff is that when someone hits the site the first time coming in from

 

http://mydomain.com/catalog they'll load via ssl till they click a link within the store and subsequently all links will have the www

 

so use: define('HTTP_SERVER', 'http://www.mydomain.com');

 

I wrote a little script to examine the ports and ssl status under different conditions.

 

1&1 uses ssl on port 80 so the port 443 test won't work.

 

I spent a lot of time fooling around testing for other ssl parameters which I could use as a switch but got blank responses. At this stage I don't know enough about ssl protocol to figure out a better test but there's gotta be one because the browser knows, I just don't know how to make a good query.

 

I was just fooling around with a test store anyway and I ran out of time.

 

Bottom line?

 

This works for shared:

 

$request_type = (eregi ($HTTP_HOST, HTTPS_SERVER)) ? 'SSL' : 'NONSSL';

 

provided you set the HTTP_SERVER with the www. as I've shown above.


Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Share this post


Link to post
Share on other sites

I had this working before.. but am rebuilding a new site. Here's the deal:

 

I've changed it to:

 

$request_type = (eregi ($HTTP_HOST, HTTPS_SERVER)) ? 'NONSSL' : 'SSL';

 

This seems to work for the most part... when I had the SSL first I was getting no padlock. However when it's setup like this all images are broken, example:

 

http://%20https://ssl.perfora.net/..../x.gif

 

This only happens in IE.

 

Everything works perfectly in Firefox, example:

https://ssl.perfora.net/..../x.gif

 

I have no idea why it's doing that in IE and not firefox. Any ideas on how to fix this?

Share this post


Link to post
Share on other sites

ok.. i have no edit option, but apparently the IE problem was restricted to my computer only. I tried it on another PC and everything works perfectly. Weird stuff. Anyways, thanks for what I'm sure would have been good help. :P

 

$request_type = (eregi ($HTTP_HOST, HTTPS_SERVER)) ? 'NONSSL' : 'SSL';

 

This is working great now. Thanks for this thread. 1and1 was no help.

Share this post


Link to post
Share on other sites

Here's a better, more reliable fix for 1&1 which I posted more recently.

 

Replace:

 

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

with:

 

// $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

$request_type = (getenv('HTTP_X_FORWARDED_HOST') == 'ssl.perfora.net') ? 'SSL' : 'NONSSL';

 

It solves a lot of problems the eregi solution had. I don't want future searchers to find this thread and not the best solution.


Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Share this post


Link to post
Share on other sites

I'll add this here too for the benefit of future solution seekers.

 

 

Create a little file, I named it myenv.php, with these lines:

 

<?php
  echo 'HTTP HOST: ' . "$HTTP_HOST";
  echo '<br>Server Port: ' . getenv('SERVER_PORT');
  echo '<br>SSL Status: ' . getenv('HTTPS');
  echo '<br>Fowarded Server: ' . getenv('HTTP_X_FORWARDED_SERVER');
  echo '<br>Fowarded Host: ' . getenv('HTTP_X_FORWARDED_HOST');
?>

 

If you put that somewhere on the server, probably root and run it like so:

 

https://ssl.shared.com/mydomain.com/myenv.php you'll be able to see how the server responds to these queries.

 

Some dedicated ssls respond with a '1' instead of 'on' to No. 3 for example.

 

Shared servers may respond differently to 4 & 5 but 1&1 gives the same response to both.

 

Once you know how the server answers these queries you can figure out the best solution for that pesky line 41 in application_top.php. It helped a fellow hosting with NetWork Solutions and someone else hosting with GoDaddy within the last couple days.


Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Share this post


Link to post
Share on other sites
Here's a better, more reliable fix for 1&1 which I posted more recently.

 

Replace:

 

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

with:

 

// $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

$request_type = (getenv('HTTP_X_FORWARDED_HOST') == 'ssl.perfora.net') ? 'SSL' : 'NONSSL';

 

It solves a lot of problems the eregi solution had. I don't want future searchers to find this thread and not the best solution.

 

That works... but i just tried IE on another PC and I am getting all the broken image links again.

 

http://%20https://ssl.perfora.net/..../x.gif

 

It's still normal in Firefox, but all the image links are broken in IE. Any thoughts?

Share this post


Link to post
Share on other sites
That works... but i just tried IE on another PC and I am getting all the broken image links again.

 

http://%20https://ssl.perfora.net/..../x.gif

 

It's still normal in Firefox, but all the image links are broken in IE.  Any thoughts?

 

That line can't be the result of the ssl settings. Not with this: http://%20https://

 

You've most likely got a path or domain setting wrong in your configure.php file.

 

Remember that these are domains not urls

 

define('HTTP_COOKIE_DOMAIN', 'mydomain.com');

define('HTTPS_COOKIE_DOMAIN', 'ssl.perfora.net/mydomain.com');

 

No http:// or https:// allowed in those lines.


Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Share this post


Link to post
Share on other sites

The reason it will work with some browsers and not with others is because the result of the work done in application top is the

 

<base href="http://mydomain.com/catalog/">

 

line found near the top of all pages.

 

Some browsers ignore that line and won't have problems. The ones that don't ignore that line will have problems if the domains or paths are wrong or the switch to ssl and back fails.


Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Share this post


Link to post
Share on other sites

This is really not the best thread for this but post your catalog/includes/configure.php file. It's a simple error.

 

(XXX through the db name and password.)


Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Share this post


Link to post
Share on other sites

×