tarzan271 Posted July 25, 2005

I have searched and read the posts here for days. I have almost given up. I am using a shared ssl cert. https://ssl.perfora.net/mydomain.com. I originally installed oscommerce without ssl support. I have now tried to activate it in the configure.php files in the /includes and admin/includes folders. I think I have figured out how to include it in both configure.php files. When I test my site it says it is going to a secure connection and has the https server in the address bar, but the padlock is not enabled in IE or Firefox. Also, when I log into /admin, it says I am not protected by a ssl in the lower left corner. I don't know if this means for the admin function or not at all. Any help you can give me would be greatly appreciated.

/includes file:

    <?php
    // Define the webserver and path parameters
    // * DIR_FS_* = Filesystem directories (local/physical)
    // * DIR_WS_* = Webserver directories (virtual/URL)
    define('HTTP_SERVER', 'http://www.mydomain.com'); // eg, http://localhost - should not be empty for productive servers
    define('HTTPS_SERVER', 'https://ssl.perfora.net/mydomain.com'); // eg, https://localhost - should not be empty for productive servers
    define('ENABLE_SSL', 'true'); // secure webserver for checkout procedure?
    define('HTTP_COOKIE_DOMAIN', 'www.celticmooncda.com');
    define('HTTPS_COOKIE_DOMAIN', 'https://ssl.perfora.net/mydomain.com');
    define('HTTP_COOKIE_PATH', '/catalog/');
    define('HTTPS_COOKIE_PATH', '/catalog/');
    define('DIR_WS_HTTP_CATALOG', '/catalog/');
    define('DIR_WS_HTTPS_CATALOG', '/catalog/');
    define('DIR_WS_IMAGES', 'images/');
    define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
    define('DIR_WS_INCLUDES', 'includes/');
    define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
    define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
    define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
    define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
    define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

    define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
    define('DIR_FS_CATALOG', '/kunden/homepages/16/d122228357/htdocs/catalog/');
    define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
    define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

    // define our database connection
    define('DB_SERVER', 'db171.perfora.net'); // eg, localhost - should not be empty for productive servers
    define('DB_SERVER_USERNAME', 'my username');
    define('DB_SERVER_PASSWORD', 'my password');
    define('DB_DATABASE', 'db122229134');
    define('USE_PCONNECT', 'false'); // use persistent connections?
    define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'
    ?>

/admin/includes file:

    <?php
    // Define the webserver and path parameters
    // * DIR_FS_* = Filesystem directories (local/physical)
    // * DIR_WS_* = Webserver directories (virtual/URL)
    define('HTTP_SERVER', 'http://www.my domain.com'); // eg, http://localhost - should not be empty for productive servers
    define('HTTP_CATALOG_SERVER', 'http://www.my domain.com');
    define('HTTPS_CATALOG_SERVER', 'https://ssl.perfora.net/my domain.com');
    define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
    define('DIR_FS_DOCUMENT_ROOT', '/kunden/homepages/16/d122228357/htdocs/catalog/'); // where the pages are located on the server
    define('DIR_WS_ADMIN', '/catalog/admin/'); // absolute path required
    define('DIR_FS_ADMIN', '/kunden/homepages/16/d122228357/htdocs/catalog/admin/'); // absolute path required
    define('DIR_WS_CATALOG', '/catalog/'); // absolute path required
    define('DIR_FS_CATALOG', '/kunden/homepages/16/d122228357/htdocs/catalog/'); // absolute path required
    define('DIR_WS_IMAGES', 'images/');
    define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
    define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
    define('DIR_WS_INCLUDES', 'includes/');
    define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
    define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
    define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
    define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
    define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
    define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
    define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
    define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
    define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
    define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

    // define our database connection
    define('DB_SERVER', 'db171.perfora.net'); // eg, localhost - should not be empty for productive servers
    define('DB_SERVER_USERNAME', 'my user name');
    define('DB_SERVER_PASSWORD', 'my password');
    define('DB_DATABASE', 'db122229134');
    define('USE_PCONNECT', 'false'); // use persistent connections?
    define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'
    ?>

Thanks for the help.

AlanR Posted July 25, 2005

You need to make a change in includes/application_top.php around line 41

    // set the type of request (secure or not)
    // $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
    $request_type = (eregi ($HTTP_HOST , HTTPS_SERVER)) ? 'SSL' : 'NONSSL';

I wrote a little blurb about it here: http://www.oscommerce.com/forums/index.php?sho...ndpost&p=659077

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux
Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

AlanR Posted July 25, 2005

I wouldn't waste any time worrying about running all of admin under ssl, it's counterproductive. Apply this contribution which makes orders and customers run under ssl, it's a great solution.

http://www.oscommerce.com/community/contributions,2274

tarzan271 Posted July 25, 2005

> You need to make a change in includes/application_top.php around line 41
>
>     // set the type of request (secure or not)
>     // $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
>     $request_type = (eregi ($HTTP_HOST , HTTPS_SERVER)) ? 'SSL' : 'NONSSL';
>
> I wrote a little blurb about it here: http://www.oscommerce.com/forums/index.php?sho...ndpost&p=659077

YOU ARE THE MAN!!! If you were here I would give you a big fat kiss! I am so giddy. After 3 days of trying to figure it out myself, you gave me the answer in minutes. At least I have learned a lot. Thanks again for your help.

AlanR Posted July 25, 2005

Here's a better test for shared ssl on 1&1 servers.

Key words for search: Shared SSL 1&1, Shared SSL 1and1, perfora.net, ssl.perfora.net, Padlock on 1&1, Padlock on 1and1

Around line 41 in catalog/includes/application_top.php find:

    $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

change to:

    //$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
    $request_type = (getenv('HTTP_X_FORWARDED_HOST') == 'ssl.perfora.net') ? 'SSL' : 'NONSSL';

All we're doing is checking the name of the ssl proxy server. If it's ssl.perfora.net then we want to switch to ssl. You'll get a solid padlock and <base href="http://www.mydomain.com/catalog/"> switches back and forth as it should.

This will probably work with another ssl proxy server as well provided you know its name.

heretoo Posted July 25, 2005

Make sure your ftp program is actually loading your changes, I racked my brains out before I figured out that it was not overwriting the file I changed. I had to delete and then upload the changed one.

♥Vger Posted July 25, 2005

And finally, if you don't want customers losing their session and having to repeatedly login, then change this:

    define('HTTPS_COOKIE_DOMAIN', 'https://ssl.perfora.net/mydomain.com');

to this:

    define('HTTPS_COOKIE_DOMAIN', 'ssl.perfora.net/mydomain.com');

Vger

AlanR Posted July 25, 2005

> And finally, if you don't want customers losing their session and having to repeatedly login, then change this:
>
>     define('HTTPS_COOKIE_DOMAIN', 'https://ssl.perfora.net/mydomain.com');
>
> to this:
>
>     define('HTTPS_COOKIE_DOMAIN', 'ssl.perfora.net/mydomain.com');
>
> Vger

Yeah, I noticed that last night but forgot to mention it. He'll probably figure it out though, he spent three days fooling around already and got a lotta practice. :lol:

♥Vger Posted July 25, 2005

> He'll probably figure it out though

No disrespect to the poster - but I never assume that new users will figure things out. It's safer that way! :D

Vger

tarzan271 Posted July 25, 2005

> No disrespect to the poster - but I never assume that new users will figure things out. It's safer that way! :D
>
> Vger

No disrespect taken. I am a noob and know little to nothing about how .php coding works. HTML is much simpler and, no, I wouldn't have figured it out. So thanks for that info, I will change it today.

johnwinther Posted July 25, 2005

Hi

I'm not sure that your ssl works even outside oscommerce. If you don't see the lock at the bottom, and you can't click and view your certificate, you have a problem with ssl configuration.

Try a simple html or php file and test your ssl in all the used directories.

John

♥Vger Posted July 25, 2005

The ssl cert is working fine now, padlock showing, no pop-ups warning about security. One problem you do have is related to images which are being looked for at the ssl location, and so do not show up. It may be that an earlier piece of advice is not just directing the pages to the shared ssl but the images also. I refer to this piece of code.

    $request_type = (getenv('HTTP_X_FORWARDED_HOST') == 'ssl.perfora.net') ? 'SSL' : 'NONSSL';

Vger

AlanR Posted July 25, 2005

> The ssl cert is working fine now, padlock showing, no pop-ups warning about security. One problem you do have is related to images which are being looked for at the ssl location, and so do not show up. It may be that an earlier piece of advice is not just directing the pages to the shared ssl but the images also. I refer to this piece of code.
>
> Vger

I'm running an identical set-up on a test server and all is fine. On his site I have no problems either, I see all images with or without ssl engaged.

There's very little difference between the first solution I provided and the second. It's all about getting the base ref to change on the switch from http to https and back.

The second test (the one you quote above) is better because it makes no difference how this:

    define('HTTP_SERVER', 'http://www.mydomain.com');

is set.

The eregi test (the first one I provided) is kind of a fudge which someone else came up with long ago. For it to work

    define('HTTP_SERVER', 'http://www.mydomain.com');

must be set with the www. or the base ref will always be the ssl one. See: http://www.oscommerce.com/forums/index.php?sho...77entry659077

The bottom line is always this:

    <base href="https://ssl.perfora.net/celticmooncda.com/catalog/">

(near the top in any source view)

If that switches correctly for all sections the ssl detection is working correctly.

tarzan271 Posted July 26, 2005

> I'm running an identical set-up on a test server and all is fine. On his site I have no problems either, I see all images with or without ssl engaged.
>
> There's very little difference between the first solution I provided and the second. It's all about getting the base ref to change on the switch from http to https and back.
>
> The second test (the one you quote above) is better because it makes no difference how this:
>
>     define('HTTP_SERVER', 'http://www.mydomain.com');
>
> is set.
>
> The eregi test (the first one I provided) is kind of a fudge which someone else came up with long ago. For it to work
>
>     define('HTTP_SERVER', 'http://www.mydomain.com');
>
> must be set with the www. or the base ref will always be the ssl one. See: http://www.oscommerce.com/forums/index.php?sho...77entry659077
>
> The bottom line is always this:
>
>     <base href="https://ssl.perfora.net/celticmooncda.com/catalog/">
>
> (near the top in any source view)
>
> If that switches correctly for all sections the ssl detection is working correctly.

How did you know my site name? I am still in the testing stage with no critical info in my db, but I just was wondering how you figured it out. Thanks again for all the help. I am getting ready to try the last security fix, so I might have more ??

AlanR Posted July 26, 2005

> How did you know my site name? I am still in the testing stage with no critical info in my db, but I just was wondering how you figured it out. Thanks again for all the help. I am getting ready to try the last security fix, so I might have more ??

It's in your first post, the cookie domain, you goofed and didn't delete it. B)

If you mean this:

    //$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
    $request_type = (getenv('HTTP_X_FORWARDED_HOST') == 'ssl.perfora.net') ? 'SSL' : 'NONSSL';

This is the best fix, the other one works but it's too easy to goof it up. This one is solid.

Here's a little test script:

    <?php
    // Values come from the request, so escape them before printing.
    function show_env($name) { return htmlspecialchars((string) getenv($name)); }
    echo 'HTTP HOST: ' . show_env('HTTP_HOST');
    echo '<br>Server Port: ' . show_env('SERVER_PORT');
    echo '<br>SSL Status: ' . show_env('HTTPS');
    echo '<br>Forwarded Server: ' . show_env('HTTP_X_FORWARDED_SERVER');
    echo '<br>Forwarded Host: ' . show_env('HTTP_X_FORWARDED_HOST');
    ?>

If you copy that into a file named something like myenv.php and drop it into a folder (most likely root, but anywhere) then access it via normal http and then through the ssl.perfora.net proxy you can see what's going on, like so:

https://ssl.perfora.net/celticmooncda.com/myenv.php

and

http://celticmooncda.com/myenv.php (try with and without the www)

You'll see that the ssl.perfora.net proxy provides no response for getenv('HTTPS') and it's port 80. A dedicated 1&1 ssl link provides a '1' and port 443 like most ssl servers do.

The ssl.perfora.net proxy is a pretty sophisticated system, it switches remote ports on every request and provides very little info, it'd be pretty tough to crack.

AlanR Posted July 26, 2005

In hindsight I guess I should explain the problem with using this. (I did in a previous thread but for future readers it'll all be together.)

    $request_type = (eregi ($HTTP_HOST , HTTPS_SERVER)) ? 'SSL' : 'NONSSL';

This is a simple regular expression which looks for the string supplied by $HTTP_HOST in the HTTPS_SERVER string which is defined in your config file.

The problem comes when you set:

    define('HTTP_SERVER', 'http://mydomain.com');
    define('HTTPS_SERVER', 'https://ssl.perfora.net/mydomain.com');

or

    define('HTTP_SERVER', 'http://www.mydomain.com');
    define('HTTPS_SERVER', 'https://ssl.perfora.net/www.mydomain.com');

The eregi test will always be true in both cases since the string which results from the $HTTP_HOST inquiry will always be found in the HTTPS_SERVER string.

The result will be that the base href will always be

    <base href="https://ssl.perfora.net/mydomain.com/catalog/">

*or*

    <base href="https://ssl.perfora.net/www.mydomain.com/catalog/">

with the result being that your images and code will always be pulled through the ssl proxy, slowing the site.

The only way to make the eregi test work is to leave off the www in one place or the other, like so:

    define('HTTP_SERVER', 'http://www.mydomain.com');
    define('HTTPS_SERVER', 'https://ssl.perfora.net/mydomain.com');

*or*

    define('HTTP_SERVER', 'http://mydomain.com');
    define('HTTPS_SERVER', 'https://ssl.perfora.net/www.mydomain.com');

I've known for a long time that people goofed this up so today I looked for a more solid fix, and this is it:

    //$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
    $request_type = (getenv('HTTP_X_FORWARDED_HOST') == 'ssl.perfora.net') ? 'SSL' : 'NONSSL';

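Added example (not part of any post in this thread, and not osCommerce code): the two detection tests discussed above run side by side over constructed requests, next to a variant that accepts X-Forwarded-Host only when the connection comes from the proxy. The proxy address 192.0.2.10, the Host value PHP sees behind the proxy, and all function names are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. All request values are constructed.
const HTTPS_SERVER_CFG = 'https://ssl.perfora.net/mydomain.com'; // config value from the thread
const PROXY_HOST       = 'ssl.perfora.net';                      // proxy name from the thread
const PROXY_ADDRS      = ['192.0.2.10'];                         // placeholder address (assumption)

// Stand-in for eregi($HTTP_HOST, HTTPS_SERVER): eregi() was removed in PHP 7, and for
// a plain host name a case-insensitive substring search gives the same result.
function type_by_substring(array $req): string
{
    return stripos(HTTPS_SERVER_CFG, $req['HTTP_HOST']) !== false ? 'SSL' : 'NONSSL';
}

// The thread's second test: exact match on the proxy name in X-Forwarded-Host.
function type_by_forwarded_host(array $req): string
{
    return ($req['HTTP_X_FORWARDED_HOST'] ?? '') === PROXY_HOST ? 'SSL' : 'NONSSL';
}

// Same test, but the header only counts when the connection comes from the proxy,
// because X-Forwarded-* headers are ordinary request headers.
function type_by_trusted_proxy(array $req): string
{
    $fromProxy = in_array($req['REMOTE_ADDR'] ?? '', PROXY_ADDRS, true);
    return $fromProxy ? type_by_forwarded_host($req) : 'NONSSL';
}

// Constructed requests. Assumption: behind the proxy PHP sees the bare domain as Host.
$requests = [
    'http, www host' => [
        'HTTP_HOST' => 'www.mydomain.com', 'REMOTE_ADDR' => '198.51.100.7'],
    'http, bare host' => [
        'HTTP_HOST' => 'mydomain.com', 'REMOTE_ADDR' => '198.51.100.7'],
    'via ssl proxy' => [
        'HTTP_HOST' => 'mydomain.com', 'REMOTE_ADDR' => '192.0.2.10',
        'HTTP_X_FORWARDED_HOST' => 'ssl.perfora.net'],
    'http, header not from proxy' => [
        'HTTP_HOST' => 'www.mydomain.com', 'REMOTE_ADDR' => '198.51.100.7',
        'HTTP_X_FORWARDED_HOST' => 'ssl.perfora.net'],
];

printf("%-30s %-10s %-10s %s\n", 'request', 'substring', 'fwd-host', 'trusted');
foreach ($requests as $label => $req) {
    printf("%-30s %-10s %-10s %s\n", $label, type_by_substring($req),
        type_by_forwarded_host($req), type_by_trusted_proxy($req));
}
```

The "http, bare host" row is the case where the substring test reports SSL on a plain request; the last row is where the header-only test and the proxy-address check disagree.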