ssl problem, please help!


tarzan271

I have searched and read the posts here for days. I have almost given up. I am using a shared ssl cert. https://ssl.perfora.net/mydomain.com. I originally installed oscommerce without ssl support. I have now tried to activate it in the configure.php files in the /includes and admin/includes folders.

 

I think I have figured out how to include it in both configure.php files. When I test my site it says it is going to a secure connection and has the https server in the address bar, but the padlock is not enabled in IE or Firefox.

 

Also, when I log into /admin, it says I am not protected by an ssl in the lower left corner. I don't know if this means for the admin function or not at all.

 

Any help you can give me would be greatly appreciated.

 

/includes file:

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.mydomain.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTPS_SERVER', 'https://ssl.perfora.net/mydomain.com'); // eg, https://localhost - should not be empty for productive servers

define('ENABLE_SSL', 'true'); // secure webserver for checkout procedure?

define('HTTP_COOKIE_DOMAIN', 'www.celticmooncda.com');

define('HTTPS_COOKIE_DOMAIN', 'https://ssl.perfora.net/mydomain.com');

define('HTTP_COOKIE_PATH', '/catalog/');

define('HTTPS_COOKIE_PATH', '/catalog/');

define('DIR_WS_HTTP_CATALOG', '/catalog/');

define('DIR_WS_HTTPS_CATALOG', '/catalog/');

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 

define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');

define('DIR_FS_CATALOG', '/kunden/homepages/16/d122228357/htdocs/catalog/');

define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');

define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

 

// define our database connection

define('DB_SERVER', 'db171.perfora.net'); // eg, localhost - should not be empty for productive servers

define('DB_SERVER_USERNAME', 'my username');

define('DB_SERVER_PASSWORD', 'my password');

define('DB_DATABASE', 'db122229134');

define('USE_PCONNECT', 'false'); // use persistent connections?

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

?>

 

 

/admin/includes file:

 

// Define the webserver and path parameters

// * DIR_FS_* = Filesystem directories (local/physical)

// * DIR_WS_* = Webserver directories (virtual/URL)

define('HTTP_SERVER', 'http://www.my domain.com'); // eg, http://localhost - should not be empty for productive servers

define('HTTP_CATALOG_SERVER', 'http://www.my domain.com');

define('HTTPS_CATALOG_SERVER', 'https://ssl.perfora.net/my domain.com');

define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

define('DIR_FS_DOCUMENT_ROOT', '/kunden/homepages/16/d122228357/htdocs/catalog/'); // where the pages are located on the server

define('DIR_WS_ADMIN', '/catalog/admin/'); // absolute path required

define('DIR_FS_ADMIN', '/kunden/homepages/16/d122228357/htdocs/catalog/admin/'); // absolute path required

define('DIR_WS_CATALOG', '/catalog/'); // absolute path required

define('DIR_FS_CATALOG', '/kunden/homepages/16/d122228357/htdocs/catalog/'); // absolute path required

define('DIR_WS_IMAGES', 'images/');

define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');

define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');

define('DIR_WS_INCLUDES', 'includes/');

define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');

define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');

define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');

define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');

define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');

define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');

define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');

define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');

define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

 

// define our database connection

define('DB_SERVER', 'db171.perfora.net'); // eg, localhost - should not be empty for productive servers

define('DB_SERVER_USERNAME', 'my user name');

define('DB_SERVER_PASSWORD', 'my password');

define('DB_DATABASE', 'db122229134');

define('USE_PCONNECT', 'false'); // use persistent connections?

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

?>

 

Thanks for the help.

Link to comment
Share on other sites

You need to make a change in includes/application_top.php

 

around line 41

 

// set the type of request (secure or not)

// $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

$request_type = (eregi ($HTTP_HOST , HTTPS_SERVER)) ? 'SSL' : 'NONSSL';

 

I wrote a little blurb about it here:

 

http://www.oscommerce.com/forums/index.php?sho...ndpost&p=659077

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites

I wouldn't waste any time worrying about running all of admin under ssl, it's counterproductive.

 

Apply this contribution which makes orders and customers run under ssl, it's a great solution.

 

http://www.oscommerce.com/community/contributions,2274

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites

YOU ARE THE MAN!!! If you were here I would give you a big fat kiss! I am so giddy. After 3 days of trying to figure it out myself, you gave me the answer in minutes. At least I have learned a lot. Thanks again for your help.

Link to comment
Share on other sites

Here's a better test for shared ssl on 1&1 servers.

 

Key words for search:

Shared SSL 1&1, Shared SSL 1and1, perfora.net, ssl.perfora.net, Padlock on 1&1, Padlock on 1and1

 

Around line 41 in catalog/includes/application_top.php

 

find:

 

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

change to:

 

//$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

$request_type = (getenv('HTTP_X_FORWARDED_HOST') == 'ssl.perfora.net') ? 'SSL' : 'NONSSL';

 

All we're doing is checking the name of the ssl proxy server. If it's ssl.perfora.net then we want to switch to ssl. You'll get a solid padlock and <base href="http://www.mydomain.com/catalog/"> switches back and forth as it should.

 

This will probably work with another ssl proxy server as well provided you know its name.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites

Make sure your ftp program is actually loading your changes. I racked my brains out before I figured out that it was not overwriting the file I changed. I had to delete and then upload the changed one.

Link to comment
Share on other sites

And finally, if you don't want customers losing their session and having to repeatedly login, then change this:

 

define('HTTPS_COOKIE_DOMAIN', 'https://ssl.perfora.net/mydomain.com');

 

to this:

 

define('HTTPS_COOKIE_DOMAIN', 'ssl.perfora.net/mydomain.com');

 

Vger

Link to comment
Share on other sites

Yeah, I noticed that last night but forgot to mention it. He'll probably figure it out though, he spent three days fooling around already and got a lotta practice. :lol:

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites

No disrespect to the poster - but I never assume that new users will figure things out.  It's safer that way!  :D

 

Vger

 

 

No disrespect taken. I am a noob and know little to nothing about how .php coding works. HTML is much simpler and, no I wouldn't have figured it out. So thanks for that info, I will change it today.

Link to comment
Share on other sites

Hi

I'm not sure that your ssl works even outside oscommerce. If you don't see the lock at the bottom, and you can't click and view your certificate, you have a problem with ssl configuration. Try a simple html or php file and test your ssl in all the used directories.

 

John

Link to comment
Share on other sites

The ssl cert is working fine now, padlock showing, no pop-ups warning about security.

 

One problem you do have is related to images which are being looked for at the ssl location, and so do not show up. It may be that an earlier piece of advice is not just directing the pages to the shared ssl but the images also. I refer to this piece of code.

 

$request_type = (getenv('HTTP_X_FORWARDED_HOST') == 'ssl.perfora.net') ? 'SSL' : 'NONSSL';

 

Vger

Link to comment
Share on other sites

I'm running an identical set-up on a test server and all is fine. On his site I have no problems either, I see all images with or without ssl engaged.

 

There's very little difference between the first solution I provided and the second. It's all about getting the base ref to change on the switch from http to https and back.

 

The second test (the one you quote above) is better because it makes no difference how this:

 

define('HTTP_SERVER', 'http://www.mydomain.com');

 

is set. The eregi test (the first one I provided) is kind of a fudge which someone else came up with long ago. For it to work

 

define('HTTP_SERVER', 'http://www.mydomain.com');

 

must be set with the www. or the base ref will always be the ssl one. See:

 

http://www.oscommerce.com/forums/index.php?sho...77entry659077

 

The bottom line is always this:

 

<base href="https://ssl.perfora.net/celticmooncda.com/catalog/">

 

(near the top in any source view) If that switches correctly for all sections the ssl detection is working correctly.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites

How did you know my site name? I am still in the testing stage with no critical info in my db, but I just was wondering how you figured it out.

 

Thanks again for all the help. I am getting ready to try the last security fix, so I might have more ??

Link to comment
Share on other sites

It's in your first post, the cookie domain, you goofed and didn't delete it. B)

 

If you mean this:

 

//$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

$request_type = (getenv('HTTP_X_FORWARDED_HOST') == 'ssl.perfora.net') ? 'SSL' : 'NONSSL';

 

This is the best fix, the other one works but it's too easy to goof it up. This one is solid.

 

Here's a little test script:

 

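<?php
  // Diagnostic only. These values derive from request headers, so escape them before echoing.
  $show = function ($name) { return htmlspecialchars((string) getenv($name), ENT_QUOTES); };
  echo 'HTTP HOST: ' . $show('HTTP_HOST'); // getenv() instead of $HTTP_HOST, which needs register_globals
  echo '<br>Server Port: ' . $show('SERVER_PORT');
  echo '<br>SSL Status: ' . $show('HTTPS');
  echo '<br>Forwarded Server: ' . $show('HTTP_X_FORWARDED_SERVER');
  echo '<br>Forwarded Host: ' . $show('HTTP_X_FORWARDED_HOST');
?>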

 

If you copy that into a file named something like myenv.php and drop it into a folder (most likely root, but anywhere) then access it via normal http and then through the ssl.perfora.net proxy you can see what's going on.

 

like so:

 

https://ssl.perfora.net/celticmooncda.com/myenv.php

 

and

 

http://celticmooncda.com/myenv.php (try with and without the www)

 

You'll see that the ssl.perfora.net proxy provides no response for getenv('HTTPS') and it's port 80.

 

A dedicated 1&1 ssl link provides a '1' and port 443 like most ssl servers do. The ssl.perfora.net proxy is a pretty sophisticated system, it switches remote ports on every request and provides very little info, it'd be pretty tough to crack.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites

In hindsight I guess I should explain the problem with using this. (I did in a previous thread but for future readers it'll all be together.)

 

$request_type = (eregi ($HTTP_HOST , HTTPS_SERVER)) ? 'SSL' : 'NONSSL';

 

This is a simple regular expression which looks for the string supplied by $HTTP_HOST in the HTTPS_SERVER string which is defined in your config file.

 

The problem comes when you set:

 

define('HTTP_SERVER', 'http://mydomain.com');

define('HTTPS_SERVER', 'https://ssl.perfora.net/mydomain.com');

 

or

 

define('HTTP_SERVER', 'http://www.mydomain.com');

define('HTTPS_SERVER', 'https://ssl.perfora.net/www.mydomain.com');

 

The eregi test will always be true in both cases since the string which results from the $HTTP_HOST inquiry will always be found in the HTTPS_SERVER string. The result will be that

 

the base href will always be

 

<base href="https://ssl.perfora.net/mydomain.com/catalog/">

 

*or*

 

<base href="https://ssl.perfora.net/www.mydomain.com/catalog/">

 

with the result being that your images and code will always be pulled through the ssl proxy, slowing the site.

 

The only way to make the eregi test work is to leave off the www in one place or the other.

 

like so:

 

define('HTTP_SERVER', 'http://www.mydomain.com');

define('HTTPS_SERVER', 'https://ssl.perfora.net/mydomain.com');

 

*or*

 

define('HTTP_SERVER', 'http://mydomain.com');

define('HTTPS_SERVER', 'https://ssl.perfora.net/www.mydomain.com');

 

I've known for a long time that people goofed this up so today I looked for a more solid fix.

 

and this is it:

 

//$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

$request_type = (getenv('HTTP_X_FORWARDED_HOST') == 'ssl.perfora.net') ? 'SSL' : 'NONSSL';

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites
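
The three SSL-detection tests discussed in this thread, run side by side over constructed request environments for the HTTP_SERVER/HTTPS_SERVER pairs mentioned above. This is an added example, not code from the thread or from osCommerce; the function names are hypothetical, `preg_match` stands in for the removed `eregi`, and the Host value seen behind the proxy is an assumption.

```php
<?php
// Added example. Request environments below are constructed, not captured.

// Stock osCommerce test: relies on the server exporting HTTPS=on.
function type_by_https_env(array $env): string {
    return ($env['HTTPS'] ?? '') == 'on' ? 'SSL' : 'NONSSL';
}

// Stand-in for the removed eregi(): case-insensitive regex search for the
// Host value inside HTTPS_SERVER, dots left unescaped as eregi treated them.
function type_by_host_match(array $env, string $httpsServer): string {
    return preg_match('~' . $env['HTTP_HOST'] . '~i', $httpsServer) === 1 ? 'SSL' : 'NONSSL';
}

// Proxy-name test from the thread. X-Forwarded-Host is a request header, so the
// result is only as reliable as the proxy being the sole party that sets it.
function type_by_forwarded_host(array $env): string {
    return ($env['HTTP_X_FORWARDED_HOST'] ?? '') == 'ssl.perfora.net' ? 'SSL' : 'NONSSL';
}

function compare(string $httpServer, string $httpsServer): array {
    // Assumption: the proxy passes the site name from the HTTPS_SERVER path as Host.
    $proxiedHost = trim(parse_url($httpsServer, PHP_URL_PATH), '/');
    $requests = [
        'direct'    => ['HTTP_HOST' => parse_url($httpServer, PHP_URL_HOST), 'SERVER_PORT' => '80'],
        // HTTPS unset and port 80, as the thread's test script reports for the proxy.
        'via proxy' => ['HTTP_HOST' => $proxiedHost, 'SERVER_PORT' => '80',
                        'HTTP_X_FORWARDED_HOST' => 'ssl.perfora.net'],
    ];
    $out = [];
    foreach ($requests as $label => $env) {
        $out[$label] = [type_by_https_env($env), type_by_host_match($env, $httpsServer),
                        type_by_forwarded_host($env)];
    }
    return $out;
}

$configs = [ // HTTP_SERVER, HTTPS_SERVER pairs discussed in the thread
    ['http://www.mydomain.com', 'https://ssl.perfora.net/www.mydomain.com'],
    ['http://www.mydomain.com', 'https://ssl.perfora.net/mydomain.com'],
    ['http://mydomain.com',     'https://ssl.perfora.net/www.mydomain.com'],
];
foreach ($configs as [$http, $https]) {
    echo "$http | $https\n";
    foreach (compare($http, $https) as $label => [$env, $match, $fwd]) {
        printf("  %-9s HTTPS-env=%-6s host-match=%-6s forwarded-host=%s\n", $label, $env, $match, $fwd);
    }
}
```

Run from the command line, the HTTPS-env column stays NONSSL even through the proxy, which is why the stock test never switches the base href. The host-match column reports SSL for a direct request whenever the direct host name is a substring of HTTPS_SERVER, and that includes the third pair, since `mydomain.com` occurs inside `www.mydomain.com`.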
