
SSL Encryption


bgallegos

Hello,

 

I have looked around the boards about SSL and it seems that I have my configure files set up correctly according to the other threads. As of right now, my secure pages show a lock with a slash through it and say that some parts of the webpage are unencrypted.

 

I do not have any images that are being obtained outside of my domain. There are links on the page that go to http:// pages instead of https:// pages, but they are all on my domain.

 

I am also using GoDaddy, so in my configure.php DB_SERVER is not set to localhost but to their server information. I don't know if this makes a difference at all.

 

When I go to the main admin page it says that I am not protected by a secure SSL connection.

 

I was wondering what steps I should go through in order to make sure that I get secure webpages.

 

Thanks

Link to comment
Share on other sites

Hi bgallegos,

 

I have exactly the same problem. I have no images or any links on any other server. I have a red padlock with a slash in it. I used Firefox and double clicked on the padlock and it showed me another window, in that window, I can see under media I have all my images coming from http://www.my-domain.co.uk and not httpS://www.my-domain.co.uk. The S being the only difference.

 

This has to be a config error on our behalf, I am sure, as we both have our images on our local servers, and just like you, my database is on another server.

 

Would be good if we can get some help.

 

My Admin area says I am "NOT protected by SSL". If I manually change it to https: everything shows ok, but the writing still says "NOT protected by SSL". When I click a link, it goes back to http: and not https:.

 

HELP ! PLEASE !

 

(ps my site is www.nansons-essex.co.uk if you want to see if it is exactly the same as your error).

Link to comment
Share on other sites

HAHA !

 

I solved it, or rather another very nice person has already listed how to solve it !

 

Basically, my server responded with "1" and not "on" to line 41 in application_top.php! How stupid is that? :-"

 

Quoted text here and will link to the post too.

 

I guess I better add this tip here, it's the logical place after all.

 

This is for people who are having trouble getting ssl to work, especially shared ssl. The way I've written it is oriented towards a 1&1 server but its use is general and applies to all servers. It's all about setting line 41 in application_top.php for those cases where the standard query does not work.

 

This is line 41:

 

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

Now that's a very narrow test and lots of servers won't respond with on (or at all) to that. So the trick is to find out how the server does respond.

 

Create a little file, I named it myenv.php, with these lines:

 

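CODE

<?php
// Diagnostic page: shows how this server reports an SSL request.
// Values are HTML-escaped because the host and forwarded values come from request headers.
echo 'HTTP HOST: ' . htmlspecialchars((string) getenv('HTTP_HOST'));
echo '<br>Server Port: ' . htmlspecialchars((string) getenv('SERVER_PORT'));
echo '<br>SSL Status: ' . htmlspecialchars((string) getenv('HTTPS'));
echo '<br>Forwarded Server: ' . htmlspecialchars((string) getenv('HTTP_X_FORWARDED_SERVER'));
echo '<br>Forwarded Host: ' . htmlspecialchars((string) getenv('HTTP_X_FORWARDED_HOST'));
echo '<br>Forwarded By: ' . htmlspecialchars((string) getenv('HTTP_X_FORWARDED_BY'));
?>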

 

 

If you put that somewhere on the server, probably root and run it like so:

 

https://ssl.shared.com/mydomain.com/myenv.php you'll be able to see how the server responds to these queries. You'll need to change this to fit your situation but you get the idea.

 

Some dedicated ssls respond with a 1 instead of on to No. 3 for example.

 

Shared servers may respond differently to 4 & 5 but 1&1 gives the same response to both.

 

Once you know how the server answers these queries you can figure out the best solution for line 41 in application_top.php.

 

If, for example, you have a dedicated ssl and query 3 returns a 1 then you simply change line 41 to:

 

$request_type = (getenv('HTTPS') == '1') ? 'SSL' : 'NONSSL';

 

Frequently on shared servers you'll get no response at all to getenv('HTTPS'). This is where the other responses are useful (and most people have problems).

 

For example, shared 1&1 returns ssl.perfora.net to queries 4 and 5. So setting line 41 as below does the trick (I'm commenting out the original line for reference).

 

// $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

$request_type = (getenv('HTTP_X_FORWARDED_HOST') == 'ssl.perfora.net') ? 'SSL' : 'NONSSL';

 

Here's another case:

 

The standard ssl port for dedicated ssl is 443 (the standard http port is 80). I've seen dedicated ssl which returns no response for getenv('HTTPS') but does return a 443. In this case you can set line 41, testing for port 443, like so:

 

$request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL';

 

The best way to use the script is to run it in both http and https environments and look at the differences in the responses. You want to pick a response which is unique to ssl (your https connection), it's no use to pick something which stays the same in both modes, you want to pick something to make a switch.

Link to comment
Share on other sites
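
The three line-41 variants from the quoted tip, combined into one check, as an added example that is not part of the original posts or of osCommerce. It goes one step beyond the tip: the forwarded host is a request header, so it is honoured only when the connection comes from a listed proxy address; the function name, its parameters and the proxy address 192.0.2.10 are assumptions for illustration.

```php
<?php
// Added example (not osCommerce code); function and parameter names are hypothetical.
// Returns 'SSL' or 'NONSSL' from an array of server variables such as $_SERVER.
function detect_request_type(array $server, array $trusted_proxies = array(), $ssl_forward_host = '') {
  // 1. HTTPS flag: "on" and "1" both mean SSL; IIS reports "off" for plain http.
  $https = isset($server['HTTPS']) ? strtolower(trim($server['HTTPS'])) : '';
  if ($https === 'on' || $https === '1') {
    return 'SSL';
  }
  // 2. No usable flag: fall back to the port the request arrived on.
  if (isset($server['SERVER_PORT']) && (string) $server['SERVER_PORT'] === '443') {
    return 'SSL';
  }
  // 3. Shared SSL proxy: accept the forwarded host only from a trusted proxy,
  //    because any client can send an X-Forwarded-Host header of its own.
  $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
  if ($ssl_forward_host !== ''
      && in_array($remote, $trusted_proxies, true)
      && isset($server['HTTP_X_FORWARDED_HOST'])
      && strtolower($server['HTTP_X_FORWARDED_HOST']) === strtolower($ssl_forward_host)) {
    return 'SSL';
  }
  return 'NONSSL';
}

// Constructed sample requests; the addresses are documentation placeholders.
$samples = array(
  'flag is on'       => array('HTTPS' => 'on', 'SERVER_PORT' => '443'),
  'flag is 1'        => array('HTTPS' => '1'),
  'IIS plain http'   => array('HTTPS' => 'off', 'SERVER_PORT' => '80'),
  'port only'        => array('SERVER_PORT' => '443'),
  'via shared proxy' => array('SERVER_PORT' => '80', 'REMOTE_ADDR' => '192.0.2.10',
                              'HTTP_X_FORWARDED_HOST' => 'ssl.perfora.net'),
  'forged header'    => array('SERVER_PORT' => '80', 'REMOTE_ADDR' => '203.0.113.5',
                              'HTTP_X_FORWARDED_HOST' => 'ssl.perfora.net'),
);
foreach ($samples as $label => $server) {
  // Every sample prints SSL except 'IIS plain http' and 'forged header'.
  echo $label . ': ' . detect_request_type($server, array('192.0.2.10'), 'ssl.perfora.net') . "\n";
}
// In application_top.php the call would take the place of line 41:
// $request_type = detect_request_type($_SERVER, array('192.0.2.10'), 'ssl.perfora.net');
```

Under Apache 2, SERVER_PORT reflects the physical port only when UseCanonicalName and UseCanonicalPhysicalPort are both On; otherwise it can follow the port in the Host header, so the port test is weaker than the HTTPS flag.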


If you get : error page can not be found https://yoursharedhost/~yoursharedserver/myenv.php

 

As this is how I got it.

Link to comment
Share on other sites

  • 3 weeks later...

My host is GoDaddy.com

 

I tried the myenv.php test

I was not getting any value in response to the getenv('HTTPS')

I added one line to the bottom of myenv.php

 

// all coded as suggested in previous post
phpinfo(INFO_ALL);
?>

 

My server does not have an environment variable named HTTPS

I used the suggested syntax

 

// set the type of request (secure or not)

$request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL';

 

This suggestion solved the issue where https pages did not display the padlock icon.

The message "You are not protected by a secure SSL connection" still persists on the admin page even after I changed the setting in /admin/includes/configure.php to

 

define('HTTP_CATALOG_SERVER', 'https://www.mysite.com');
define('HTTPS_CATALOG_SERVER', 'https://www.mysite.COM');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

After looking at the above settings I realize that this probably applies to the catalog pages only and not the admin. I guess I can live with the "You are not protected.." message on the admin page for now.

 

I am a raging novice so don't get the impression I know what I'm talking about.

Thanks to all for providing suggestions. I greatly appreciate the help.

 

Dauggie

Link to comment
Share on other sites

I tried running this on my IIS server but received no output other than the html... any ideas? Because the system is running in ssl but I am trying to debug it because I can't install any modules. Shows the correct path as to where the modules would be located but they are not showing up in the list to be able to install...

 

Any ideas?

Link to comment
Share on other sites

I doctored up my admin config in this post http://www.oscommerce.com/forums/index.php?showtopic=218299 for Windows servers...

As for the lock, check out the contribution I made last night fixing the admin.php file to work with both Apache and IIS; it recognizes both 1 and on for ssl being on.

I would only update this file if you get a message that you're not secured... or the bits aren't showing up and you are actually on an https site and your browser does show you as secured.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
