justinswa (Author) Posted July 15, 2003 ...you just have to look at the posts and the number of views for any thread with "shared ssl" in the subject... So, I just installed the 2.2 milestone, which claims to have full support for shared SSL. My domain is www.mydomain.com. This is where I want to run all my insecure catalog pages from and this is what I want the search engines to index. My secure server has the URL www.secureispserver.com/www.mydomain.com. So I change my config files to show this so that I can have a secure checkout routine. After I make the changes I get "page not found". Of course I do, because I haven't uploaded any files to the secure server, where they have to be to be secure. So I upload the files to the secure server. Seems there isn't a single folder that handles the checkout that I can upload - as everything calls EVERYTHING else, I have to upload all the files in the catalog directory to the secure server. So now the secure server works fine - when people click the login or checkout files they go onto the mirrored files on the secure server - great. Next problem - the admin area has to be secured too - no point in having the checkout secure if you log on to pick up credit card details off an unsecured server. So I change the settings in my config files and upload all of the admin files to the secure server. This seems to work, but one BIG problem. If I try and change any catalog file through admin, the files it pulls up are the files on the secure server, not the ones on the unsecured server that people see when they view the catalog. This is because the config files ask for relative file paths (not URLs) for the catalog files :x :x :x :x :x :x The only way I can see 'round this is just to host the whole site on my shared SSL, which isn't ideal as the domain I registered won't even be seen by the search engines. This doesn't really seem like "support" for shared SSL, more like "intense loathing" for shared SSL.
PLEASE, while I still have hair, has anyone set up their site with shared SSL for the checkout and admin without this problem, and if so, how? So many people here will be so happy if you can tell us... :P Justin
justinswa (Author) Posted July 15, 2003 BTW, if you have this problem too, please reply to this thread, just to say "me too" so we can hopefully stop it flying off the board, as there are billions of postings per second....
dvdvideo Posted July 16, 2003 IMHO I don't see what the problem is with using .htaccess for protecting your admin area; hence you won't then have the problems you mention.
ZAP Posted July 16, 2003 Uh...right, but you still need an SSL connection for checking/processing orders. htaccess doesn't help you there. I guess that you could process orders via the admin area on your secure server and do everything else from your regular server, but that does seem a bit cumbersome.
Mark1 Posted July 16, 2003 I had the same problem you guys are describing a few months back. I solved the problem. I bought my own SSL certificate. 8) It cost me $69. OSC is free, guys; you saved WAY more than $69.00 when you downloaded it. I saved DAYS of work. My webpage looks more reputable because the SSL certificate matches the site, and for $69 bucks, I don't see how any merchant can justify looking "cheap" to their customers for not having their own certificate. Sometimes a few wisely spent dollars solves the problem. I realize not everyone thinks they can afford their own SSL certificate, but in my mind, I can't afford to not have my own. Mark
Draxx Posted July 16, 2003 (quoting Mark1:) I had the same problem you guys are describing a few months back. I solved the problem. I bought my own SSL certificate. 8) It cost me $69. OSC is free, guys; you saved WAY more than $69.00 when you downloaded it. I saved DAYS of work. My webpage looks more reputable because the SSL certificate matches the site, and for $69 bucks, I don't see how any merchant can justify looking "cheap" to their customers for not having their own certificate. Sometimes a few wisely spent dollars solves the problem. I realize not everyone thinks they can afford their own SSL certificate, but in my mind, I can't afford to not have my own. Mark
I agree 100%. I bought a 3 year certificate for $179 with 10K warranty. All a user has to do is add the s. Nothing better than https://yoursite.com
Mark1 Posted July 16, 2003 (quoting Draxx:) I agree 100%. I bought a 3 year certificate for $179 with 10K warranty. All a user has to do is add the s. Nothing better than https://yoursite.com
How about https://SECURE.yoursite.com !! :lol: leaves little doubt in the customer's mind about security. :wink: It really is a small price to pay for your sanity. (not to mention your hair) Mark
justinswa (Author) Posted July 16, 2003 (quoting ZAP:) Uh...right, but you still need an SSL connection for checking/processing orders. htaccess doesn't help you there. I guess that you could process orders via the admin area on your secure server and do everything else from your regular server, but that does seem a bit cumbersome.
This was my idea, but the problem is that if you change any files (language for example) on the secure admin, the versions on the secure site and not the unsecure site are changed, and you can't fix this by changing config files. I have an idea though :shock: . I could keep the admin on the unsecured site and upload a .htaccess file to redirect calls to the file used to collect payments to the version of the file on the secure server. This way only the credit card collection and nothing else in admin is done on the secure server, so I don't have the problems with admin updating the wrong files. I know osC is free and a very good deal for us all, but it just seems that - for an ecommerce package - a little more thought could have been given to using shared SSL for checkout AND admin. If this works I will be VERY happy. If it doesn't I will either just put the whole site (bar the default page) on the shared SSL or give in and buy a dedicated SSL (having already paid for the shared one :roll: ). I'll let you know if it works.... Justin
TB Posted July 16, 2003 (quoting Mark1:) How about https://SECURE.yoursite.com !! :lol: leaves little doubt in the customer's mind about security. :wink:
If you use the https://secure.yoursite.com method, you still have to muck around copying files to that directory (unless you can put a redirection in place that uses your 'normal' files). I got a certificate for my site, and use https://www.turningbase.com It's easy as far as files are concerned, and I've also placed a logo in the header that only appears when you're on HTTPS. The contribution for putting the logo on your site is here: http://www.oscommerce.com/community/contributions,1297 Cheers, Tony "The price of success is perseverance. The price of failure comes much cheaper."
dan_snik Posted July 16, 2003 I have used Easyspace's (www.easyspace.com) shared SSL with their business hosting package, and I have no problems accessing the same set of pages via their SSL link. Only one set of pages needs to be uploaded and maintained on the standard http://www.yoursite.com - and the pages also appear smoothly on the shared SSL https://secure24.easyspace.com/www.yoursite.com I agree that the URL could look better, but the word 'secure' is in the URL and it works with no problems on the osCommerce 2.2ms2 version.
chfields Posted July 16, 2003 I use shared SSL on my site and only have 1 copy of files in the root. My secure URL is https://host73.ipowerweb.com/~username/what...hateverfile.php and my non-secure is http://mrsfieldsgoodies.com. I get https during the entire checkout and then when they go back it goes back to http. I have my admin password protected. I am running 2.2 MS1. I guess I should be very thankful that my SSL works so simply. There is one drawback: my host doesn't support individual SSL certificates. So if I want my own SSL I would have to change servers and move everything. :evil:
Guest Posted July 16, 2003 Same thing here. The site I am working on right now (only 1 set of files in root) is http://thebear.qc.ca/index.php and shared SSL is https://www.sibername.biz/~thebear//create_account.php That's why I find it very strange when people say they have to upload 2 sets of files! I guess it is the way that this hosting provider installs its shared SSL certificate! The_Bear
justinswa (Author) Posted July 16, 2003 (quoting chfields:) I get https during the entire checkout and then when they go back it goes back to http. I have my admin password protected
A lot of people don't seem to realise - there's no point in securing the checkout if you then go in through an unsecured admin (even if this is password protected) to pick up credit card details. I've managed to secure the checkout procedure on my shared SSL without any real problem. It's securing the admin that's the problem, because once you put this on a secure server it refuses to update the files on the unsecured server... still working on the redirection... Justin
Mark1 Posted July 16, 2003 Justin, I feel you are hitting your head against a brick wall here. If that is what you wish to do, be my guest :wink: . Let me assure you that with a properly installed private SSL certificate, the entire user side checkout process, any customer information accessed on the user side AND the entire admin side are protected by the SSL certificate AND password protected. I can't imagine your customer's information getting any more secure than that. Mark
justinswa (Author) Posted July 16, 2003 (quoting myself:) I have an idea though. I could keep the admin on the unsecured site and upload a .htaccess file to redirect calls to the file used to collect payments to the version of the file on the secure server. This way only the credit card collection and nothing else in admin is done on the secure server, so I don't have the problems with admin updating the wrong files.
It worked!! :D :D :D I uploaded a .htaccess file to redirect orders.php and customers.php to the secure server versions so that only this bit of admin is secure and the rest is on the unsecure server, and you can use it to update the correct files on the unsecured server. One thing you have to watch 'though - once you use the orders link and go onto the secure server to collect payments, all of the other links on admin now point to the secured version, so if you then clicked on an admin link to make a change to a catalog file, it would change the wrong file, on the secure server. The way 'round this is either to remember to log off from the secure admin and then log back on to the unsecure admin before making changes, or do what I did and make another .htaccess file on the secure server to point ALL of the files in the secure catalog/admin top directory APART from the customers.php and orders.php files (otherwise you get a loop) BACK to the unsecured server. There's probably about 30 files, but you only have to do it once. WHAT A CARRY ON!
ZAP Posted July 17, 2003 Nah. I agree with Mark, Justin. Maintaining two sets of files is a pain in the butt and asking for trouble. It seems to me as if your host has basically just set up your SSL server wrong (I didn't think anyone did it that way anymore). I have shared SSL certificates on three different servers, and none of them work like that. They all redirect to my main www directory using https, and osC handles that just fine. If you can't get your host to set it up for you this way, then I would say you only have two reasonable options:
1. Get a new host
2. Purchase and install your own certificate
justinswa (Author) Posted July 17, 2003 OK, it does seem to me that the whole thing is unnecessarily complicated, but a lot of people have the same problem. This means that a lot of ISPs have their shared secure servers set up wrong, or we're all setting up the config files in OSC wrong. I don't really understand this properly, but it seems to me that for files to be secure, they MUST be stored on the secure server. OK, you could view them on the unsecured server THROUGH the secured server, but they're still there in the unsecured server and you COULD call them directly. Because every file relies on billions of other files in the includes directory, even if you just want the checkout routine on the secure server, you have to upload all of the files in the catalog directory to there for it to work. If you want to have your main catalog on the unsecured server, so these "proper" URLs can be indexed by search engines, then you have to have all the catalog files on the unsecured server also. I can't see a way around this, but maybe this is just me not understanding the way shared SSL works? The only way OSC could make things easier is by updating both sets of files simultaneously, which it doesn't do. The way I've got it set up now with my redirects, it WILL work, without me having to update duplicates. All files used by the catalog are on the unsecured server, and if changes are made through admin, only these features will be updated. The only things that are used on the secure server are the checkout routines and the admin routines for customer details and credit card details. The only thing I might have to watch is if I add new modules I may need to put them on both servers. Anyway, I'm on to my ISP about the setup for the shared secure server, to see if I've got my settings right in my config files. I'll let you know if I discover anything (for all the dunces like me out there who can't work this out) :?
Guest Posted July 17, 2003 Hey Justin, I was thinking along the same line as you with the htaccess files... but I am not sure which one to edit and how to do it... can ya share a lil info on what u did to it? Thanks in advance, Tom
ZAP Posted July 17, 2003 (quoting justinswa:) OK, you could view them on the unsecured server THROUGH the secured server, but they're still there in the unsecured server and you COULD call them directly.
Aha! So you're saying that on your setup you CAN load files in your regular web directory with an SSL (https:) connection? If so, THAT'S ALL YOU NEED TO DO. In fact, that's what all us shared-SSL folks are doing. You seem to know plenty about .htaccess files, so maybe I'm stating something ridiculously obvious here, but securing the FILES is not what you need an SSL connection for. You need SSL to encrypt the information sent by the customer to your server, as well as to you when you log in as an admin. The info that you're protecting is stored in your MySQL database (not the php files), and most hosts set those up on a separate database server. To secure your admin area files, you should use .htaccess (on Apache anyway), but all the other files can be in a regular public web directory. If you set up osC to use your shared SSL certificate, it will make sure that all personal info is sent via SSL. If you CAN do this using your host, then that's what you should do.
justinswa (Author) Posted July 17, 2003 I have to admit that my head is now totally done in... (quoting Tom:) I was thinking along the same line as you with the htaccess files... but I am not sure which one to edit and how to do it... can ya share a lil info on what u did to it? Thanks in advance
On the unsecure server you need to include lines like this in a .htaccess file in the base public directory.
Redirect /catalog/admin/orders.php https://sharedssl/www.mysecuredomain.com/ca...dmin/orders.php
Redirect /catalog/admin/customers.php https://sharedssl/www.mysecuredomain.com/ca...n/customers.php
This ensures that when you view the customer details through admin the connection is secure. The next problem is that after you've used this link to view customer details / cc details, you are now on the secured version of admin, so all the other links in admin will be to this version and any changes that you make to catalog files here will be made to the secured ones, which you don't want. So, you either log out of the secure admin and log back on to the unsecure admin before making these changes, or you put in more redirects to send calls made to all of the other links in admin (apart from customers.php and orders.php) back to the unsecured version of admin. So the .htaccess file in the base public directory of the secured server would look something like this:
Redirect /catalog/admin/backup.php http://www.mydomain.com/catalog/admin/backup.php
Redirect /catalog/admin/banner_manager.php http://www.mydomain.com/catalog/admin/bann...ner_manager.php
Redirect /www.mydomain.com/catalog/admin/banner_statistics.php ...etc for ALL the files except orders.php and customers.php.
It's not at all pretty, but it works. One problem I have discovered though - the images directory.
When you are using the secured version of admin, it calls on the secured images directory, so if you've added images (eg for new products) with the unsecured version of admin, to the unsecured images directory, these won't show up when you're in the secured version. I thought - well, I'll just make another redirect to send all calls to the secured images directory to the unsecured images directory. This doesn't seem to work 'though -
Redirect /www.mysecure.com/catalog/images/ http://www.mydomain.com/catalog/images/
doesn't point https://www.mysecuredomain.com/images/product.gif to https://www.mydomain.com/images/product.gif for some reason, but this may just be that I can't use these redirects in this way and I have to specify a particular file. Anybody know if there is another way to use the redirect to get 'round this? Otherwise I'll just have to give in and update the images on the secure server manually when I update the ones on the unsecure server, or set up a cron job to periodically copy them across, but I'm not sure how to do that and it would be very unpretty. (quoting ZAP:) To secure your admin area files, you should use .htaccess (on Apache anyway), but all the other files can be in a regular public web directory. If you set up osC to use your shared SSL certificate, it will make sure that all personal info is sent via SSL. If you CAN do this using your host, then that's what you should do.
I'm not convinced. If I look at credit card details with my admin files that aren't stored on the secure server, the browser is not secured - no padlock at the bottom - and in theory it is possible for a third party to see this as the info on the page is not encrypted - regardless of the way this info was sent from the database to the browser. I'm going to pull the rest of my hair out :evil:
ZAP Posted July 17, 2003 (quoting justinswa:) I'm not convinced. If I look at credit card details with my admin files that aren't stored on the secure server, the browser is not secured - no padlock at the bottom - and in theory it is possible for a third party to see this as the info on the page is not encrypted - regardless of the way this info was sent from the database to the browser.
Then you either don't have osC set up to use your SSL connection properly, or your host has set it up so that it doesn't work in the normal way. You will see a padlock whenever you are using SSL protocol (https: URLs), but that doesn't mean you need to store the files in a different location - you're just establishing a secure connection between you and the server. Where the files are is irrelevant. Have you tried setting osC up using the standard shared SSL settings to see if it works on your server? Either it will work (with one set of files) or it won't, but then you'll know. You would NOT get an unsecured admin area if you had osC set up to use your SSL connection and your host doesn't allow that - you would get a file not found error.
coffman Posted July 18, 2003 I have read through this entire thread and several others related to this topic. I am convinced that my shared SSL should be working, but it is not. Here is the relevant info from my configure.php:
define('HTTP_SERVER', 'http://suncreekmusic.com');
define('HTTPS_SERVER', 'https://secure11.worldaxxs.net/ssl.suncreekmusic.com');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'suncreekmusic.com');
define('HTTPS_COOKIE_DOMAIN', 'suncreekmusic.com');
define('HTTP_COOKIE_PATH', '/store/');
define('HTTPS_COOKIE_PATH', '/store/');
define('DIR_WS_HTTP_CATALOG', '/store/');
define('DIR_WS_HTTPS_CATALOG', '/store/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
I also tried using www.suncreekmusic.com and that did not help. When I go to my login page, I see no images, and many if not most of the URLs in the document are of the form: href="/ssl.suncreekmusic.com" It's like osC is slicing off the http://* piece. Help!!!! BTW: referencing my SSL URL directly for other pages seems to work fine. Thanks.. -MichaelC
coffman Posted July 18, 2003 (quoting myself:) I have read through this entire thread and several others related to this topic. I am convinced that my shared SSL should be working, but it is not. Here is the relevant info from my configure.php:
define('HTTP_SERVER', 'http://suncreekmusic.com');
define('HTTPS_SERVER', 'https://secure11.worldaxxs.net/ssl.suncreekmusic.com');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'suncreekmusic.com');
define('HTTPS_COOKIE_DOMAIN', 'suncreekmusic.com');
define('HTTP_COOKIE_PATH', '/store/');
define('HTTPS_COOKIE_PATH', '/store/');
define('DIR_WS_HTTP_CATALOG', '/store/');
define('DIR_WS_HTTPS_CATALOG', '/store/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
I also tried using www.suncreekmusic.com and that did not help. When I go to my login page, I see no images, and many if not most of the URLs in the document are of the form: href="/ssl.suncreekmusic.com" It's like osC is slicing off the http://* piece. Help!!!! BTW: referencing my SSL URL directly for other pages seems to work fine. Thanks..
Follow up. OK, I thought I had tried www.suncreekmusic.com, but apparently I did not. By adding www to the front of the web address, I get images. Why does the URL get stripped when this is not present? Oh well. With the www added, when I try to login, it just kicks me back to the login page. How can I debug this? I would really appreciate the help. Thanks. -MichaelC
justinswa (Author) Posted July 18, 2003 (quoting ZAP:) You would NOT get an unsecured admin area if you had osC set up to use your SSL connection and your host doesn't allow that - you would get a file not found error.
Yes, I DO get page not found when I try the normal SSL setup UNLESS I upload identical files to the secured server. You may view your admin files on your unsecured server through your secured server, but anybody could just cut out the part of the address at the beginning that is for the secured server and view them directly on the unsecured server, right? ZAP, would you mind letting us see what you have in your config files? Changing stuff for security, of course. Thanks. Back with the unpretty solution, it seems that symbolic links may be the way to go with the images directory... Justin
ZAP Posted July 18, 2003 Sorry if I seem hard-headed, but I still don't quite understand your situation. (quoting justinswa:) Yes, I DO get page not found when I try the normal SSL setup UNLESS I upload identical files to the secured server. You may view your admin files on your unsecured server through your secured server, but anybody could just cut out the part of the address at the beginning that is for the secured server and view them directly on the unsecured server, right?
I don't understand how the first two sentences there jive at all. What do you mean when you say that you can view your admin files on the unsecured server via the secure server? If you mean that you can use SSL protocol to view files in your main web directory, then that's exactly what you want to do. It really doesn't matter that someone could manually change the URL and load the page without SSL, does it? I don't see how that's a security risk in any way, since all the links on that page that are supposed to be secure still are. So for example, if someone purposefully loaded the login or checkout pages without SSL, they still couldn't submit information insecurely, since all the forms and links would be secure. The purpose of SSL is not to protect your files from being viewed by hackers, but to encrypt communication between the client and server when using those files. My shared SSL setup is pretty straightforward. I am using a CVS snapshot from mid-June (pre MS2 but significantly different from MS1), so my configure.php is somewhat different from yours. The SSL setup should be the same, however.
define('HTTP_SERVER', 'http://www.mydomain.com');
define('HTTPS_SERVER', 'https://secure.myhost.com/~xxx000');
define('ENABLE_SSL', true);
define('DIR_WS_CATALOG', '/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_DOWNLOAD_PUBLIC', DIR_WS_CATALOG . 'pub/');
define('DIR_FS_DOCUMENT_ROOT', '/usr/home/web/users/xxx000/html');
define('DIR_FS_CATALOG', '/usr/home/web/users/xxx000/html/');
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');
My admin configure.php is essentially the same but with my admin directory as root.
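An added example (not osCommerce code, nor anything posted in this thread) that checks the shared-SSL cookie scope in a configure.php like coffman's above. On a shared SSL host the catalog lives at HTTPS_SERVER plus DIR_WS_HTTPS_CATALOG, i.e. a different hostname and a deeper path than the plain-HTTP side, so a session cookie whose Domain does not match that hostname is rejected by the browser, and one whose Path is not a prefix of the real path is never sent back; either one would produce the "kicked back to the login page" behaviour coffman reports. Whether that is the actual cause of his loop is my assumption; the checker only shows that the posted settings have both mismatches, and what ZAP-style settings that match the HTTPS host look like.

```python
# Added example (not part of osCommerce or this thread): check the
# shared-SSL cookie scope in an osCommerce 2.2 configure.php.
import re
from urllib.parse import urlsplit

# Constructed from the configure.php fragment coffman posted in the thread.
COFFMAN_CONFIG = """
define('HTTP_SERVER', 'http://suncreekmusic.com');
define('HTTPS_SERVER', 'https://secure11.worldaxxs.net/ssl.suncreekmusic.com');
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'suncreekmusic.com');
define('HTTPS_COOKIE_DOMAIN', 'suncreekmusic.com');
define('HTTP_COOKIE_PATH', '/store/');
define('HTTPS_COOKIE_PATH', '/store/');
define('DIR_WS_HTTP_CATALOG', '/store/');
define('DIR_WS_HTTPS_CATALOG', '/store/');
"""

# Matches only defines whose value is a plain single-quoted string; the
# DIR_WS_INCLUDES . '...' concatenations are irrelevant here and skipped.
DEFINE_RE = re.compile(r"define\('(\w+)',\s*'([^']*)'\);")


def parse_defines(text):
    """Return {NAME: value} for the single-quoted string defines in text."""
    return dict(DEFINE_RE.findall(text))


def catalog_url(cfg, secure):
    """Base URL osC builds for catalog links: *_SERVER + DIR_WS_*_CATALOG."""
    if secure:
        return cfg['HTTPS_SERVER'].rstrip('/') + cfg['DIR_WS_HTTPS_CATALOG']
    return cfg['HTTP_SERVER'].rstrip('/') + cfg['DIR_WS_HTTP_CATALOG']


def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host equals the cookie domain or is under it."""
    d = cookie_domain.lstrip('.').lower()
    host = host.lower()
    return host == d or host.endswith('.' + d)


def check_cookie_scope(cfg, secure):
    """Return a list of scope problems for the HTTP or HTTPS cookie settings."""
    side = 'HTTPS' if secure else 'HTTP'
    url = urlsplit(catalog_url(cfg, secure))
    domain = cfg[f'{side}_COOKIE_DOMAIN']
    path = cfg[f'{side}_COOKIE_PATH']
    problems = []
    if not domain_matches(url.hostname, domain):
        problems.append(f"{side}_COOKIE_DOMAIN {domain!r} does not match host "
                        f"{url.hostname!r}: the browser will reject the cookie")
    if not url.path.startswith(path):
        problems.append(f"{side}_COOKIE_PATH {path!r} is not a prefix of "
                        f"{url.path!r}: the cookie is never sent back")
    return problems


def suggested_https_cookie_scope(cfg):
    """Cookie domain/path derived from where the HTTPS catalog really lives."""
    url = urlsplit(catalog_url(cfg, True))
    return {'HTTPS_COOKIE_DOMAIN': url.hostname, 'HTTPS_COOKIE_PATH': url.path}


if __name__ == '__main__':
    cfg = parse_defines(COFFMAN_CONFIG)
    for secure in (False, True):
        label = 'https' if secure else 'http'
        print(f'{label}: {catalog_url(cfg, secure)}')
        for problem in check_cookie_scope(cfg, secure) or ['ok']:
            print('  ' + problem)
    print('suggested:', suggested_https_cookie_scope(cfg))
```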
Archived
This topic is now archived and is closed to further replies.