Need help getting started with SSL/HTTPS/security issues

[timbeckham]

I've been extensively modifying MS1, without implementing SSL/HTTPS capabilities, just so I could get the layout, graphics and products up first, without having to worry about security issues. I'm now ready to get my SSL certificate, apply for my merchant account and do whatever needs to be done to address security on my site. My problem is I don't have a good overall picture of how I will need to modify my site to implement SSL/HTTPS.

 

I've read in several places in this forum about separate folders for secure files and non-secure files. I do not really understand why separate directories are necessary or which files have to be in which directories. The installation information in Wiki briefly addresses how to implement SSL/HTTPS in a new installation, but it does not really address how to modify files and directories for existing, heavily modified sites. I'm afraid I'll hopelessly screw something up, unless I get a good grasp of the theory and how to configure things properly.

 

Is there a simple way to set up security that can be described here, or do I have to make an in-depth study of the matter to do it right? If I must, I will do the study, so if that is the case, does anyone have a good reference for the topic?

 

Tim Beckham

[Guest]

If your Hosting provider installs the ssl certificat correctly, the only thing you should have to do is: change your path in both admin and catalog/includes/configure.php and to define your 'enable sll' to true

 

HTH

The_Bear

[timbeckham]

The_Bear,

It sounds like you are saying I just keep all my files where they are now and change my configure.php files to reflect availability of https. Is that correct? If so, then why do so many of the messages here deal with situations where there are special directories for scripts that deal with secure messages? I'm really very ill-informed on this issue, and I do appreciate your effort to get me pointed down the right track.

Tim B.

[chfields]

Tim,

What the bear says is correct, all you need to do is change your configure files to point to your Https: and your set.

As far as why so many others need more than 1 folder I don't have a clue, I have to asume because hteir host has not set up their SSL certificate properly. I have all my files in one folder and my SSL(shared) works perfectly.

[timbeckham]

chfields,

Your response is a great relief. Finally, something is simple!! (Now all it has to do is work right.)

 

Thanks to you and The Bear for help, and thanks to the OSC team for such great work on this project!!

Tim B.

[DrumrLC]

Do any files need to be moved to the https folder?

 

I am under the impression that catalog_payment.php needs to be moved.

 

Is that correct?

[Guest]

If so, then why do so many of the messages here deal with situations where there are special directories for scripts that deal with secure messages?

Some setups use two different directories (possibly on separate servers) to handle the http and https requests. This is inherently a more difficult setup than having both point to the same directory and almost inevitably leads to problems.

 

Even when it is the same directory, sometimes ISPs configure their web servers to handle http and https requests differently. This may or may not be true in your case. The best thing is to try the easy way and if it doesn't work, it would normally give an open_basedir, etc. error message that would need to be handled.

 

In other words, your host can have everything set up for you so it is simple. Or they can make it difficult. Since this is host dependent, we can't tell you which way your host will be until *after* you try it. Then, it will either work or it will give errors. If it gives errors, then try looking at those other threads to see if any of them have the same error so that you can use their solution.

 

Hth,

Matt

[MountainMan]

Matt,

 

I was hoping you could point me in the right direction regarding instructions to pass along to my web host on how make the changes necesary to share the http/https directories. I have read many references to this, but found nothing definitive.

 

Steve

[Guest]

If they are on the same server, you can simply set the VirtualHost or whatever to point to the same directory for both. Alternately, you can use a symlink to point the https directory to the location for http. I'm not sure that I can give a more specific suggestion without knowing more of the details of the setup. Where are the current directories located? How is the web server configured (manually in httpd.conf, using apacheconf, etc.)? How do you determine what request goes to what website? It's very host specific.

 

Hth,

Matt