charles
Posted December 20, 2003

I'm a little confused on this admin security thing. When I installed the cart I selected SSL. SSL in configure is set to 'true'. Now, when a user logs in the padlock appears and the entire site is secure. So far so good.

Now in Admin configure, SSL is also set to 'true' but I do not get a padlock when I open it up. I understand that for me I have 3 options. One is to manually set htaccess to require username and password. The second is a contribution for securing admin. The third is my server offers an Ensim administrator control panel.

Currently through Ensim I have the Admin folder protected and must enter a username and password to access the page but I do not get a padlock. I am advised by Admin that I am not protected by a secure SSL connection. Once I log in I have free access throughout the admin site. Using the same browser window, if I navigate outside of the admin site I can navigate back in again without having to log in over again, but a new browser window must log in separately. .htaccess exists in the admin folder with the same info which I use for logging in.

Is this sufficient to protect admin? What has to trigger the padlock to secure the site? Is it necessary with the Ensim security in place? Am I protected by SSL even though OSC thinks I am not?

Thanks,
Charles

We stand in ignorance only for questions not asked. Plug up the leaks in your knowledge base and open up a flood of understanding.

Guest
Posted December 20, 2003

In admin/includes/configure.php, change your HTTP_SERVER to use an https address.

Hth,
Matt

charles
Posted December 20, 2003

Matt,

I changed

define('HTTP_SERVER', 'http://www.naturespirit.com'); // eg, http://localhost - should not be empty for productive servers

to read

define('HTTP_SERVER', 'https://bpweb.bpweb.com/naturespirit.com'); // eg, http://localhost - should not be empty for productive servers

but Admin still does not SSL lock. Any other suggestions?

Charles

charles
Posted December 20, 2003

Actually, here is what happens. It turns out that when I change

define('HTTP_SERVER', 'http://www.naturespirit.com'); // eg, http://localhost - should not be empty for productive servers

to a secure address

define('HTTP_SERVER', 'https://bpweb.bpweb.com/naturespirit.com'); // eg, http://localhost - should not be empty for productive servers

Here is what happens:

When I log on to 'https://bpweb.bpweb.com/naturespirit.com/admin/' I get the htaccess login window and the entire site is SSL locked.

When I log on to http://www.naturespirit.com/admin/ I get the htaccess login window but the main admin page is not SSL locked. If I navigate to another page in admin, say 'configuration', I again get the htaccess login window and the site is then SSL locked. If I then use the browser to go back to the main admin page it is then SSL locked.

However, in both of these cases I lose at least the language icons in Admin. I have not checked to see what other images are broken. So changing the HTTP SERVER to HTTPS is not a good way to solve the problem.

So, I'm still looking for a solution. Anyone?

Guest
Posted December 20, 2003

It is still the only way. You just need to keep moving forward and solve the problems as you reach them.

The images problem is probably caused by an error in DIR_WS_CATALOG_IMAGES. The flags problem is probably caused by an error in DIR_WS_CATALOG_LANGUAGES. Alternately, you might be able to fix this by changing your HTTP_CATALOG_SERVER to match the HTTP_SERVER.

Hth,
Matt

charles
Posted December 21, 2003

No, changing Catalog Server did not work.

What I've been able to determine is that when I use the browser to:

log on directly to the HTTPS url, if HTTP Server is set to HTTP address then first page is LOCKED but all other admin pages are NOT LOCKED and language icons WORK.

log on directly to the HTTPS url, if HTTP Server is set to HTTPS address then first page is LOCKED and all other admin pages are LOCKED too and language icons DO NOT WORK.

log on directly to the HTTP url, if HTTP Server is set to HTTP address then first page is NOT LOCKED and all other admin pages are NOT LOCKED too and language icons WORK.

log on directly to the HTTP url, if HTTP Server is set to HTTPS address then first page is NOT LOCKED and all other admin pages are LOCKED and language icons DO NOT WORK.

So, no matter whether I log on to the SSL or non SSL url, whenever the HTTP Server is set to an HTTPS address, the language icons are always broken.

When I right click on the broken language icon and select properties, the path reads:

https://bpweb.bpweb.com/OSC_Catalog/include...images/icon.gif

So, somewhere along the way, osCommerce drops 'naturespirit.com' from the HTTPS address 'bpweb.bpweb.com/naturespirit.com' causing the icons to break. All HTTPS addresses in both catalog and admin 'configure.php' files are correct and complete.

Does anyone have any suggestions? Does this appear to be a server side problem involving redirects?

Thanks,
Charles

charles
Posted December 21, 2003

Oh yes, and it is only those images and icons located in catalog appearing in admin which are broken.

Charles

Guest
Posted December 21, 2003

Check that your DIR_FS paths are correct for running admin through your secure server.

Matti

charles
Posted December 21, 2003

Well, they are set per your previous suggestion:

http://www.oscommerce.com/forums/index.php?sho...ndpost&p=275695

and Admin has been running beautifully. I even solved the Cache Control problem. But, now, when trying to implement SSL the catalog based images break. I've tried adjusting the DIR_FS paths to https addresses but it broke admin again so I had to go back to the original suggested paths.

I can't understand why half of the https address disappears. Possibly some coding in the file which brings the icons and images in? The one problem I have with php is that since it is dynamic I have trouble figuring out exactly which file generated the viewable code.

Charles

charles
Posted December 21, 2003

HAH! :lol: Who was that masked man? Matti Ressler take another bow! Thanks again Matti.

Actually, you were close, but it was your suggestion that led me to the answer. It wasn't the DIR_FS but the DIR_WS defines. I tried altering the FS codes again, but again they did not work. Then I started to think, /naturespirit.com/ is being truncated from the Secure Server address. Hmmm... What if, (since the Secure Server services so many sites), 'bpweb.bpweb.com' was the actual Secure Server address and my domain name 'naturespirit.com' was considered just another path folder. After all, it drops the 'www' in the Secure Server address.

So, in the code

define('HTTP_SERVER', 'https://bpweb.bpweb.com/naturespirit.com'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'http://www.naturespirit.com');
define('HTTPS_CATALOG_SERVER', 'https://bpweb.bpweb.com/naturespirit.com');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', '/home/virtual/site41/fst/var/www/html'); // where the pages are located on the server
define('DIR_WS_ADMIN', '/OSC_Admin/'); // absolute path required
define('DIR_FS_ADMIN', '/home/virtual/site41/fst/var/www/html/OSC_Admin/'); // absolute path required
define('DIR_WS_CATALOG', '/OSC_Catalog/'); // absolute path required
define('DIR_FS_CATALOG', '/home/virtual/site41/fst/var/www/html/OSC_Catalog/'); // absolute path required

I changed

define('DIR_WS_CATALOG', '/OSC_Catalog/'); // absolute path required

to

define('DIR_WS_CATALOG', '/naturespirit.com/OSC_Catalog/'); // absolute path required

and got all of my catalog resident images back!

Build that man a retirement villa on a billabong out back! Thanks again Matti.

Best regards,
Charles
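
Added example, not part of the original thread and not osCommerce code: a small model of why the icons broke on the shared SSL host and why the DIR_WS_CATALOG change fixed them. It assumes admin pages sit at the server base plus DIR_WS_ADMIN and that the page emits catalog images as a root-relative path built from DIR_WS_CATALOG; the image file name is a constructed placeholder because the thread elides the real one.

```javascript
// Added example. Values come from the thread, except SAMPLE_IMAGE, which is
// constructed (the thread elides the real image path).
const PLAIN_BASE = 'http://www.naturespirit.com';
const SHARED_SSL_BASE = 'https://bpweb.bpweb.com/naturespirit.com';
const DIR_WS_ADMIN = '/OSC_Admin/';
const CATALOG_FOLDER = '/OSC_Catalog/';        // folder under the site's document root
const SAMPLE_IMAGE = 'constructed/icon.gif';   // constructed placeholder

// Assumption: admin pages live at <server base> + DIR_WS_ADMIN.
function adminPageUrl(serverBase) {
  return serverBase + DIR_WS_ADMIN + 'index.php';
}

// Assumption: the page emits the image as DIR_WS_CATALOG + file, i.e. a
// root-relative reference. The browser resolves it against the page URL and
// keeps only scheme and host from the base, discarding the base path.
function requestedImageUrl(serverBase, dirWsCatalog) {
  return new URL(dirWsCatalog + SAMPLE_IMAGE, adminPageUrl(serverBase)).href;
}

// Where the file is actually served when the site is reached via serverBase.
function actualImageUrl(serverBase) {
  return serverBase + CATALOG_FOLDER + SAMPLE_IMAGE;
}

// Check one DIR_WS_CATALOG value against both ways of reaching admin.
function audit(dirWsCatalog) {
  return [PLAIN_BASE, SHARED_SSL_BASE].map((serverBase) => {
    const requested = requestedImageUrl(serverBase, dirWsCatalog);
    return {
      page: adminPageUrl(serverBase),
      requested,
      imageLoads: requested === actualImageUrl(serverBase),
      encrypted: new URL(requested).protocol === 'https:',
    };
  });
}

for (const dir of ['/OSC_Catalog/', '/naturespirit.com/OSC_Catalog/']) {
  console.log(`DIR_WS_CATALOG = ${dir}`);
  for (const r of audit(dir)) {
    console.log(`  ${r.page}\n    -> ${r.requested}  loads=${r.imageLoads} https=${r.encrypted}`);
  }
}
```

In this model the corrected DIR_WS_CATALOG resolves correctly only on the shared SSL host, so admin has to be opened through the https address for the images to load.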
Archived
This topic is now archived and is closed to further replies.