A whole ez3.2 site secured by SSL, how?

Friday 10 October 2003 2:38:47 am

Hi,

We run sites in both SSL (CA root specific and normal). eZ works on both normal and SSL connections for both admin and front end. I don't think you will have any problems.

Tony

Tony Wood : twitter.com/tonywood
Vision with Technology
Experts in eZ Publish consulting & development

Power to the Editor!

Free eZ Training : http://www.VisionWT.com/training
eZ Future Podcast : http://www.VisionWT.com/eZ-Future

Friday 10 October 2003 9:11:04 am

that is exactly my question. how do you force SSL on the front-end. installing eZ in a SSL directory?

i would appreciate anybody telling me their experiences on how they did it. including tips on how to improve security.

- chris

Friday 10 October 2003 11:18:16 am

On my end, what I need is to secure only parts of the Site.

I want to force SSL on those parts and force not to use SSL on the other parts.

Anybody has an idea?

Wednesday 15 October 2003 1:11:01 am

On an non-ezPublish site i would add an redirect in the httpd-config from the non-secure version to the secure one.

There i created an virtualhost:

[code]

<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot /path/to/www.domain.tld/
ServerName www.domain.tld
ErrorLog logs/error_log
CustomLog logs/access_log combined
RewriteEngine on
RewriteCond %{SERVER_POST} !^443$
RewriteRule ^/(.*)$ https://www.domain.tld/$1 [L,R]
</VirtualHost>

[/code]

Look at the RewriteEngine,RewriteCond and rewriteRule statement.
If someone wants to view the website through port 80, there will be an redirect to port 443, which is secure.

I didn't try this on an ezPublish installation, but i think it should be possible.

I hope this code helps... :)

Wednesday 15 October 2003 6:10:50 am

You are right, this is for a complete domain.

I don't know how to do this for just an directory, but maybe you could do something like this:
(The following code is directly out of my head, i didn't tested it, so don't blame me if it doesn't work :-) )

[code]

<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot /path/to/www.domain.tld/
ServerName www.domain.tld
ErrorLog logs/error_log
CustomLog logs/access_log combined
RewriteEngine on
RewriteCond %{SERVER_POST} !^443$
RewriteRule ^/directory_that_needs_to_be_secure/(.*)$ https://www.domain.tld/directory_that_needs_to_be_secure/$1 [L,R]
RewriteCond %{SERVER_POST} !^443$
RewriteRule ^/another_directory_that_needs_to_be_secure/(.*)$ https://www.domain.tld/another_directory_that_needs_to_be_secure/$1 [L,R]
</VirtualHost>

[/code]

To do the opposite (from secure to non-secure) you must alter the virtual host from the secure site.
There you must add the following lines:

[code]

<VirtualHost *:443>
ServerAdmin [email protected]
DocumentRoot /path/to/www.domain.tld/
ServerName www.domain.tld
ErrorLog logs/error_log
CustomLog logs/access_log combined
RewriteEngine on
RewriteCond %{SERVER_POST} !^80$
RewriteRule ^/directory_that_needs_not_to_be_secure/(.*)$ http://www.domain.tld/directory_that_needs_not_to_be_secure/$1 [L,R]
RewriteCond %{SERVER_POST} !^80$
RewriteRule ^/another_directory_that_needs_not_to_be_secure/(.*)$ http://www.domain.tld/another_directory_not_that_not_needs_to_be_secure/$1 [L,R]
</VirtualHost>

[/code]

More detailed information can be found on http://httpd.apache.org/docs/misc/rewriteguide.html.

Monday 24 May 2004 9:27:24 pm

Hi I used the same rewrite in this thread to secure my ezp3 site and it worked very well. However I just discovered a very strange bug where trying to download an excel file (.xls) always ges apache 404 (file not found) errors.

.doc files work no problem so why only .xls, can anyone help?

www.dbinformatics.com.au

We are always interested in hearing from experienced eZ PHP programmers and eZ template designers interested in contract work.