A whole ez3.2 site secured by SSL, how?


christian stampf

Thursday 09 October 2003 10:24:38 am

I was wondering if anybody has experience with setting up an ez3.2 site that works only over SSL.

I mean not only the admin section, but also the front-end (or a section of the front-end).

I am currently running on a shared host, but might move to a dedicated server once development is successful.

thanks guys!

Tony Wood

Friday 10 October 2003 2:38:47 am

Hi,

We run sites in both SSL (CA root specific and normal). eZ works on both normal and SSL connections for both admin and front end. I don't think you will have any problems.

Tony

Tony Wood : twitter.com/tonywood
Vision with Technology
Experts in eZ Publish consulting & development

Power to the Editor!

Free eZ Training : http://www.VisionWT.com/training
eZ Future Podcast : http://www.VisionWT.com/eZ-Future

Vincent Saulnier

Friday 10 October 2003 6:21:42 am

How can we force SSL on a part of eZ like admin or user/login or a module in particular?

christian stampf

Friday 10 October 2003 9:11:04 am

That is exactly my question. How do you force SSL on the front-end? Installing eZ in an SSL directory?

I would appreciate anybody telling me their experiences on how they did it, including tips on how to improve security.

- chris

Tony Wood

Friday 10 October 2003 10:49:17 am

To stop port 80, don't set up port 80 in httpd.conf.

tony


Vincent Saulnier

Friday 10 October 2003 11:18:16 am

On my end, what I need is to secure only parts of the Site.

I want to force SSL on those parts and force not to use SSL on the other parts.

Does anybody have an idea?

Vincent Saulnier

Tuesday 14 October 2003 6:49:47 am

In another thread I read that it could be done in Apache with ModRewrite.

I'm sure somebody did this.

Please help!

J W

Wednesday 15 October 2003 1:11:01 am

On a non-ezPublish site I would add a redirect in the httpd config from the non-secure version to the secure one.

There I created a virtual host:

[code]

<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot /path/to/www.domain.tld/
ServerName www.domain.tld
ErrorLog logs/error_log
CustomLog logs/access_log combined
RewriteEngine on
# Redirect every request that did not arrive on port 443 to the HTTPS site
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*)$ https://www.domain.tld/$1 [L,R]
</VirtualHost>

[/code]

Look at the RewriteEngine, RewriteCond and RewriteRule statements.
If someone wants to view the website through port 80, there will be a redirect to port 443, which is secure.

I didn't try this on an ezPublish installation, but I think it should be possible.

I hope this code helps... :)

Vincent Saulnier

Wednesday 15 October 2003 5:58:34 am

Thanks.

If I'm right, this code works if you want a whole domain to be forced to SSL.

Do you know how to force only directories...
And to force back to non-SSL for other directories?

J W

Wednesday 15 October 2003 6:10:50 am

You are right, this is for a complete domain.

I don't know how to do this for just a directory, but maybe you could do something like this:
(The following code is straight out of my head, I didn't test it, so don't blame me if it doesn't work :-) )

[code]

<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot /path/to/www.domain.tld/
ServerName www.domain.tld
ErrorLog logs/error_log
CustomLog logs/access_log combined
RewriteEngine on
# Each RewriteCond applies only to the RewriteRule that follows it
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/directory_that_needs_to_be_secure/(.*)$ https://www.domain.tld/directory_that_needs_to_be_secure/$1 [L,R]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/another_directory_that_needs_to_be_secure/(.*)$ https://www.domain.tld/another_directory_that_needs_to_be_secure/$1 [L,R]
</VirtualHost>

[/code]

To do the opposite (from secure to non-secure) you must alter the virtual host from the secure site.
There you must add the following lines:

[code]

<VirtualHost *:443>
ServerAdmin [email protected]
DocumentRoot /path/to/www.domain.tld/
ServerName www.domain.tld
ErrorLog logs/error_log
CustomLog logs/access_log combined
RewriteEngine on
# Send the listed directories back to plain HTTP; the target path must match the pattern
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^/directory_that_needs_not_to_be_secure/(.*)$ http://www.domain.tld/directory_that_needs_not_to_be_secure/$1 [L,R]
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^/another_directory_that_needs_not_to_be_secure/(.*)$ http://www.domain.tld/another_directory_that_needs_not_to_be_secure/$1 [L,R]
</VirtualHost>

[/code]

More detailed information can be found on http://httpd.apache.org/docs/misc/rewriteguide.html.
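
The port-80 and port-443 rule sets from the post above, modelled in Python as an added example (not code from the thread) to check where each URL ends up and that the two virtual hosts never bounce a request back and forth. The host and directory names are the thread's placeholders; `redirect` and `resolve` are hypothetical helper names, and the model covers only these path-prefix rules, not the rest of mod_rewrite.

```python
import re

# Constructed model of the two vhosts above: (listening port, pattern, target).
# Host and directory names are the thread's placeholders.
RULES = [
    (80, r"^/directory_that_needs_to_be_secure/(.*)$",
     r"https://www.domain.tld/directory_that_needs_to_be_secure/\1"),
    (80, r"^/another_directory_that_needs_to_be_secure/(.*)$",
     r"https://www.domain.tld/another_directory_that_needs_to_be_secure/\1"),
    (443, r"^/directory_that_needs_not_to_be_secure/(.*)$",
     r"http://www.domain.tld/directory_that_needs_not_to_be_secure/\1"),
    (443, r"^/another_directory_that_needs_not_to_be_secure/(.*)$",
     r"http://www.domain.tld/another_directory_that_needs_not_to_be_secure/\1"),
]
PORTS = {"http": 80, "https": 443}


def redirect(url, rules=RULES):
    """Return the redirect target for url, or None if it is served as-is."""
    scheme, rest = url.split("://", 1)
    path = "/" + rest.partition("/")[2]          # drop the host, keep the path
    for port, pattern, target in rules:
        # Only the rules of the vhost listening on this scheme's port apply
        if port == PORTS[scheme] and re.match(pattern, path):
            return re.sub(pattern, target, path)
    return None


def resolve(url, rules=RULES, max_hops=5):
    """Follow redirects to the final URL; raise RuntimeError on a loop."""
    seen = [url]
    while (nxt := redirect(seen[-1], rules)) is not None:
        if nxt in seen or len(seen) > max_hops:
            raise RuntimeError("redirect loop: " + " -> ".join(seen + [nxt]))
        seen.append(nxt)
    return seen[-1]
```

The patterns require the trailing slash, so `/directory_that_needs_to_be_secure` without it is not redirected by these rules. Listing the same prefix in both virtual hosts produces a redirect loop, which `resolve` reports.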

Vincent Saulnier

Wednesday 15 October 2003 6:26:48 am

Thanks J W,

I'll try that....

Brendan Pike

Monday 24 May 2004 9:27:24 pm

Hi, I used the same rewrite in this thread to secure my ezp3 site and it worked very well. However, I just discovered a very strange bug where trying to download an Excel file (.xls) always gets Apache 404 (file not found) errors.

.doc files work no problem so why only .xls, can anyone help?

www.dbinformatics.com.au

We are always interested in hearing from experienced eZ PHP programmers and eZ template designers interested in contract work.
