eZ Community » Forums » Install & configuration » A whole ez3.2 site secured by SSL, how?
expandshrink

A whole ez3.2 site secured by SSL, how?

A whole ez3.2 site secured by SSL, how?

Thursday 09 October 2003 7:24:38 pm - 11 replies

i was wondering if anybody has experience with setting up a ez3.2 site that works only over SSL.

i mean not only the admin section, but also the front-end (or a section of the front-end).

i am currently running on a shared host, but might move to a dedicated server once development is successful.

thanks guys!

Modified on Friday 10 October 2003 6:05:46 am by christian stampf

Friday 10 October 2003 11:38:47 am

Hi,

We run sites in both SSL (CA root specific and normal). eZ works on both normal and SSL connections for both admin and front end. I don't think you will have any problems.

Tony

Friday 10 October 2003 3:21:42 pm

How can we do to force SSL on a part of eZ like admin or user/login or a module in particular.

Friday 10 October 2003 6:11:04 pm

that is exactly my question. how do you force SSL on the front-end. installing eZ in a SSL directory?

i would appreciate anybody telling me their experiences on how they did it. including tips on how to improve security.

- chris

Friday 10 October 2003 7:49:17 pm

To stop port 80, don't setup port 80 in httpd.conf

tony

Friday 10 October 2003 8:18:16 pm

On my end, what I need is to secure only parts of the Site.

I want to force SSL on those parts and force not to use SSL on the other parts.

Anybody has an idea?

Tuesday 14 October 2003 3:49:47 pm

On an other thread I read that it could be done in Apache with ModRewrite.

I'm sure somebody did this.

Please help!

Wednesday 15 October 2003 10:11:01 am

On an non-ezPublish site i would add an redirect in the httpd-config from the non-secure version to the secure one.

There i created an virtualhost:

[code]

<VirtualHost *:80>
ServerAdmin webmaster@domain.tld
DocumentRoot /path/to/www.domain.tld/
ServerName www.domain.tld
ErrorLog logs/error_log
CustomLog logs/access_log combined
RewriteEngine on
RewriteCond %{SERVER_POST} !^443$
RewriteRule ^/(.*)$ https://www.domain.tld/$1 [L,R]
</VirtualHost>

[/code]

Look at the RewriteEngine,RewriteCond and rewriteRule statement.
If someone wants to view the website through port 80, there will be an redirect to port 443, which is secure.

I didn't try this on an ezPublish installation, but i think it should be possible.

I hope this code helps... happy.gif Emoticon

Modified on Wednesday 15 October 2003 11:12:31 am by J W

Wednesday 15 October 2003 2:58:34 pm

Thanks.

If I'm right, this code works if you want a whole domaine to be Forced SSL.

Do you know how to force only directories....
And to force back to Non-SSL for others directories?

Wednesday 15 October 2003 3:10:50 pm

You are right, this is for a complete domain.

I don't know how to do this for just an directory, but maybe you could do something like this:
(The following code is directly out of my head, i didn't tested it, so don't blame me if it doesn't work happy.gif Emoticon )

[code]

<VirtualHost *:80>
ServerAdmin webmaster@domain.tld
DocumentRoot /path/to/www.domain.tld/
ServerName www.domain.tld
ErrorLog logs/error_log
CustomLog logs/access_log combined
RewriteEngine on
RewriteCond %{SERVER_POST} !^443$
RewriteRule ^/directory_that_needs_to_be_secure/(.*)$ https://www.domain.tld/directory_that_needs_to_be_secure/$1 [L,R]
RewriteCond %{SERVER_POST} !^443$
RewriteRule ^/another_directory_that_needs_to_be_secure/(.*)$ https://www.domain.tld/another_directory_that_needs_to_be_secure/$1 [L,R]
</VirtualHost>

[/code]

To do the opposite (from secure to non-secure) you must alter the virtual host from the secure site.
There you must add the following lines:

[code]

<VirtualHost *:443>
ServerAdmin webmaster@domain.tld
DocumentRoot /path/to/www.domain.tld/
ServerName www.domain.tld
ErrorLog logs/error_log
CustomLog logs/access_log combined
RewriteEngine on
RewriteCond %{SERVER_POST} !^80$
RewriteRule ^/directory_that_needs_not_to_be_secure/(.*)$ http://www.domain.tld/directory_that_needs_not_to_be_secure/$1 [L,R]
RewriteCond %{SERVER_POST} !^80$
RewriteRule ^/another_directory_that_needs_not_to_be_secure/(.*)$ http://www.domain.tld/another_directory_not_that_not_needs_to_be_secure/$1 [L,R]
</VirtualHost>

[/code]

More detailed information can be found on http://httpd.apache.org/docs/misc/rewriteguide.html.

Wednesday 15 October 2003 3:26:48 pm

Thanks J W,

I'll try that....

Tuesday 25 May 2004 6:27:24 am

Hi I used the same rewrite in this thread to secure my ezp3 site and it worked very well. However I just discovered a very strange bug where trying to download an excel file (.xls) always ges apache 404 (file not found) errors.

.doc files work no problem so why only .xls, can anyone help?

expandshrink

You must be logged in to post messages in this topic!

36 542 Users on board!

Forums menu

Proudly Developed with from