SSL in Admin

[Motive]

Im on osCMax 2.0.25

I have updated my admin/includes/configure file like so:

PHP Code:

define('HTTP_SERVER', 'https://store.oemaxle.com');
  define('HTTP_CATALOG_SERVER', 'https://store.oemaxle.com');
  define('HTTPS_CATALOG_SERVER', 'https://store.oemaxle.com');
  define('ENABLE_SSL_CATALOG', 'true'); 


but when I go to the admin panel I am not redirected to SSL. Also, if I manually type https:// and log into the admin panel my browser (firefox and ie) shows me locked but the admin panel says im not.

Any thoughts?

[GPMaina]

I've run into exactly the same thing. I have followed Ridexbuilder's instructions in the osCMax Wiki and I see only one variable from what you wrote:

From Ridexbuilder:

define('HTTP_SERVER', 'https://yoursite.com');
define('HTTP_CATALOG_SERVER', 'http://yoursite.com');
define('HTTPS_CATALOG_SERVER', 'https://yoursite.com');
define('ENABLE_SSL_CATALOG', 'true');

You will note that the second define: HTTP_CATALOG_SERVER does NOT have the https in his instructions...

Anyway, I too followed the Wiki instructions, and although the browser returns an https:// address and the "Security Report" ( IE-8 & Firefox) indicates that this is a "Trusted Site" and is Encrypted/Verified... but the osCMax Admin page still says it is not SSL protected.

Could it be that the browser information is correct and that for some reason the Admin page simply is not recognizing that it is in https?

[ridexbuilder]

but the admin panel says im not.

SSL lock may not show for shared SSL.
Domain Verified (basic dedicated) SSL should show "You are protected by a unknown secure SSL connection.".
I can confirm that in 2.0.25 (an SVN version), the following works fine:

Code:

  define('HTTP_SERVER', 'https://yourdomain.com');
  define('HTTP_CATALOG_SERVER', 'http://yourdomain.com');
  define('HTTPS_CATALOG_SERVER', 'https://yourdomain.com');
  define('ENABLE_SSL_CATALOG', 'true');

[GPMaina]

I am guessing that the problem may be that I am still using oscMax v2.0.4 - but am planning to completely redo my site as soon as v2.5 is stabalized, since I don't want to completely restart twice. (I want to start from the ground up this time.)

Anyway, I do have the Admin SSL/https: working, albeit with the browser indicating Verified SSL even though the admin page says otherwise.

The problem I have run into is that the Backup Download function crashes when the admin module is set to https:// but works just fine when I reverse the procedure to work in non-https://.

Any idea what else has to be reconfigured to allow the database backup to download properly? (PS - it still backups to the Server just fine.)

The error message I get when attempting a Backup Download is:
"Internet Explorer cannot download backup.php from mydomain.com.
Internet Explorer was not able to open this Internet site. THe requested site is either unavailable or cannot be found."

...which is odd since I'm already logged into the site when I get this message and since it does work in non-https:


Thanks...
GEORGE

[ridexbuilder]

The site that I checked was previously on 2.0.4, with SSL Admin.

That's more of a sever environment issue.
Why are people infatuated with IE?

[pgmarshall]

I would strongly suggest using FireFox or Chrome to manage your admin panel. IE has loads of quirks in it ... at no point should the browser be trying to download the php file from the server!

Try it in FireFox and see if it crashes - if it does then add it to the bug tracker and we can take a look but otherwise I suspect it is a browser issue.

Regards,

[michael_s]

Uh, if this is an issue in 2.0.4, don't add to the bugtracker, as that version is no longer supported.

This is most likely an environment issue, but since you are using such an old version, all I can say with certainty is that I cannot reproduce it in 2.0.25 or 2.5 in any of my test environments. Same for your backup issue.

I vaguely remember seeing something here in the forums about the admin ssl notice not working in some environments, and there is a change to the code somewhere in the forums. It really is non-important as long as your browser knows it is ssl protected. If you cannot find the solution to correct the code (it just reads an ssl environment variable, so your server is using a different variable than oscmax is expecting) and it really bothers you, I suggest disabling the code entirely so that the browser ssl check is the only one showing.

[GPMaina]

Thank you all for responding:

pgmarshall - as you suggested I did test the https backup process using FireFox and it crashed as well. For what it's worth I have attached the error message I received which supports the suggestion that this is an server environment issue.

ridexbuilder - Why IE? Because according to my site tracker 80% of my visitors use IE - so naturally I make sure that all is working in that browser first. I do check its functionality in FireFox (12% visitors) but only after IE is working well. I ignore Chrome (3% visitors) for now.

michael_s - thank you for your help here. I can indeed live with the admin panel not reporting the SSL lock as long as the browser is actually operating under the https// lock - which apparently it is. I am looking forward to starting over with 2.5 as soon as it is released in a production version in order to resolve this and other issues.

Thanks to you all for taking the time to respond. It's not often that one gets the Big 3 to all respond to an issue. Thanks again...

GEORGE

[JohnW]

This is basically a quirk in the base osc code, but set up the admin config just like EJ stated and log in using https. Take a browser and make it your home button. I hope you are using htaccess as well as SSL in accessing your admin. I saw something recently talking about using a dedicated browser for accessing one site for higher security. The set up below will work and your browser will show a padlock if you don't have any links that aren't SSL.

PHP Code:

  define('HTTP_SERVER', 'https://www.yoursite.com'); 
  define('HTTP_CATALOG_SERVER', 'http://www.yoursite.com');
  define('HTTPS_CATALOG_SERVER', 'https://www.yoursite.com'); 


;

[GPMaina]

John:

Thanks for your help. Yes, the code you outlined is the same SSL code I am using. And Yes, I do get an indication in the https:// browser that the SSL lock is operating even though the Admin panel fails to recognize the SSL. So I am assuming, as you and michael_s say, that this is some kind of code quirk or environment disconnect that I understand has been resolved with later releases - to which, hopefully, I will soon be able to upgrade.

And Yes, I do have an htaccess password lock for the admin directory as well. But I have not gone the additional step of using the dedicated IP allow / all deny in the htaccess because my host changes my IP periodically and I do travel - so a dedicated IP just wouldn't work that well.

As far as the other quirk - the admin-backup-download-crash quirk - since it's better to use admin with SSL than not, I am getting around the backup download crash by simply using reverse FTP to download the compressed backup file (which does work) from the admin/backup directory to my desktop. This workaround will do for now - at least until I can get the version upgrade installed.

Thanks again for taking the time to respond...

GEORGE