securing admin? how do I do it?

[gheffron]

Apologies if it's obvious -- my client noticed that it wasn't secure and I need to fix it pronto pronto! I thought it would be secure because I reinstalled and got the SSL working for the catalog (checkout is currently secure). Why isn't the admin secure? Do I need to reinstall again?

Thanks ahead,
Greg

[michael_s]

Hi,

you need to edit the admin/includes/configure.php file.

Find the http server define and change it to your https url. Do the same for the https define. Make sure use ssl is set to 'True'

That should secure it for you...

[gheffron]

Thanks a heap! Worked like a charm.

Cheers,
Greg

[david510]

Hello,
I just did that and noe it is showing as 'You are protected by a unknown secure SSL connection.' Please help

David

[groggory]

It's SSL. You're good.

[sagarc]

How did you get the checkout working? I am having a terrible problem in connecting the checkout, create account etc to SSL. Am using a shared SSL connection and it it having database problems.

[groggory]

Quote:

Originally Posted by sagarc

How did you get the checkout working? I am having a terrible problem in connecting the checkout, create account etc to SSL. Am using a shared SSL connection and it it having database problems.

I put it in the wiki. I tested it using both a cert and a shared cert. Just follow the wiki.

http://oscdox.com/modules.php?op=mod...p;pagename=SSL

[NickW]

I had to change the following line of code in the admin index.php file before it would recognise that the connection is secure (seems to be a peculiarity of this 1&1 server):

around line 236:
if (getenv('HTTPS') == 'on')
changed to:
if (getenv('HTTPS') == '1')

The variable SSL_CIPHER_ALGKEYSIZE does not seem to be available on my server so I'm getting the message "...unknown secure SSL connection".

[michael_s]

Quote:

"...unknown secure SSL connection".

If anyone is interested, this is usually due to the Apache environment not making the ModSSL environment variables available to virtual accounts.

If your host allows htaccess and is using ModSSL, you should be able to add the following directive to your /admin .htaccess file to enable the SSL environment variables:

Code:

SSLOptions +CompatEnvVars

Then, you should change the following line (341 in oscmax v2) in /admin/index.php:

Code:

    $size = ((getenv('SSL_CIPHER_ALGKEYSIZE')) ? getenv('SSL_CIPHER_ALGKEYSIZE') . '-bit' : '<i>' . BOX_CONNECTION_UNKNOWN . '</i>');

to

Code:

    $size = ((getenv('SSL_KEYSIZE')) ? getenv('SSL_KEYSIZE') . '-bit' : '<i>' . BOX_CONNECTION_UNKNOWN . '</i>');

That will allow osCMax to read the ModSSL environment variable 'SSL_KEYSIZE' and the admin page will correctly display the level of encryption your cert is using.