Running Admin under SSL

[limbo90]

I was wondering whether anyone is doing this on a live shop? As in setting the admin/includes/configure.php to contain:

define('HTTP_SERVER', 'https://<My SSL URL>');

I am interested in the added security that this option offers and have tentatively set it up on a live (but not yet under use) site.

I know that this will slow things down but the question is 'by how much?'. It seems that general admin is fine but I suspect that uploads of files e.g. images etc will be very slow as they need to be encrypted.

Maybe a solution would be to protect only the 'reports' and 'customers' menus. Does anyone have any thoughts on this?

cheers

[Vger]

If your site is hosted on an Apache server and .htaccess facilities are fully enabled then you may be able to do this.

1. In the .htaccess file inside the 'admin' folder add this piece of code:

Code:

SSLRequireSSL
ErrorDocument 403 https://www.yourdomain.com/admin/

This will require that all connections to the admin panel are via a secure connection (https). It does not work on all websites, and won't work with a shared ssl.

Vger

[limbo90]

Thats an interesting point, I hadn't thought of implementing it that way. In which case it would be possible to map selected pages onto an SSL URL using mod_rewrite. I might try this . . .

I'll let you know how I get on . . .

[Ajeh]

If you want full secure in the Admin ... just edit the file:
/admin/includes/configure.php

Set both URLs for the Admin to be your secure URL ...

define('HTTP_SERVER', 'https://www.your_domain_name.com');
define('HTTPS_SERVER', 'https://www.your_domain_name.com');

Turn on the enable secure:

define('ENABLE_SSL_ADMIN', 'true');

[theodin]

Hi Ajeh,
I'm using v1.3.0.2, and what you suggested does not work. The Login is secured by SSL, but the remainder of the site is not forced to use SSL. (I dont know if thats some kind of bug or not.)

If it helps to know this, our 'HTTP_SERVER' and 'HTTPS_SERVER' are different: www.ourname.co.nz, and secure.ourname.co.nz.

In admin configure.php, 'ENABLE_SSL_CATALOG' AND 'ENABLE_SSL_ADMIN' are set to 'true'.

I'll have a crack at using the htaccess file for the mo. If this is a bug and i got it wrong, someone please PM me!

Thanks all,
Theodin

[DrByte]

It's not a bug. It's by design as of present time.

If you want your entire admin to be SSL, then use https:// URL's in your /admin/includes/configure.php, as Ajeh outlined above... BOTH defines.