  1. #1
    Join Date
    May 2006
    Posts
    14
    Plugin Contributions
    0

    LiteSpeed webserver: BASE HREF on my SSL pages is http, not https

    I am having the same issue. My SSL certificate is fine as far as I can tell: https://managertoolspublishing.com/test.php

    So are the configure files, both in admin/includes and /includes:

    Admin configure:

    define('HTTP_SERVER', 'http://managertoolspublishing.com');
    define('HTTPS_SERVER', 'https://managertoolspublishing.com');
    define('HTTP_CATALOG_SERVER', 'http://managertoolspublishing.com');
    define('HTTPS_CATALOG_SERVER', 'https://managertoolspublishing.com');

    // Use secure webserver for catalog module and/or admin areas?
    define('ENABLE_SSL_CATALOG', 'true');
    define('ENABLE_SSL_ADMIN', 'true');

    Include configure:

    // Define the webserver and path parameters
    // HTTP_SERVER is your Main webserver: eg-http://www.your_domain.com
    // HTTPS_SERVER is your Secure webserver: eg-https://www.your_domain.com

    define('HTTP_SERVER', 'http://managertoolspublishing.com');
    define('HTTPS_SERVER', 'https://managertoolspublishing.com');

    // Use secure webserver for checkout procedure?
    define('ENABLE_SSL', 'true');

    What is causing the problem is the BASE HREF in html_header.php:

    <base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ); ?>" />

    If you look at the BASE HREF URL in, e.g.:

    https://managertoolspublishing.com/s...ain_page=login

    you will see that the BASE HREF is http, not https, which makes all relatively linked files (CSS, images) cause a security warning. I haven't touched the code in html_header.php.

    Any ideas? Of course security warnings will scare people away, so any help is greatly appreciated.

    Regards,
    Peter

  2. #2
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: SSL is on, but http:// login page does not redirect to https://

    What version of Zen Cart?

    Who is your hosting company? Some do their SSL in nonconventional ways, and may not be compatible with Zen Cart.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    May 2006
    Posts
    14
    Plugin Contributions
    0

    Re: SSL is on, but http:// login page does not redirect to https://

    Originally posted by DrByte:
    > What version of Zen Cart?
    >
    > Who is your hosting company? Some do their SSL in nonconventional ways, and may not be compatible with Zen Cart.

    Version: v1.3.9b

    Host: Binero.se

    The admin section works perfectly fine in SSL, which does not use a base href. I have dotproject on the server as well, and its SSL works just fine as well.

  4. #4
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: SSL is on, but http:// login page does not redirect to https://

    Copy the following into a new file, called "ssltest.php", and upload it to your server.
    Then access the page using your browser, and copy the output and post it here as a reply.
    Code:
    <?php
    // Diagnostic only: upload, load once over https://, copy the output, then delete the file.
    define('HTTPS_SERVER', 'https://put-your-https-URL-here');
    // Any one of these server- or proxy-supplied indicators marks the request as SSL.
    $request_type = (((isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) == 'on' || $_SERVER['HTTPS'] == '1'))) ||
                     (isset($_SERVER['HTTP_X_FORWARDED_BY']) && strpos(strtoupper($_SERVER['HTTP_X_FORWARDED_BY']), 'SSL') !== false) ||
                     (isset($_SERVER['HTTP_X_FORWARDED_HOST']) && (strpos(strtoupper($_SERVER['HTTP_X_FORWARDED_HOST']), 'SSL') !== false || strpos(strtolower($_SERVER['HTTP_X_FORWARDED_HOST']), str_replace('https://', '', HTTPS_SERVER)) !== false)) ||
                     (isset($_SERVER['SCRIPT_URI']) && strtolower(substr($_SERVER['SCRIPT_URI'], 0, 6)) == 'https:') ||
                     (isset($_SERVER['HTTP_X_FORWARDED_SSL']) && ($_SERVER['HTTP_X_FORWARDED_SSL'] == '1' || strtolower($_SERVER['HTTP_X_FORWARDED_SSL']) == 'on')) ||
                     (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && (strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'ssl' || strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https')) ||
                     (isset($_SERVER['HTTP_SSLSESSIONID']) && $_SERVER['HTTP_SSLSESSIONID'] != '') ||
                     (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443')) ? 'SSL' : 'NONSSL';
    if ($request_type=='NONSSL') {
      // Some proxies reveal the secure hostname only in X-Forwarded-Server.
      if (isset($_SERVER['HTTP_X_FORWARDED_SERVER']) &&  strpos(strtolower($_SERVER['HTTP_X_FORWARDED_SERVER']),  str_replace('https://', '', HTTPS_SERVER)) !== false) {
        $request_type .= '<br> ... BUT HTTP_X_FORWARDED_SERVER may contain useful info. You may need to upgrade to a newer ZC version';
      }
    }
    // Escape the dump so header values sent by the browser are shown as text, not rendered as HTML.
    echo 'Protocol detected: ' . $request_type . '<br /><br /><br /><pre>' . htmlspecialchars(print_r($_SERVER, TRUE), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';

    Last edited by DrByte; 22 Jan 2013 at 10:58 PM. Reason: updated to include extra test for HTTP_X_FORWARDED_SERVER

  5. #5
    Join Date
    May 2006
    Posts
    14
    Plugin Contributions
    0

    Re: BASE HREF on my SSL pages is http, not https

    Thank you for helping me DrByte.

    Here is the output for https://managertoolspublishing.com/ssltest.php:

    Protocol detected: NONSSL


    Array
    (
    [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    [HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7
    [HTTP_ACCEPT_LANGUAGE] => en-us,en;q=0.5
    [HTTP_CONNECTION] => keep-alive
    [HTTP_COOKIE] => BIGipServerLitespeed-Cluster-01=1762371776.20480.0000
    [HTTP_HOST] => managertoolspublishing.com
    [HTTP_USER_AGENT] => Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
    [HTTP_CACHE_CONTROL] => max-age=0
    [HTTP_KEEP_ALIVE] => 115
    [DOCUMENT_ROOT] => /storage/content/50/102150/managertoolspublishing.com/public_html
    [REMOTE_ADDR] => 192.168.11.100
    [REMOTE_PORT] => 1423
    [SERVER_ADDR] => 192.168.11.105
    [SERVER_NAME] => managertoolspublishing.com
    [SERVER_PORT] => 80
    [REQUEST_URI] => /ssltest.php
    [REDIRECT_STATUS] => 200
    [SCRIPT_FILENAME] => /storage/content/50/102150/managertoolspublishing.com/public_html/ssltest.php
    [QUERY_STRING] =>
    [SCRIPT_URI] => http://managertoolspublishing.com/ssltest.php
    [SCRIPT_URL] => /ssltest.php
    [SCRIPT_NAME] => /ssltest.php
    [SERVER_PROTOCOL] => HTTP/1.1
    [SERVER_SOFTWARE] => LiteSpeed
    [REQUEST_METHOD] => GET
    [PHP_SELF] => /ssltest.php
    [PATH] => /bin:/usr/bin
    [REQUEST_TIME] => 1284715830
    [argv] => Array
    (
    )

    [argc] => 0
    )

    So the SSL works fine according to the browser, yet your script identifies it as NONSSL.

  6. #6
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: BASE HREF on my SSL pages is http, not https

    If you notice, your server does NOT actually report SSL properly.

    - HTTPS is not even mentioned
    - SCRIPT_URI is actually showing an http: address, not https:
    - SERVER_PORT is 80, and not 443 which is what SSL uses

    So, it would seem that the "LiteSpeed" webserver engine you're using isn't operating in any conventional way.
    Specifically, it gives NO hooks by which one can properly identify that it's serving content over SSL.
    Therefore things are breaking.

  7. #7
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: BASE HREF on my SSL pages is http, not https

    Even LiteSpeed's website suggests that at least HTTP_X_FORWARDED_PROTO should be set if it's going to handle SSL. But yours clearly doesn't do that either. If it did, Zen Cart would pick it up.
    ref: http://www.litespeedtech.com/support...https_redirect
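
An added example, not part of the original posts and not Zen Cart's code: the diagnosis in posts #6 and #7 written as a PHP function that accepts `X-Forwarded-Proto` only when the request arrives from a trusted proxy address. The `TRUSTED_PROXIES` list and the function name are assumptions; the first sample is reduced from the dump in post #5, the other two are constructed.

```php
<?php
// Added example, not Zen Cart code (needs PHP 7+). TRUSTED_PROXIES is an assumption:
// replace it with the address(es) your host confirms for its TLS-terminating proxy.
const TRUSTED_PROXIES = ['192.168.11.100'];

/**
 * Classify a request as 'SSL' or 'NONSSL' from a $_SERVER-style array.
 * Proxy-supplied headers count only when the direct peer is a trusted proxy,
 * because any client can send its own X-Forwarded-Proto header.
 */
function detect_request_type(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    // Indicators set by the web server itself when it terminates TLS.
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    if ($https === 'on' || $https === '1') {
        return 'SSL';
    }
    if ((string)($server['SERVER_PORT'] ?? '') === '443') {
        return 'SSL';
    }

    // Indicator relayed by a proxy: honour it only from a known peer.
    $peer  = (string)($server['REMOTE_ADDR'] ?? '');
    $proto = strtolower(trim((string)($server['HTTP_X_FORWARDED_PROTO'] ?? '')));
    if (in_array($peer, $trustedProxies, true) && ($proto === 'https' || $proto === 'ssl')) {
        return 'SSL';
    }
    return 'NONSSL';
}

// Sample 1 is reduced from the dump posted in this thread; samples 2 and 3 are constructed.
$asPosted   = ['REMOTE_ADDR' => '192.168.11.100', 'SERVER_PORT' => '80',
               'SCRIPT_URI'  => 'http://managertoolspublishing.com/ssltest.php'];
$withHeader = $asPosted + ['HTTP_X_FORWARDED_PROTO' => 'https'];
$forged     = ['REMOTE_ADDR' => '203.0.113.7', 'SERVER_PORT' => '80',
               'HTTP_X_FORWARDED_PROTO' => 'https'];

foreach (['as posted' => $asPosted, 'proxy sets header' => $withHeader,
          'untrusted peer sets header' => $forged] as $label => $sample) {
    echo str_pad($label, 28) . detect_request_type($sample) . PHP_EOL;
}
```

The peer check is only meaningful when the web server is reachable solely through the proxy; if clients can connect to it directly, restrict that path at the network level as well.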

  8. #8
    Join Date
    May 2006
    Posts
    14
    Plugin Contributions
    0

    Re: BASE HREF on my SSL pages is http, not https

    Originally posted by DrByte:
    > Even litespeed's website suggests that at least HTTP_X_FORWARDED_PROTO should be set if it's going to handle SSL. But yours clearly doesn't do that either. If it did, Zen Cart would pick it up.
    > ref: http://www.litespeedtech.com/support...https_redirect

    Hi DrByte.

    Thank you for all your help, I truly appreciate it.

    I will contact the host on Monday and talk to them about this. This should be easy to resolve, it seems. Running an e-commerce on a server that doesn't handle SSL properly seems a bit counterproductive.

    Regards,
    Peter

  9. #9
    Join Date
    May 2006
    Posts
    14
    Plugin Contributions
    0

    Re: LiteSpeed webserver: BASE HREF on my SSL pages is http, not https

    Is the fact that port 80 is used and not 443 a security issue?

  10. #10
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: LiteSpeed webserver: BASE HREF on my SSL pages is http, not https

    Well, that would be a question I'd be asking the host. (Technically if it's merely proxying between servers in a secure environment, then there's little risk of data being tampered with, but it's not guaranteed since it truly is not encrypted while being transmitted between hosting servers.)
    You're right that it raises an alarm, and brings the hosting integrity into question.
    If they can't give concrete proof that the data is secure in that scenario, I'd be double-questioning the service.

 

 