Ex-***
>Secure + Non-secure mix with Apache
Hey all.
I've been setting up my site for users (http://www.xio.no), and I wanted to have some sections on the secure site (https). However I found this to be a bit of a problem as it seems I must keep the two completely separate (i.e. not sharing images or other includes from the http site) without getting the standard browser warning message "This page contains both secure and non-secure elements..... blah". I also could not use PHP include statements across the two.
Is there a workaround, or do I have to keep these sites totally separate? In that case I understand that using the SSL site is pointless unless the data transmitted is indeed sensitive, and I'm in reality just giving myself more work by making member sections with no data of that kind use a secure server.
I suppose encrypting the passwords is enough... but it would still be fun to see if there is a way to handle this. Grizz?
Now listening to various rock and metal
143rd member to join Sharkyforums.
-
Why don't you just point the root of the SSL Apache to your other root? (People are going to be able to access the secure pages from the non-secure site, but that will be their problem.) That way you can serve the same content from the secure site without worrying about unnecessary duplication.
-
Ursus Arctos Moderatis
'Tis a tricky one sometimes - but I think I can help you if I knew a little more information.
You currently have a non-SSL site, at www.xio.no ? Now where exactly are you trying to implement an SSL section, a subdomain, or a subfolder?
Either way, that might not matter too much. I noticed that when I request xio.no via http, your HTML source had all relative links in it. When I requested it via https, I ended up at a 403 error page, whose HTML source had all absolute links in it. The first one that appears in your <head> is:
Code:
<script language="JavaScript" src="http://www.xio.no/inc/mouseover.js"></script>
It's those absolute links using 'http' that are causing the browser alerts I believe you're speaking of. PHP includes do not, and cannot trigger such errors. Those errors are interpreted and handled by the browser, not the web server. The browser has no idea what PHP is, let alone what it's including on the server.
It works kind of like this: The browser requests a document from the web server via HTTPS (usually on port 443), the web server fetches the document, encrypts it with its private key, and then serves it to the browser, along with the public key (the certificate). The browser decrypts the package with the public key, and then begins parsing the HTML found inside. That HTML will typically have calls to various images, js files, css files, objects, etc.
Now...within the context of an https request - each item loaded into that HTML document also needs to be requested via HTTPS, or else the browser will warn you that the page you're trying to view is attempting to request something insecurely (such as the .js file I noted above). Generally speaking, relative links to images, js, and css are the way to go - as this prevents having to worry about such things. But if you have to use absolute paths, you *must* https them as well if you want to avoid those security alerts.
Make sense?
As far as requiring SSL in a subdomain, or subfolder, I can help you with the <Directory>, or <VirtualHost> configurations in your httpd.conf / .htaccess file if necessary. Just PM me sometime if you need.
-
Ex-***
Ah, sorry Grizzly, I moved some files from the SSL site, and you got an error message. Decided to just ditch the idea for now.
It's like this, the SSL and non-SSL sites are set up like this on the server:
PHP Code:
/*******/****/********/xio.no/httpdocs/
for non-SSL
and
PHP Code:
/*******/****/********/xio.no/httpsdocs/
for SSL
Hence relative links won't work, as all my images are in a folder under httpdocs.
And I get this when trying to include files with PHP:
Code:
Warning: open_basedir restriction in effect. File is in wrong directory .........
Does that describe the problem a bit better?
-
Ursus Arctos Moderatis
Ah I see, I take it you're on a shared host? That's a stinky configuration. Basically, you have no choice but to duplicate everything into that httpsdocs root. It sucks I know, but you get what you pay for. Shared hosting packages are often limiting, particularly if you want to engage in secure transactions.
-
Ex-***
Yeah I thought as much. For my uses it's not currently needed though. I just wanted to try it out.
Thanks for the help though.