Download & Extend
Secure Pages » Issues

"Enable Secure Pages" greyed out - no _SERVER["HTTPS"] on phpinfo...Dunno what to do!

Posted by superkt on January 19, 2009 at 7:06am
Project:Secure Pages
Version:6.x-1.7-beta2
Component:Miscellaneous
Category:bug report
Priority:normal
Assigned:Unassigned
Status:closed (duplicate)
Issue tags:secure pages

Issue Summary

Hi,

I'm having the exact same issue as http://drupal.org/node/347682 but I am not using that host. I am hosted through HostGator. I can access everything in Drupal with https but I still cannot enable Secure Pages.

Any help would be awesome.

Login or register to post comments

Comments

#1

Posted by superkt on January 19, 2009 at 9:07am

Apparently it has something to do with Shared SSL (which I use).
Huh.

#2

Posted by NazMan on September 23, 2009 at 3:52am

Hi,

This has nothing to do with the shared SSL.
This code:

<?php
phpinfo();
?>

returned no $_SERVER['HTTPS']
When I run phpinof(); using Shared SSL $_SERVER[SERVER_PORT] => 443 but $_SERVER['HTTPS'] is not visible.

I kept digging and found a couple of posts suggesting an issue with the hosting. Something about the load balancer dealing with SSL making it transparent to the Web Server.

I found two links that may help you if you have access to your Apache configuration files:
http://www.mellonway.com/Apache2_SSL_Proxy_for_Drupal
and:

Keyword -- Load Balancer

The problem boils down to the fact that the load balancer is handling SSL encryption/decryption and it is completely transparent to the webserver.

Request: Client -> 443or80 -> loadbalancer -> 80 -> php
Response: PHP -> 80 -> loadbalancer -> 443or80 -> Client
The real question here is "do you have control over the load balancer configuration?"

If you do, there are a couple ways to handle it. Configure the load balancer to have seperate service definitions for HTTP and HTTPS. Then send HTTP traffic to port 80 of the web servers, and HTTPS traffic to port 81 of the webservers. (port 81 is not used by anything else).

In apache, configure two different virtual hosts:

ServerName foo.com
SetEnv USING_HTTPS 0
...

ServerName foo.com
SetEnv USING_HTTPS 1
...

Then, the environment variable "USING_HTTPS" will be either 1|0, depending on which virtual host picked it up. That will be available in the $_SERVER array in PHP. Isn't that cool?

If you do not have access to the Load Balancer configuration, then things are a bit tricker. There will not be a way to definitively know if you are using HTTP or HTTPS, because HTTP and HTTPS are protocols. They specify how to connect and what format to send information across, but in either case, you are using HTTP 1.1 to make the request. There is no information in the actual request to say if it is HTTP or HTTPS.

But don't lose heart. There are a couple of ideas.

The 6th parameter to PHP's setcookie() function can instruct a client to send the cookie ONLY over HTTPS connections (http://www.php.net/setcookie). Perhaps you could set a cookie with this parameter and then check for it on subsequent requests?

Another possibility would be to use javascript to update the links on each page depending on the protocol (adding a GET parameter).

(neither of the above would be bullet proof)

Another pragmatic option would be to get your SSL on a different domain, such as "secure.foo.com". Then you could resort to the VirtualHost trick above.

I know this isn't the easiest issue because I deal with it during the day (load balanced web cluster behind a Cisco CSS load balancer with SSL module).

Finally, you can always take the perspective that your web app should switch to SSL mode when needed, and trust the users NOT to move it back (after all, it is their data on the line (usually)).

Hope it helps a bit.

Posted by gahooa http://stackoverflow.com/users/64004/gahooa on
http://stackoverflow.com/questions/552162/detecting-https-vs-http-on-ser...

If anyone thinks of something else...

Thanks

#3

Posted by torgosPizza on September 25, 2009 at 11:06pm

Ah yes, we went through this with our new host. If they are using a load balancer you have to actually enable the secure ports 443 (and sometimes 8443) in the config itself. That's not a Drupal issue per se but something you should contact your host about.

#4

Posted by NazMan on September 26, 2009 at 8:54am

Hi,

Some people are going to say we should use Secure Pages module and I agree. Unfortunately some times it does not work because of the web hosting services...
After a few days googling I found a work around using .htaccess

This code will make sure that you stop using HTTPS when you are not in the checkout, the login or the user pages !(cart/checkout|user|login):

<IfModule mod_rewrite.c>
  RewriteEngine on
   .
   .
   .
   .
  RewriteCond %{HTTPS} on
  RewriteCond %{QUERY_STRING} !(cart/checkout|user|login)
  RewriteRule ^(.*)$ http://www.YourWebsite.com/$1 [R,L]

</IfModule>

This code will make sure that you START using HTTPS when you are in the checkout, the login or the user pages (cart/checkout|user|login):

<IfModule ssl_module>
    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteCond %{QUERY_STRING} (cart/checkout|user|login)
    RewriteRule ^(.*)$ https://www.YourWebsite.com/$1 [R,L]
</IfModule>

Note that you can use as many pages needed in https/http by including their name inside the (pagename1|pagename2|pagename3|....|....|....). Make sure to separate the page names using |.

#5

Posted by webcyt on December 16, 2009 at 10:45am

I also have had the problem of greyed out "enable secured pages"!

My host provides a plesk panel, under the Hosting "setup" icon the is an option to enable "SSL Support" this still does not enable secured pages but you can also check the box "Use a single directory for housing SSL and non-SSL content", I have found that
"enable secured pages"! on drupal can now be enabled.

I am not sure if this is a reccomended drupal workaround since I dont fully understand what further issues this might pose? perhaps someone could enlighten us.

But at least the drupal sytem is happy. and it seems to be working ok for me!

#6

Posted by paulbooker on March 11, 2010 at 12:36pm

I haven't gone through all of this convesation but it looks as though we need to distill all of the great
advice here into the modules documentation.

Any body feel up to this challenge ?

Best,
Paul Booker
Appcoast

#7

Posted by minorOffense on May 9, 2011 at 7:16pm

Beyond the hosting provider specific issues, should the securepages_is_secure function not look like this?
(see securepages.module)

<?php
function securepages_is_secure() {
  return (isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) == 'on' || $_SERVER['HTTPS'] == TRUE)) ? TRUE : FALSE;
}
?>

Since a user can use SetEnv HTTPS on or SetEnv HTTPS 1 in your host definition?

#8

Posted by kremo5le on July 7, 2011 at 9:05pm

This is what worked for me:

http://www.ubercart.org/forum/support/10407/cannot_enable_secure_pages_m...

#9

Posted by grendzy on July 20, 2011 at 10:20pm
Status:active» closed (duplicate)

I agree this needs to be better documented - discussion has been moved to #360893: "Enable Secure Pages" greyed out - no _SERVER["HTTPS"] on phpinfo...Dunno what to do! .

In the meantime there's some more detailed instructions on http://www.metaltoad.com/blog/running-drupal-secure-pages-behind-proxy (even if you don't use a proxy this explains how to set $_SERVER['HTTPS'] on non-standard web servers).

#10

Posted by VanessaM on February 5, 2012 at 9:52am

This was the only solution I found to solving the problem I have been having since installing SecurePages on my site containing SSL. The problem was that once I was on an https page, and then clicked on a non secure page, the url still stayed https. Thank you so much!!!!

#11

Posted by VanessaM on February 6, 2012 at 10:44am

I get security errors on the page when I used the above code in #4. Any ideas why?
I am running on server:Apache 2.2.21 using Php 5.3.8