By djax80 on

Can anyone tell me which is the best way to do HTTPS for Drupal 6

For example - i would like to have the login page as HTTPS

In a basic web site, you would simply add the LOGIN page (login.php) to the HTTPS folder on your server - but as Drupal is database driven, there is no single LOGIN page (login.php) - and everything goes through page.tpl

Thereofre - what is the best way to do this? - do i make a complete copy of my Drupal 6 files - and add them to the HTTPS folder (making sure the settings.php still point to the SAME database as the live site in the HTTP folder)

Is this what everyone else does? Or is there an easier way (i imagine there is a more complex way too)

many thanks

djax

Categories: Drupal 6.x

Comments

Anonymous’s picture

Anonymous (not verified) commented

Hello,

I use the securepages module
http://drupal.org/project/securepages

I use it for the login page and admin interface

/user
/admin

Regards,

djax80’s picture

djax80 commented

thanks - i added it to my modules, but not enabled it as yet - but there is very little info with it

could you tell me how you have your set up?

in the Admin > Module page it says

"Set which pages are always going to be used in secure mode (SSL) Warning: Do not enable this module without configuring your web server to handle SSL with this installation of Drupal"

Therefore, i didnt enable it

Specifically i want to know how to configure it with an Apache server?

Do i need to direct SSL at my Drupal folder on the server?

djax

Anonymous’s picture

Anonymous (not verified) commented

If ssl is set up on the apache server, nothing else to do, just enable the module and configure it to protect the "folders" you want to protect with SSL

e.g.
/user and /admin

barbnooch’s picture

barbnooch commented

But what is the best way to access the files in the http area from the https folder?
I have /vhost/drupal-test/http and /vhost/drupal-test/https. Should I set up a symbolic link in the https folder to point to http or something?

barbnooch’s picture

barbnooch commented

I actually figured this out and left and explanation of what I did over on another post:
http://drupal.org/node/327805#comment-2846384

strae’s picture

strae commented

My actual client website is 99% in http, and just 2 pages in https (login and retrieve password).
I have to rebuild it in drupal, keeping the 'public area' in http and the 'sensible-data pages' in https, i'll try the secure pages module, but i havent understood a thing: my /var/www/vhosts/example.com/httpsdocs/ folder is actually empty (i have put drupal in /httpdocs), should i put something in it?

You HAVE to assume your visitor is a maniac serial killer, out to destroy your application. And you have to prevent it.

Anonymous’s picture

Anonymous (not verified) commented

just install and enable the module and then configure via the admin interface. You tell it which pages to protect using SSL.
if you try to access a protected page over http you will automatically redirect to the https page.

espirates’s picture

espirates commented

I opted to not use SSL, it's a sham, buying over-priced certificates just to have a logo that says your verified and https which in fact doesn't prove anything. I'll make my own logo, users generally aren't aware of http or https anway, if you ask me the whole SSL thing is just a way to scam people out of their money.

davidhernandez’s picture

davidhernandez
Primary language English
Location USA
commented

No. SSL (HTTPS) encrypts the connection to protect data transferred between the web browser and the server. It is important to have when passing sensitive information like passwords, credit card information, etc. It is most definitely not a scam. Without it, the data is in the clear, and anyone that intercepts it can read it. Which is pretty easy to do.