Hi,

I apologize if this is a stupid question, but I'm just not understanding this concept.

I currently maintain a static html site. Recently, they asked me if I could build an authenticated application for them. I decided I would use Drupal since the functionality they want is pretty basic and Drupal offers it. I also wanted Drupal so that I could put the rest of the site on it and they would be able to maintain the site themselves instead of asking me to do those mundane text updates every week. I will be converting the static html pages to the Drupal version after I finish the application (they want that first and quickly).

They wanted the app to be served over SSL. We have bought the certificate and it's ready for use. I'm guessing also it would be best to have the admin pages served over SSL as well.

I still want most of the site to be served over HTTP. The admin pages and the application I'm building I would like served over HTTPS.

Do I have to save all the Drupal files to both public_html directory and the secure_html directory? This would mean everything would be duplicated, which doesn't seem to make sense to me. Having duplicates has to be bad, right?

Or is it the case that I save everything in public_html (leaving secure_html directory empty) and that something like the Secure Login module will make it seem like I'm viewing a page in HTTPS even though it physically lives in HTTP?

Which one is right? Am I just way off?

Thanks!

Comments

dono1’s picture

pmontesinos,
No need for duplicating your files as it would be a waste and your users that log in would most likely lose their session which in turn would also stop them from logging in. It throws off their cookie - so to speak.

In D7 and D6, you can set your base url to https:// . This allows users to have their sessions pass from http:// to https:// without any error.

If you check out your settings.php file inside of sites/default/settings.php you can search through the code and locate the base_url. You would want it to look something like this:

$base_url = 'https://yourdomain.com';  // NO trailing slash!

Consider this module for specific pages to be under SSL: http://drupal.org/project/securepages
Secure Pages allows you to set what pages you want under SSL. Even though it is not a full D7 release, it still works perfectly fine. Just be sure, if you use it, that you update the module when a new release occurs.

Southpawz’s picture

Another way would be to force https:// using mod_rewrite in your .htaccess file.

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} somefolder
RewriteRule ^(.*)$ https://www.domain.com/somefolder/$1 [R,L]

pmontesinos’s picture

Thanks guys.

I will try to see what works best.

However, I still have a lingering question:
If I leave the files in public_html, isn't it still possible for a hacker to gain access to the site just by dropping the s in https and go in through the site that way?

fmw’s picture

I am no expert by any means,
so I tried,
just test it yourself,
if you try to access a webpage using http the above code will immediately redirect / change it to https.

Actually, I think in any case there is not much to be gained for somebody to try that.
He/she will not have write-access to documents on your server just because it is an http connection.

By the way: here is a link to another useful article from drupalscout about the same topic.
A must read.
http://drupalscout.com/knowledge-base/drupal-and-ssl-multiple-recipes-po...

And another one which is also informative:
http://www.besthostratings.com/articles/force-ssl-htaccess.html

Thanks everybody for your comments.
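Added example (not from the thread or any poster's code): a small check for the "dropping the s" question, which takes responses gathered from plain-HTTP requests and reports any protected path that was answered directly instead of being redirected to HTTPS. The protected prefixes, the clean-URL assumption and the sample responses are constructed for illustration; `domain.com` and `somefolder` are the placeholders from the rewrite rule above.

```python
import http.client
from urllib.parse import urlsplit

# Assumed policy (not from the thread): path prefixes that must only be reachable
# over HTTPS. Assumes clean URLs (/admin/..., not ?q=admin).
PROTECTED_PREFIXES = ("/user", "/admin", "/somefolder")
REDIRECTS = (301, 302, 303, 307, 308)

def is_protected(path):
    path = path.split("?", 1)[0]  # ignore the query string
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)

def check_response(host, path, status, headers):
    """Return a finding string for one plain-HTTP response, or None if acceptable."""
    if not is_protected(path):
        return None
    if status not in REDIRECTS:
        return f"{path}: answered over HTTP with status {status} instead of redirecting"
    loc = urlsplit(headers.get("Location", ""))
    if loc.scheme != "https":
        return f"{path}: redirect target is not https ({loc.geturl() or 'no Location'})"
    if loc.hostname not in (host, "www." + host):
        return f"{path}: redirect leaves the site ({loc.hostname})"
    return None

def audit(host, captured):
    """captured: iterable of (path, status, headers) taken from port-80 requests."""
    return [f for f in (check_response(host, *r) for r in captured) if f]

def fetch(host, path):
    """Request `path` over plain HTTP without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return path, resp.status, {"Location": resp.getheader("Location", "")}
    finally:
        conn.close()

# Constructed sample responses, not captured from any real server.
SAMPLE = [
    ("/somefolder/page", 302, {"Location": "https://www.domain.com/somefolder/page"}),
    ("/admin/config", 200, {}),   # page body served in the clear
    ("/user/login", 301, {"Location": "http://www.domain.com/user/login"}),
    ("/about", 200, {}),          # public page, plain HTTP is allowed
    ("/username-policy", 200, {}),  # shares a prefix string but is not under /user/
]

if __name__ == "__main__":
    for finding in audit("domain.com", SAMPLE):
        print("FAIL", finding)
```

To run it against your own site, replace `SAMPLE` with `[fetch(host, p) for p in paths]` for the paths you expect to be HTTPS-only.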

dinus’s picture

I'm also new to SSL with Drupal.

Have installed a certificate and verified that it works correctly. I can manually go to https:// and it works. Have also set conf['https'] = true for mixed mode, as instructed by the securepages module, which I have also installed.

My issues are:
1. No pages are redirecting to https - I thought user, admin, and content editing pages should do that automatically?
2. I can't find where to configure the securepages module - how do I add more URLs (e.g. my shopping cart) to be secured?

Thanks in advance.

Cheers
Dinus

piotrk’s picture

Try the development release (7.x-1.x-dev) - at least it works, unlike the beta. I'm testing it now.