admin access with shared SSL

[bh_scripts]

I am a recent newcomer to CMS and I agree that it does indeed "make content management simple".

What I want to share here, is a change I made as a result of preferring to access the admin panel via shared SSL. The problem is that the shared admin URL is different from the CMS site URL, for example;-
site: http://www.mysite.com/cms/
shared ssl: https://www.oksecure.com/~mysite/cms/

CODE CHANGES:
To seperate the admin URL from the site URL the following changes were made:

in config.php:
added new line - $config['root_admin_url'] = 'https://www.oksecure.com/~mysite/cms';

in lib/page.functions.php:
in check_login function altered two occurances of
redirect($config["root_url"]."/".$config['admin_dir']."/login.php");

to
redirect($config["root_admin_url"]."/".$config['admin_dir']."/login.php");


if using TinyMCE then need to change modules/tinymce/tinymce.module.php:

in function WYSIWYGGenerateHeader()
config['root_admin_url']....

Have tested these changes and it all seems to function OK, with benefit of secure logon.
Perhaps the allowance for seperation of admin_url from site url is desirable in the BASE code?

Regards

[Ted]

Yeah, this has come up twice in the past week, and I think it's time to include it.  I like your implementation.  Very simple and to the point.  I think there are a couple of other gotchas in there somewhere, and I should probably compare this and the other thread to make sure they're all taken care of.

Hopefully I can get this into 0.10.1, whenever I get time to finish it up.

Thanks!

[seliger]

Hey there,

Has this been included yet?

Thanks!

[Ted]

Unfortunately, no.  The things posted in the forums usually have a habit of becoming forgotten.  It would probably be best to make a feature request so that I can't easily lose track.

Thanks!

[mjoukain]

Hi!

Do you mind if I ask also, is this feature available? Couldn't find any documentation (did I try hard enough?).

BR,
-- MJo

[crossconnect]

So far as I can tell from the documentation, the current revision 1.06 still doesn't include any official mechanism for distinguishing between the http and https top URLs.

Here is the solution that worked for me. In config.php, define root_url differently according as the protocol in use is or is not https. This doesn't require any modifications to any of the rest of the code, and also doesn't require the rest of the code to guess at the URL.

Code: Select all

$config['root_url'] = 'http://www.example.com';
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']=='on') {
  $config['root_url'] = 'https://server.example.com/~joe/cmsms/';
}

Elsewhere in config.php, be sure to take the root_url into account.  E.g.:

Code: Select all

$config['uploads_url'] = $config['root_url'] . '/uploads';
$config['image_uploads_url'] = $config['root_url'] . '/uploads/images';

Rahul

[Sorry Go Fish]

I altered my config.php to be location independent. This might slow things down but is needed if your whole site is in a repository, or can be moved around. Below are the modified lines of config.php only.

Code: Select all

///
/// Dynamic locations
///
$url = "http://{$_SERVER["SERVER_NAME"]}".dirname($_SERVER["SCRIPT_NAME"]);
$location = dirname(__FILE__);
for($currentPath = getcwd(); $currentPath != $location;)
{
    $currentPath = dirname($currentPath);
    $url = dirname($url);
}

#-------------
#Path Settings
#-------------

#Document root as seen from the webserver.  No slash at the end
#e.g. http://blah.com
$config['root_url'] = $url;

#Path to document root. This should be the directory this file is in.
#e.g. /var/www/localhost
$config['root_path'] = $location;

#Where do previews get stored temporarily?  It defaults to tmp/cache.
$config['previews_path'] = "{$config['root_path']}/tmp/cache";

#Where are uploaded files put?  This defaults to uploads.
$config['uploads_path'] = "{$config['root_path']}/uploads";

#Where is the url to this uploads directory?
$config['uploads_url'] = "$url/uploads";

#Default path and URL for uploaded images in the image manager
$config['image_uploads_path'] = "{$config['uploads_path']}/images";
$config['image_uploads_url'] = "{$config['uploads_url']}/images";

[crossconnect]

Very ingenious!  I tried replacing my code with yours and it worked perfectly.

If the current directory is reached via symlinks, and hence the output from getcwd() is unpredictable, is there some possibility of the following loop never terminating, for failure to ever match $currentPath to $location?

Code: Select all

for($currentPath = getcwd(); $currentPath != $location;) { ... }

Rahul

[tsw]

just committed that https / http stuff to svn, will be in 1.1

[curana]

Digging out the old stuff...

How do I have to change my config to force the admin-area to be secured by SSL? Just change the admin-path?

Thanks for help.

[curana]

Why does nobody know? I thought its implemented?

[klendino]

Hi

Has this SSL feature been implemented in 1.6 or 1.7.
I've seen a lot of discussions but no real solution as yet.