Ticket #484 (closed task: fixed)
Puffin/Aegir SSL options
| Reported by: | jim | Owned by: | chris |
|---|---|---|---|
| Priority: | blocker | Milestone: | PSE |
| Component: | Drupal modules & settings | Keywords: | |
| Cc: | chris, jim | Estimated Number of Hours: | 0.0 |
| Add Hours to Ticket: | 0 | Billable?: | yes |
| Total Hours: | 0.1 |
Description
Per other tickets, SSL setup certs now work (see ticket:478#comment:15), the actual secure redirects within Drupal are still to do. This is a blocker for now...
See:
- Backgound: Do I need an extra IP address in order to deploy an ssl certificate?
- More: Auto Forward to https with BOA
- Best option?: Use extra config with new "/data/conf/override.global.inc/" file
- (SLOW) Drupal module: Carry on using 443 Session
What do you think is best, Chris? My vote is for 3, with 4 as backup...
Change History
comment:1 in reply to: ↑ description Changed 4 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 0.0 to 0.1
comment:2 follow-up: ↓ 3 Changed 4 years ago by jim
4 would be slower than the other options because 3) happens when settings.php (and the global.inc, then override.global.inc) are loaded very early in Drupal's bootstrap. 4 needs a module, which requires lots more files to be loaded and run before the relevant hooks are run.
I've added Session 443 back to the platform, and we'll go with that (option 4).
The code required in our tn.org settings.php looks like this:
# chris
# https://www.transitionnetwork.org/admin/help/session443
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
ini_set('session.cookie_secure', 1);
}
Which is simple, but I see this commit referring to issues with Drupal e-commmerce stuff: http://drupalcode.org/project/barracuda.git/commit/dfa3536 -- not a problem now, but when the Transition Network shop opens we would need to have a better alternative.
Since ticket:487#comment:2 needs me to add some code to override.global.inc, I can probably add this at the same time.
comment:3 in reply to: ↑ 2 ; follow-up: ↓ 4 Changed 4 years ago by chris
Replying to jim:
I've added Session 443 back to the platform
Thanks, the secure flag does need setting on the authentication cookie.
comment:4 in reply to: ↑ 3 Changed 4 years ago by jim
Replying to chris:
I've added Session 443 back to the platform
Thanks, the secure flag does need setting on the authentication cookie.
Per ticket:487#comment:3, I've now set this for all our sites on all platforms via /data/conf/override.global.php
comment:5 Changed 4 years ago by jim
- Status changed from new to closed
- Resolution set to fixed
SSL works now...
- Cert is correct
- Redirects to HTTPS in login/logged in and other important pages
- Works like current site as far as my tests show: forces HTTPS when logged in, and not when not.
Note due to way settings.php is set up, the warning on Drupal's status page shows despite my work over on #487:
443 Session settings.php
Settings.php is not setup correctly. With the current configuration of 443 Session module, the following lines must be in settings.php.
if (!empty($_SERVERHTTPS?) && $_SERVERHTTPS? != 'off') {
ini_set('session.cookie_secure', 1);
}
}
The above is caused by the module dumbly scanning settings.php with a regexp in session443_requirements() in its .install file. I've raised a ticket on Drupal.org.
Closing this for now, unless Chris wants to add anything?
Replying to jim: