Ticket #484 (closed task: fixed)

Opened 4 years ago

Last modified 4 years ago

Puffin/Aegir SSL options

Reported by: jim Owned by: chris
Priority: blocker Milestone: PSE
Component: Drupal modules & settings Keywords:
Cc: chris, jim Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 0.1

Description

Per other tickets, SSL setup certs now work (see ticket:478#comment:15), the actual secure redirects within Drupal are still to do. This is a blocker for now...

See:

  1. Backgound: Do I need an extra IP address in order to deploy an ssl certificate?
  2. More: Auto Forward to https with BOA
  3. Best option?: Use extra config with new "/data/conf/override.global.inc/" file
  4. (SLOW) Drupal module: Carry on using 443 Session

What do you think is best, Chris? My vote is for 3, with 4 as backup...

Change History

comment:1 in reply to: ↑ description Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.0 to 0.1

Replying to jim:

  1. Best option?: Use extra config with new "/data/conf/override.global.inc/" file
  2. (SLOW) Drupal module: Carry on using 443 Session

What do you think is best, Chris? My vote is for 3, with 4 as backup...

  1. is simply redirecting some http URLs to https, it won't ensure that all authentication cookies are secure, 4. does what is needed, why do you think it's slow?

comment:2 follow-up: ↓ 3 Changed 4 years ago by jim

4 would be slower than the other options because 3) happens when settings.php (and the global.inc, then override.global.inc) are loaded very early in Drupal's bootstrap. 4 needs a module, which requires lots more files to be loaded and run before the relevant hooks are run.

I've added Session 443 back to the platform, and we'll go with that (option 4).

The code required in our tn.org settings.php looks like this:

# chris
# https://www.transitionnetwork.org/admin/help/session443
  if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
    ini_set('session.cookie_secure', 1);
  }

Which is simple, but I see this commit referring to issues with Drupal e-commmerce stuff: http://drupalcode.org/project/barracuda.git/commit/dfa3536 -- not a problem now, but when the Transition Network shop opens we would need to have a better alternative.

Since ticket:487#comment:2 needs me to add some code to override.global.inc, I can probably add this at the same time.

comment:3 in reply to: ↑ 2 ; follow-up: ↓ 4 Changed 4 years ago by chris

Replying to jim:

I've added Session 443 back to the platform

Thanks, the secure flag does need setting on the authentication cookie.

comment:4 in reply to: ↑ 3 Changed 4 years ago by jim

Replying to chris:

I've added Session 443 back to the platform

Thanks, the secure flag does need setting on the authentication cookie.

Per ticket:487#comment:3, I've now set this for all our sites on all platforms via /data/conf/override.global.php

comment:5 Changed 4 years ago by jim

  • Status changed from new to closed
  • Resolution set to fixed

SSL works now...

  • Cert is correct
  • Redirects to HTTPS in login/logged in and other important pages
  • Works like current site as far as my tests show: forces HTTPS when logged in, and not when not.

Note due to way settings.php is set up, the warning on Drupal's status page shows despite my work over on #487:

443 Session settings.php
Settings.php is not setup correctly. With the current configuration of 443 Session module, the following lines must be in settings.php.

if (!empty($_SERVERHTTPS?) && $_SERVERHTTPS? != 'off') {

ini_set('session.cookie_secure', 1);

}

}

The above is caused by the module dumbly scanning settings.php with a regexp in session443_requirements() in its .install file. I've raised a ticket on Drupal.org.

Closing this for now, unless Chris wants to add anything?

Note: See TracTickets for help on using tickets.