secure vs. non-secure issues in Miva5



PaulMat
01-23-2007, 01:51 PM
I am not 100% certain I have configured my store properly and need some assistance. I have been trying to finalize my upgrade to MivaMerchant5. In IE when switching to a secure part of the store (such as checking out or logging in) I get numerous pop-ups relating to insecure items. I think the issue is somewhere in my link to graphics; although all my links are relative links (using miva merchant soft paths) if I select "NO" to the security pop-ups none of my images will display. I have set up the MivaMerchant links to use

http://www.uneed-a-uniform.com/mm5/merchant.mvc?

on the non-secure side, and

https://SSL4.westserver.net/uneed-a-uniform.com/mm5/merchant.mvc?

for the secure side; for secure graphics the baseref is:

https://SSL4.westserver.net/uneed-a-uniform.com/mm5/

while the baseref for the non-secure graphics is simply

http://www.uneed-a-uniform.com/mm5/

I have looked through all of my code trying to find any absolute references that may be causing issues and cannot find any that have not been adjusted.

A link to the (new off line) store is:

http://www.uneed-a-uniform.com/mm5/merchant.mvc?

Any thoughts, comments, assistance will be appreciated.

wildjokerdesign
01-24-2007, 11:09 AM
For some reason your base href is not being set right.

<base href="http://www.uneed-a-uniform.com/mm5/">

I am not a miva user but I would look into the template that controls your header.
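Added example (not part of the original thread, and not Miva Merchant code): a small checker showing why relative image links still trigger the browser's insecure-items warning when a page served over HTTPS carries an `http://` base href. The sample HTML, the `Screen=` parameters and the file paths under `css/` and `graphics/` are constructed for illustration; the host names are the ones quoted in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute the browser fetches automatically. <a href> is navigation,
# not a subresource. Simplification: every <link href> is treated as fetched.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src",
               "input": "src", "link": "href"}


class SubresourceCollector(HTMLParser):
    """Collects the first <base href> and all subresource references."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.refs = []  # (tag, raw attribute value)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base_href is None and attrs.get("href"):
            self.base_href = attrs["href"]
        elif tag in FETCH_ATTRS and attrs.get(FETCH_ATTRS[tag]):
            self.refs.append((tag, attrs[FETCH_ATTRS[tag]]))


def insecure_subresources(page_url, html):
    """Return (tag, resolved_url) for each item an HTTPS page would load over HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # the warning only applies to pages loaded over HTTPS
    collector = SubresourceCollector()
    collector.feed(html)
    # Relative links resolve against <base href> when present, else the page URL.
    base = urljoin(page_url, collector.base_href) if collector.base_href else page_url
    resolved = [(tag, urljoin(base, ref)) for tag, ref in collector.refs]
    return [(tag, url) for tag, url in resolved if urlsplit(url).scheme == "http"]


# Constructed sample: secure page URL, relative links, non-secure base href.
SECURE_PAGE = "https://SSL4.westserver.net/uneed-a-uniform.com/mm5/merchant.mvc?Screen=LOGN"
SAMPLE_HTML = """<html><head>
<base href="http://www.uneed-a-uniform.com/mm5/">
<link rel="stylesheet" href="css/store.css">
</head><body>
<img src="graphics/00000001/logo.gif">
<a href="merchant.mvc?Screen=SFNT">Storefront</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url in insecure_subresources(SECURE_PAGE, SAMPLE_HTML):
        print(f"insecure <{tag}>: {url}")
```

Saving the source of a generated checkout or login page and running it through `insecure_subresources` with the secure page URL lists exactly which items resolve to `http://`, which separates a wrong base href from a hardcoded absolute link.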

PaulMat
01-24-2007, 11:26 AM
Thanks, that is what I am trying to figure out: Either what should the code look like in the templates (I cannot find anything different in the Miva examples on their site), or do I have something incorrect in the Miva setup strings (that I show in my initial post)?

I'll keep searching and trying things...

rispku
01-25-2007, 01:35 PM
Check to make sure you haven't hardcoded any base URLs into your templates/pages. Also, double check your domain settings to make sure they're correct. I would re-enter and save them just to be sure.

I had a similar problem--with the exact opposite effect--when I first used Merchant on Westhost. See this post: 26781. My problem was related to an Apache directive instructing the server to initiate a secure connection for any request containing 'merchant.mvc' in the URL. This caused MM to set the base URL to my secure address, and load all of my graphics through the secure server. Can you post the contents of the miva.conf file I referenced in the aforementioned post?

PaulMat
01-26-2007, 06:55 AM
rispku:

Thanks for your thoughts, I will check out that thread shortly.

As for further clues, we discovered late yesterday that the base href generated by Miva seems to be following whatever is entered in the domainsettings/siteconfig/secure GRAPHICS baseurl and sets the base href for every page (whether it should be secure or not) to that setting. In other words, it doesn't matter what the non-secure or secure Miva base url is set to, the pages generated by Miva are somehow using the setting for non-secure graphics (this can be set to either an http:// or https:// location, I have tried it both ways).

At this moment I have the non-secure graphics base url pointing to:

https://ssl4.westhost.com/uneed-a-uniform.com/mm5/

Unfortunately this slows down the loading of the site but at least I don't see all the security warnings in IE and the lock symbol is displayed.

I'll go check out the thread and do some digging and report back here. I also have an agenda this morning to pitch my boss for a dedicated SSL cert, maybe getting one of those will help alleviate some of these hassles.

Thanks again,

pm

PaulMat
01-26-2007, 07:12 AM
Rispku,

OK, just checked, everything is already as you suggested in that thread.

And I think I was just shot down (again) on a dedicated ssl cert.

Thanks again, I'm still open to thoughts and suggestions...

pm

PaulMat
01-26-2007, 07:15 AM
Sorry, here is the miva.conf file:

AddType application/x-httpd-Miva .mv
AddType application/x-miva-compiled .mvc
Action application/x-miva-compiled /cgi-bin/mivavm
Action application/x-httpd-Miva /cgi-bin/miva

#SetEnvIf Request_URI admin\.mvc HTTPS=on
#SetEnvIf Request_URI admin\.mv HTTPS=on
#SetEnvIf Request_URI merchant\.mvc HTTPS=on
#SetEnvIf Request_URI merchant\.mv HTTPS=on





# BEGIN MIVA 5 INSTALL
SetEnv MvCONFIG_DIR_MIVA /var/www/html
SetEnv MvCONFIG_DIR_DATA /usr/home/uneed-a-uniform/htsdata
SetEnv MvCONFIG_DIR_BUILTIN /usr/local/miva/lib/builtins
SetEnv MvCONFIG_DIR_CA /usr/local/miva/certs
SetEnv MvCONFIG_SSL_OPENSSL /var/www/html/mm5/openssl/lib/libssl.so
SetEnv MvCONFIG_SSL_CRYPTO /var/www/html/mm5/openssl/lib/libcrypto.so
SetEnv MvCONFIG_DATABASE_MySQL /usr/local/miva/lib/databases/mysql.so

SetEnv MvCONFIG_COMMERCE_CyberCash /usr/local/lib/mivalibs/cybercash.so
SetEnv MvCONFIG_COMMERCE_AuthorizeNet /usr/local/lib/mivalibs/authnet.so
SetEnv MvCONFIG_COMMERCE_LinkPoint /usr/local/lib/mivalibs/linkpoint.so
SetEnv MvCONFIG_COMMERCE_UPSRSS /usr/local/lib/mivalibs/upsrss.so
SetEnv MvCONFIG_COMMERCE_ICS2 /usr/local/lib/mivalibs/ics2.so
SetEnv MvCONFIG_COMMERCE_GlobalCommerce /usr/local/lib/mivalibs/globcomm-linux.so
# END MIVA 5 INSTALL

rispku
01-26-2007, 02:32 PM
Okay, you should force WestHost support to resolve this issue for you. If your domain settings are correct, and there aren't any Apache directives changing the environmental variables, then it should be working.

I've never used MM5 on Westhost, so I'm not familiar enough with the peculiarities in running it in their hosting environment, but I HAVE seen MM5 stores on Westhost using their shared secure server. By all means, it should be working for you, too.

You don't need to purchase a dedicated cert to test whether or not it will make a difference. You can use the self-signed cert that's generated for you when you install (or configure) OpenSSL from the control panel. You'll still get a security pop-up regarding the authenticity of the cert, but you'll at least be able to see if it works properly with MM5.

By the way, you should uncomment the SetEnvIf statement that examines requests for 'admin.mvc'. Working securely in the admin area doesn't seem to work properly unless that line is present and enabled. (From my experiences, at least.)


#SetEnvIf Request_URI admin\.mvc HTTPS=on

should look like this:

SetEnvIf Request_URI admin\.mvc HTTPS=on

Then, restart your VPS/Apache.

rispku
01-26-2007, 02:55 PM
Apparently, you already have the temp/self-signed cert installed. If you load your site using the secure address it's configured for, https://www.uneed-a-uniform.com/mm5/merchant.mvc?, you'll see that it uses the proper secure base url.

So, it would seem that getting a dedicated cert would resolve this issue for you. However, I think this shows that there must be some sort of misconfiguration in the server settings. I would still recommend you have Westhost look into this issue, especially if you still want to use the shared secure server.

PaulMat
01-31-2007, 02:33 PM
Rispku,

Thanks for taking the time to think about this. I will be coming back to this shortly, but for now I am trying to just get a few things fine tuned as we had to turn the store live. I agree that there is something awry in some config setting somewhere but I need to brush way up on my apache stuff before I get too lost in .htaccess and http.conf files.

Again, thanks and I will post any findings here.

--pm