hi guys, my webhost has recently provided me with ssl on for my website. From what i know you can apply secure pages to your site by modifiying the .htaccess file. I have looked around the net for information on this but its not been a good day. I have approached my host for some assistance but they won't respond for another 24 hours at the earliest. I would like to get this up and running tonight.

I'm running Apache
Have a dedicated IP
when i attempt to access https://mysite.com i get the padlock but no pages as its not setup properly ( i think?)

You are getting two sorts of security mixed up.

Security to restrict access to your page using passwords can be done via the .htaccess file.

Security to encrypt whay your visitors enter into your form using SSL resuires that the pages be loaded to the secure foldre on your site and that a security certificate be installed. Pages in the secure area are accessed via https:// instead of http://

Hi, so how would i implement this? The cert is already installed on the server.


the pages be loaded to the secure foldre on your site and that a security certificate be installed.

SSL is turned on at the server level so your hosting service probably moved you to a different server with a different doc root which hasn't been pointed back at your old file system. Once you get your site visible again then you can start to set up the Basic Authentication for it.

I could be wrong on this one, but I'm pretty sure you can set the SSL directives via .htaccess (or whatever it may be named on the server in question) on Apache 2.2.0+. Provided the usual necessary tweaks have been made to the httpd.conf file that is of course.

Provided the usual necessary tweaks have been made to the httpd.conf file that is of course.I thought modules had to be loaded at the real rather than the virtual server level but I've never configured SSL in any server. Of course virtual servers can listen on different ports so maybe it could get sorted out that way.

That's why I'm not so sure about it. It's actually what caught me out when upgrading Apache from 2.0.5 to 2.2.0. It took me a while to figure out how to set up SSL/TLS in Apache 2.2. It would seen they've made efforts to unify the whole config for startup. It's more to do with the abolition of the old ssl.conf file and the use of the "startssl" option at the start of apache ("/usr/local/apache2/bin/apachectl startssl" for example). You can have ssl.conf (I still use seperate files myself), but they are seen as a single file by apache at startup because ssl.conf is now used as an include to httpd.conf, so it can allow decentralised configuration of SSL/TLS (and other things).

No idea if you can set restrictions on what is permitted in the includes though. I don't think you can, other than slicking the include directive inside a <VirtualHost/>. Even so, I suppose there's nothing to stop someone sticking:

# Usual derectives for their host here

</VirtualHost>

# Naughty directives here

<VirtualHost "some fake host block to stop a syntax error">

To see what they could get away with. I guess it'd only be useful for internal use within organisations etc., rather than public use by strangers.

i'm stilll in limbo with this issue. I didn't think it would be this hard to apply ssl to folders.

I have about 30 php pages contained in 3 different folders.
I have a self signed ssl cert that is active on the server
if i type in https://subdomain.domain.com i get the cert (great) but the page gives back a 404 error, if i type in http://subdomain.domain.com the page renders but i have no padlock of course

s0 how do i go about securing the pages? I have contacted my webhost but the guy responding to my tickets must be a giraffee or something :o

You have to make sure the doc root of the secure server is pointed to your home file structure.

and how do i do this?

ok, so the guy from the hosting company got back to me today and said that .htaccess is required to apply the ssl to folders on the server. So i looked up .htaccess ssl and tried to apply it myself using these settings:

Order deny,allow
<IfModule !mod_ssl.c>
Redirect permanent / https://subdomain.domaincom/
</IfModule>

RewriteEngine On
RewriteCond %{SERVER_PORT} !443
RewriteRule (.*) https://subdomain.domain.com/site/account [R]

but neither worked. I save both files in notepad as .htaccess and uploaded the file to the root of the folder. Any ideas?

None here.