Secure Online Shopping Issue


    Can Actinic cope with having the standard network settings running using our domain name but then having the SSL settings using a different URL?

    The Actinic partner hosting solution (Artisan) have provided documentation that suggests they have remapped our URL to a secure URL, i.e. "https://<servername>.<domainname>/<sitename>/" = "http://<mydomain.com>/". It is also suggested that for the remapping to work relative paths rather than absolute paths have to be used, so I have also selected "Use relative CGI-BIN URL's in Catalog Pages". Ping on the secure server brings back the same IP address as a ping on the domain name.


    The following are the current settings :

    Standard Settings

    Catalog URL = http://<mydomain.com>/acatalog/
    CGI-BIN URL = http://<mydomain.com>/cgi-bin/


    SSL Settings

    Catalog URL = https://<servername>.<domainname>/<sitename>/acatalog/ (this needed to be changed as well?)
    CGI-BIN URL = https://<servername>.<domainname>/<sitename>/cgi-bin/


    The site uploads without any errors but as soon as you select Checkout a redirect takes place to the SSL cgi-bin path which results in a HTTP 404 error indicating the page cannot be found. The redirect path being used is https://<servername>.<domainname>/<sitename>/cgi-bin/os000001.pl

    Will this setup work?

    They are running Apache/2.0.55. Does anyone know if (this being a shared server, which I assume it is) it is possible to run Shared and Private SSL Certs side by side on the same server? One option may be for me to purchase my own cert and run with that.

    Other options

    Maybe to use the built-in Actinic encryption. The only problem with this is that there is no visual indicator, i.e. the industry standard golden padlock. I personally do not know anyone who would shop on the Internet and give out personal details without them being able to see that they are running in an encrypted session. Granted you could add into the T&C's that a proprietary built-in encryption method is being used, but at the end of the day it's just words on a page which anyone could write. How do you go about proving to your customers otherwise?

    #2
    I see your redirect path just includes sitename and not the cgi-bin on the end, so that might be why it is not showing the file, as it is looking in the wrong place...

    Might be helpful to post your full network settings on the forum for assistance (less usernames and passwords).

    With server shared SSL, it is down to how it is set up, but with what you have said, it should be fine, just need to tweak the settings.

    Having your own SSL certificate for the domain on their server will most probably require them to issue you with your own IP address and not the shared one that you are on now, so best speak with Artisan before paying for an SSL certificate or spending time on looking into it, just in case it is not an option.

    Alternatives are the Java applet or the Actinic Shared SSL service, or full blown OCCP with WorldPay, Protx and the like.


      #3
      Ah, the redirect path is a typo on my part when editing the line from the browser.

      Having double checked the redirect path being used is https://<servername>.<domainname>/<sitename>/cgi-bin/os000001.pl

      *corrected the original post

      I'm really not keen on the Java Applet purely because how can I expect my customers to trust some words written on a site. I wouldn't and it's our site! I guess I could point them to http://downloads.actinic.com/docs/wh...s/Security.pdf and ask them to read about the built-in encryption, but why should they, and would they even understand it if they did? It only lists a few of the UK banks, so what do the customers of other banks not mentioned do? If I was the customer I'd be asking questions for sure. All this goes to back up that the only universal security standard that everyone knows is the golden padlock.

      Do not want to go full OCCP at the moment for reasons such as refunds for out of stock/back order items etc.

      I don't know anything about the Actinic Shared SSL service. I guess I can find out more from their site? Can someone give me a brief run down on what it is etc?

      This is the only thing stopping my site from going live.


        #4
        Actually, after going through a few broken links I have found the info on the Shared SSL service. As I thought, it comes at a price, and to be honest this is where I start getting a bit annoyed, as I was assured that part of my hosting plan payment was covering this service, which it appears doesn't work. We went with an Actinic Partner for obvious reasons, and after asking a whole load of questions, some of which surrounded shared certs etc., we decided to sign up after getting positive answers and being assured they deliver that service. Anyway, rant over ....

        I've done the dummy order and indeed it does display the golden padlock. So how exactly does this work technically? I take it some bits of my site get uploaded onto the Shared SSL Server as well as on my existing host?


          #5
          As requested we are using the following Network Settings.

          HTTPPROXYADDRESS
          HTTPPROXYPORT 80
          HTTPPROXYUSER
          HTTPPROXYPASSWORD
          FTPPROXYMODE 0
          FTPPROXYADDRESS
          FTPPROXYPORT 21
          FTPPROXYUSER
          FTPPROXYPASSWORD
          SCRIPTID 1
          SCRIPTEXT .pl
          SMTPHOST *REMOVED*
          WEBSITEURL http://www.mxbits.com
          IGNOREPASSIVEERRORS true
          USERELATIVECGIURLS true
          PATHTOPERL /usr/bin/perl
          USEENHANCEFTP false
          FTPCLIENTTIMEOUT 5000
          FTPRETRYDELAY 3000
          FTPSILENT false
          FTPMAXRETRIES 3
          FTPCONNECTTIMEOUT 15000
          SMTPAUTHREQUIRED true
          SMTPUSERNAME *REMOVED*
          SMTPPASSWORD *REMOVED*
          SSLCATALOGURL https://web16.secure-secure.co.uk/mxbits.com/acatalog/
          SSLCGIBINURL https://web16.secure-secure.co.uk/mxbits.com/cgi-bin/
          SSLPATHFROMCGITOCATALOG ../public_html/acatalog/
          SSLCODEBASE ./
          SSLFTPHOST *REMOVED*
          SSLFTPUSERNAME *REMOVED*
          SSLFTPPASSWORD *REMOVED*
          SSLPATHTOCGIBIN cgi-bin/
          SSLUSEPASSIVEFTP false
          CATALOGURL http://www.mxbits.com/acatalog/
          CGIBINURL http://www.mxbits.com/cgi-bin/
          PATHFROMCGITOCATALOG ../public_html/acatalog/
          CODEBASE ./
          FTPHOST *REMOVED*
          FTPUSERNAME *REMOVED*
          FTPPASSWORD *REMOVED*
          PATHTOCGIBIN cgi-bin/
          USEPASSIVEFTP false
          FTPPATHFROMCGITOCATALOG


          We are currently hosting two sites. Our old site can be accessed using the domainname only but to access our new ecommerce site you need to use http://www.mxbits.com/shpindex.html

          Using the https://web16.secure-secure.co.uk/mx...alog/shop.html I can run the whole shop in an SSL session, which says to me the redirection is working fine, leaving the only problem being accessing the checkout.


            #6
            It Works!

            It appears our host failed to create the proper config, as detailed in the response I got back.

            "Due to the way the ScriptAlias works, (i.e., looking for location
            '/cgi-bin/...'), it doesn't get triggered with the shared SSL URLs, which
            have the location '/domainname.com/cgi-bin/...'. Instead, that really would
            be ~/public_html/cgi-bin/. The work-around is to add a symlink from
            ~/public_html/cgi-bin to ~/cgi-bin and add the FollowSymlinks option to a
            .htaccess file in ~/public_html. I've done that for this site now, so both
            the secure and normal URLs should work the same."



            All I need to do now is sort my shipping issue out but I have a separate thread for that!
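
The mapping problem and work-around quoted in the host's reply above, as an added example that is not part of the original thread or the host's configuration. It is a simplified shell model of the URL-to-file mapping (not Apache itself); the site name `example.test`, the temporary directory layout and the 403 status used for a refused symlink are assumptions made for the illustration.

```shell
#!/bin/sh
# Simplified model of the URL-to-file mapping described in the host's reply.
# Not Apache itself: it mirrors only the rules quoted in the thread.
# Site name (example.test) and directory layout are constructed sample values.

# True when ~/public_html/.htaccess has an Options line enabling FollowSymLinks.
follow_enabled() {
    grep -Eqi '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?FollowSymLinks([[:space:]]|$)' \
        "$1/public_html/.htaccess" 2>/dev/null
}

# map_request ACCOUNT_HOME SITE URL_PATH  ->  prints "STATUS FILE"
map_request() {
    home=$1; site=$2; path=$3
    case $path in
        /cgi-bin/*)   # normal URL: ScriptAlias matches the /cgi-bin/ prefix
            file=$home/cgi-bin/${path#/cgi-bin/} ;;
        "/$site/"*)   # shared SSL URL: prefix is /<site>/, so ScriptAlias is skipped
            file=$home/public_html/${path#"/$site/"} ;;
        *)
            file=$home/public_html$path ;;
    esac
    case $file in
        "$home/public_html/cgi-bin/"*)
            # A symlinked cgi-bin is refused unless FollowSymLinks is on.
            if [ -L "$home/public_html/cgi-bin" ] && ! follow_enabled "$home"; then
                echo "403 $file"; return 0
            fi ;;
    esac
    if [ -f "$file" ]; then echo "200 $file"; else echo "404 $file"; fi
}

# Walk a throwaway account through the failure and the two-part work-around.
demo() {
    acct=$(mktemp -d) || return 1
    mkdir -p "$acct/cgi-bin" "$acct/public_html"
    : > "$acct/cgi-bin/os000001.pl"
    ssl=/example.test/cgi-bin/os000001.pl
    echo "normal URL      : $(map_request "$acct" example.test /cgi-bin/os000001.pl)"
    echo "SSL, no fix     : $(map_request "$acct" example.test "$ssl")"
    ln -s ../cgi-bin "$acct/public_html/cgi-bin"
    echo "SSL, symlink    : $(map_request "$acct" example.test "$ssl")"
    echo 'Options +FollowSymLinks' > "$acct/public_html/.htaccess"
    echo "SSL, + .htaccess: $(map_request "$acct" example.test "$ssl")"
    rm -rf "$acct"
}
demo
```

The model only checks that the file is reachable; whether the server executes the script or returns its source under the `public_html` path depends on the host's CGI handler configuration, which the thread does not show.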
