SSL: two copies of everything... doing it very wrong

Question

this may be a an SO question, but it sounds servery...

Whenever I set up an SSL utilising site (not the certificate and the server itself, just the uploading of the files), I always end up with one copy of my site in the HTTP bit, and another copy in the HTTPS part, with forwarding headers sending the user backwards and forwards. This also results in two copies which is ridiculous to maintain. Which makes me think I am doing this wrong, hence this post.

I understand that SSL "stops bad dudes" (or at least slows some down), I know there are separate parts on the host for SSL and non SSL, but could someone show me the ropes, a little? or recommend some article on the internet?

...big noob tears...

Thank you very much

edit:Gimel said details would be good...

Um, LAMP on a shared host, with shared SSL certificate, currently battling with Zencart, but broader advice would be appreciated, which I don't have command line access to, just FTP and what not (unix is a little scary)... is that what you meant?

You should add some details like: OS, Web Framework, ... – gimel Jun 23 '09 at 11:38 — gimel, Jun 23 '09 at 11:38

score 4 · Accepted Answer · edited Apr 13 '17 at 12:14

On the assumption you're using apache vhosting, it's as simple as settting the DocumentRoot to the same location for both. To use symlinks (as in Dan C's answer) ensure you have

Options +FollowSymLinks

Set in your httpdocs/.htaccess file, or your master httpd.conf as appropriate (.htaccess files are looked for and processed on each page load in that directory, so there's no need to restart apache, however they are slower than implementing the same code in httpd.conf as this file is only processed on server startup).

Here is an httpd.include to serve HTTPS data from the same location as HTTP:

<VirtualHost *:80>
        ServerName   test.com
        ServerAlias  www.test.com
        UseCanonicalName Off
        DocumentRoot /var/www/vhosts/test.com/httpdocs
        CustomLog  /var/www/vhosts/test.com/logs/access_log common
        ErrorLog   /var/www/vhosts/test.com/logs/error_log
        <IfModule mod_ssl.c>
                SSLEngine off
        </IfModule>
        Include /var/www/vhosts/test.com/conf/vhost.conf
</VirtualHost>

<VirtualHost *:443>
        ServerName   test.com
        ServerAlias  www.test.com
        UseCanonicalName Off
        DocumentRoot /var/www/vhosts/test.com/httpdocs
        CustomLog  /var/www/vhosts/test.com/logs/access_log common
        ErrorLog   /var/www/vhosts/test.com/logs/error_log
        <IfModule mod_ssl.c>
                SSLEngine on
                SSLVerifyClient none
                # example ssl certs
                SSLCertificateFile /usr/local/apache/certs/my.ca.pem
                SSLCertificateKeyFile /usr/local/apache/certs/my.server.key.pem
        </IfModule>
        Include /var/www/vhosts/test.com/conf/vhost_ssl.conf
</VirtualHost>

Useful links from O'Reilly's Step by Step: Configuring SSL Under Apache and the Apache SSL Page (verbose!)

Edit:

You should be able to access you conf/httpd.include file over FTP (it may be in a different directory, but it will be in the vhost's subdirectory of /var/www/vhosts/test.com/ or similar - you can find the vhost directory in your main httpd.conf).

You should also be able to access .htaccess files - they are linux hidden files, so you may need to check your FTP client's documentation. Alternatively, try creating a .htaccess file in your vhost's httpdocs/ directory - if you can't the file may already be present.

Last gasp: contact your hosting provider!

I should come clean and admit I have no idea what I'm doing. I hope you guys have your end sorted out, because things are going to get worse before they get better, and I don't want to take out any innocent bystanders. — Assembler, Jun 26 '09 at 05:38
@Assembler "I don't want to take out any innocent bystanders" - don't worry, you shared hosting won't collapse under the weight of an erroneous apache config ;) — Andy, Jun 26 '09 at 10:15

score 1 · Answer 2 · answered Jun 23 '09 at 11:57

I tend to store documents as follows:

html      (HTTP resources)
html_ssl  (HTTPS resources)

If the content for each isn't destined to be the same then usually I will symlink one to the other.

ln -s html_ssl html

Then you only need to update the documents in html_ssl.

Alternatively you can point both DocumentRoot directives to the same location. But this is slightly less intuitive.

score 0 · Answer 3 · answered Jun 23 '09 at 11:57

There is separate setups for HTTP & HTTPS, but they're served out of the same directory. If a request arrives over http, then the response is served over http, and contrawise https. To block a document from being served over http, you'll have to set up a virtual host with a separate DocumentRoot and put it there.

SSL: two copies of everything... doing it very wrong

3 Answers3