
Secure Typo admin with HTTPS

fdv edited this page Sep 13, 2010 · 1 revision

You can set up Typo so that the web administrative interface is served over HTTPS, but it requires some configuration of your web server. Here is how to do it with lighttpd in front of mongrel. First, set up Typo under mongrel listening on a local port on your server. Then you will need to buy or generate a certificate for your web server, if you don't already have one. If openssl is installed, the following command asks a few questions and then writes a self-signed certificate together with its private key into a single file (browsers will warn about a self-signed certificate; a certificate issued by a CA avoids that):

user@host$ openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes

Put the generated server.pem under /etc/ssl/private (the path used in the config below) or somewhere equally safe. Because of -nodes the file holds the private key unencrypted, so make it readable only by the user lighttpd runs as (for example chmod 600). Then use the following lighttpd config. It requires lighttpd built with SSL support, version 1.4.19 or later (for the $HTTP["scheme"] conditional), and the mod_proxy, mod_accesslog and mod_redirect modules loaded.
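As an added example (not part of the original page), the following shell script runs the same openssl command non-interactively and then checks the result the way you would before pointing ssl.pemfile at it: that the file contains both the private key and the certificate, that the two belong together, and that nobody but the owner can read it. The hostname, the temporary working directory and the 2048-bit key size are assumptions; the check_redirect helper and its --live flag are hypothetical and only run when asked for, after the lighttpd config is deployed.

```shell
#!/bin/sh
# Added example, not from the Typo wiki: generate the combined key+certificate
# file that lighttpd's ssl.pemfile expects, then sanity-check it.
set -eu

# Assumed values; replace with your admin hostname. WORKDIR defaults to a temp dir.
TYPO_HOST="${TYPO_HOST:-yoohoo.yourdomain.com}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
PEM="$WORKDIR/server.pem"

# Same command as the page uses. -subj answers the prompts, -newkey fixes the key
# size instead of trusting openssl.cnf's default. Because -keyout and -out name the
# same file, openssl writes the key first and then appends the certificate to it.
# -nodes leaves the key unencrypted (lighttpd cannot type a passphrase at boot),
# so the file is made owner-readable only.
make_pem() {
    openssl req -new -x509 -newkey rsa:2048 -keyout "$PEM" -out "$PEM" \
        -days 365 -nodes -subj "/CN=$TYPO_HOST" >/dev/null 2>&1
    chmod 600 "$PEM"
}

# Both PEM blocks must be present, or lighttpd cannot bring up the SSL socket.
pem_has_key_and_cert() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" &&
        grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# The public key inside the certificate must match the private key in the same file.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Mode must be 0600: the file holds the private key.
pem_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Optional live check of the lighttpd rule once deployed (hypothetical helper):
# a plain-http request for /admin/ must answer with a Location header pointing at https.
check_redirect() {
    curl -s -o /dev/null -D - "http://$1/admin/" | grep -i '^Location: https://'
}

make_pem
pem_has_key_and_cert "$PEM" || { echo "missing key or cert in $PEM" >&2; exit 1; }
key_matches_cert "$PEM"     || { echo "key and certificate do not match" >&2; exit 1; }
pem_is_private "$PEM"       || { echo "$PEM is readable by others" >&2; exit 1; }
openssl x509 -in "$PEM" -noout -subject -dates -fingerprint -sha256
echo "OK: move $PEM to /etc/ssl/private/server.pem (keep mode 0600)"

if [ "${1:-}" = "--live" ]; then
    check_redirect "$TYPO_HOST"
fi
```

Run it once on the server, move the printed file into /etc/ssl/private, and only then restart lighttpd; after the config below is live, rerun with --live to confirm that http://yoohoo.yourdomain.com/admin/ really answers with a redirect to https.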

# Plain-http side: serve the blog, but send admin and login URLs to https.
$HTTP["host"] =~ "yoohoo.yourdomain.com" {
  $HTTP["scheme"] == "http" {
    server.document-root = "/usr/home/myname/typo/public/"
    accesslog.filename   = "/usr/home/myname/typo/log/lighty-access.log"

    # Anything under /admin or /accounts is redirected to the https vhost.
    # Load mod_redirect before mod_proxy in server.modules so this rule is
    # applied before the proxy rule below.
    $HTTP["url"] =~ "^/(admin|accounts)" {
      url.redirect = ( "^/(.*)$" => "https://yoohoo.yourdomain.com/$1" )
    }
    # Everything else, except static uploads under /files, goes to mongrel.
    $HTTP["url"] !~ "^/files" {
      proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => 9517 )) )
    }
  }
}

# https side: port 443 on the server's public address.
$SERVER["socket"] == "72.34.55.79:443" {
  ssl.engine  = "enable"
  # Combined private key + certificate, as produced by the openssl command above.
  ssl.pemfile = "/etc/ssl/private/server.pem"

  server.name          = "yoohoo.yourdomain.com"
  server.document-root = "/usr/home/myname/typo/public/"
  accesslog.filename   = "/usr/home/myname/typo/log/lighty-access.log"

  # Only the admin and login URLs are proxied to mongrel here; any other path
  # requested over https is served as a static file from document-root.
  $HTTP["url"] =~ "^/(admin|accounts)" {
    proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => 9517 )) )
  }
}

You will need to tailor the above config to your own setup, replacing the domain, paths, mongrel port and socket IP address with your own. With it in place, every request to http://yoohoo.yourdomain.com/admin/... or /accounts/... is redirected to https. Once you are on https you won't drop back to http: lighttpd sends an "X-Forwarded-Proto: https" header to Rails, which then treats the request as SSL and generates https links (with Apache you have to add this header yourself, for example with mod_headers' `RequestHeader set X-Forwarded-Proto "https"` in the SSL virtual host). Note that the https block above only proxies /admin and /accounts to mongrel, so any other path requested over https is served straight from document-root; if you want the whole blog reachable over https, use the same `!~ "^/files"` proxy rule in that block too. Note also that moving only the admin pages to https does not by itself protect the login session: a session cookie that is not flagged Secure is sent by the browser on plain http requests to the rest of the site as well. Finally, you will need to load the mod_proxy, mod_accesslog and mod_redirect modules in server.modules at the top of your lighttpd.conf for the above config to work.