Secure Typo admin with HTTPS

fdv edited this page Sep 13, 2010 · 1 revision

You can setup typo so that the web administrative interface is encrypted but it will require some configuring of your web server. Here’s how to do it in lighttpd with mongrel. First, setup typo with mongrel at a port on your server. Then, you will need to buy or generate a certificate for your web server to use if you don’t already have one. The following command will ask you some questions and then generate one if you have openssl installed.

user@host$ openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes

Put the generated server.pem in /etc/ssl or someplace safe. Then, use the following lighttpd config (this will require that lighttpd is compiled with ssl support and a version at 1.4.19 or later).

$HTTP["host"] =~ "yoohoo.yourdomain.com" {
   $HTTP["scheme"] == "http"   {  
         server.document-root        = "/usr/home/myname/typo/public/"
         accesslog.filename          = "/usr/home/myname/typo/log/lighty-access.log"

         $HTTP["url"] =~ "^/(admin|accounts)" { url.redirect = ( "^/(.*)$" => "https://yoohoo.yourdomain.com/$1" ) }
         $HTTP["url"] !~ "^/files" { proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => 9517 ))) }
                                }
                                          }

$SERVER["socket"] == "72.34.55.79:443" {
  ssl.engine                  = "enable"
  ssl.pemfile                 = "/etc/ssl/private/server.pem"

  server.name                 = "yoohoo.yourdomain.com"

  server.document-root        = "/usr/home/myname/typo/public/"
  accesslog.filename          = "/usr/home/myname/typo/log/lighty-access.log"

  $HTTP["url"] =~ "^/(admin|accounts)" { proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => 9517 ))) }

}

You will need to tailor the above config to your own setup, replacing the domain, paths, mongrel port, and socket IP address with your own info. This setup will redirect all requests sent to http://yoohoo.yourdomain.com/admin or accounts/ to https. Once you’re in https encrypted mode, you won’t have to worry about falling into http as lighttpd sends a “X-Forwarded-Proto: https” header to rails that forces everything to be encrypted (you’ll have to set this header yourself in Apache). Also, you will need to load the mod\proxy, mod\_accesslog, and modredirect modules at the top of your lighttpd.conf in order to use the above config.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.