Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

We've moved the forum!

Please use forum.silverstripe.org for any new questions (announcement).
The forum archive will stick around, but will be read only.

You can also use our Slack channel or StackOverflow to ask for help.
Check out our community overview for more options to contribute.

General Questions /

General questions about getting started with SilverStripe that don't fit in any of the categories above.

Moderators: martimiz, Sean, Ed, biapar, Willr, Ingo, swaiba

securing admin and security sections with ssl


Go to End


2 Posts   1731 Views

Avatar
flare

Community Member, 1 Post

24 September 2013 at 11:28am

Hi I'm running silverstripe 2.4.5, can anyone point me to any documentation on how I get these areas protected by SSL?

Currently in _config.php

I have

Director :: set_environment_type ('live');

//force SSL
$force_ssl = array("/admin/","/Security/");
$current_url = $_SERVER['REQUEST_URI'];
if (in_array($current_url,$force_ssl)) {
Director::forceSSL();
} elseif ( isset($_SERVER['SSL']) || (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on')) {
$destURL = str_replace('https','http', Director::absoluteURL($_SERVER['REQUEST_URI']));
header("Location: $destURL", true, 301);
die('<h1>Your browser is not accepting header redirects</h1><p>Please <a href="'.$destURL.'">click here</a>');
}

But this seems to do some of the job but gets into redirection loops and also does not protect the form the credentials are sent to.

Thanks

Avatar
Willr

Forum Moderator, 5523 Posts

28 September 2013 at 5:31pm

You can pass the URL's you want to protect to forceSSL

if(Director::isLive()) Director::forceSSL(array('/^admin/', '/^Security/'));