Thanks again Bob,

First off, the site is still being debugged off-line, and part of the
problem, as you suggested, is my confusion over UNIX SERVER and the Apache
Server. OK. Got that.

What I'm trying to do:

Any file that utilizes $_SESSION variables accessed through username/password 
validation is accessed via https. This includes the original signup screen, 
logins, etc. The only place for http files are static files that display 
non-sensitive info, and that do not require db access.

> If you are trying to hide scripts with important information (ie,
> passwords) then running a secure server will not work.  They will STILL be
> available from the internet, just at
> https://mywebsite/myfilewithapassword.php.

If the user is not logged in, they get an error message, and can go no
further since $_SESSION['authenticate'] must match their username/password.
All I'm trying to do is to provide an extra layer of security by shoving all 
sensitive files into the 'secure' directory, outside of the DOCUMENT_ROOT 
(but I have no idea what 'doc_root' in PHP is for??).

From what I'm trying to accomplish, do I really need to bother setting the
'secure' directory outside of the document_root? Wouldn't the setup I've done 
so far suffice? At any rate, I've tried just setting :

https://localhost/secure/test.php  -- it still gives a 404

Tia,
Andre



On Wednesday 21 August 2002 10:12 pm, Bob Irwin wrote:
> > Thanks Bob,
> >
> > Got a 404: File not Found. Checked the ssl_error_log as suggested, and found
> > a rather interesting entry:
> >
> > "No such file: /var/www/html/var/www/secure/test.php"
>
> Ahhh - ok - I thought you were including them internally from PHP.  You are
> actually linking to the file being SERVED by the web server in HTML.  In
> this case, all you need to do is reference it as
> https://secureserveraddress/filename.php
>
> First of all, we need to understand this. We have two separate servers
> here, the unix server that apache is running on and the apache server (this
> runs PHP, the secure server etc) itself.
>
> So... your normal website (served by the apache server) is at
> http://mywebsite.com/files.php
>
> BUT 'files.php' is located ON THE UNIX SERVER as /var/www/html/files.php
>
> The /var/www/html/ is the UNIX path to the file.  The users who are using
> your APACHE server to get files do not see this in any way.  All they see is
> what is in the root directory, ie, /var/www/html from
> http://mywebsite.com/, this is exactly the same for the secure server,
> except the served files are encrypted.
>
> Success in this depends on what you are trying to do.  Are you trying to
> secure files that contain information like your database passwords?  Or are
> you just trying to run PHP scripts that produce HTML on a secure server
> (so that you can take credit card details from the remote users?).
>
> If you are trying to hide scripts with important information (ie,
> passwords) then running a secure server will not work.  They will STILL be
> available from the internet, just at
> https://mywebsite/myfilewithapassword.php.  This is not easily explained
> and I don't want to spend time going into it if it's not what you're after,
> but if this is what you are doing, let me know and I'll help out.
>
> If you are just trying to encrypt the data from the server to the user,
> then you are doing the right thing, you just need to lose the
> /var/www/secure/ in the https:// address.
>
> > Obviously it goes to DOCUMENT_ROOT (pre-pending the /var/www/html) and adds
> > what I've asked for. So, how do I tell it where to look, and not the default
> > setting?
> >
> > How am I including them? Well, most of the action occurs from the menu so
> > it's:
> >
> > <a href="https://localhost/var/www/secure/test.php">Testing for Bugs</a>
> > (I've also tried /secure/test.php)
> >
> > Any ideas what I'm messing up?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
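
Added example, not written by anyone in this thread: one way to keep scripts in /var/www/secure (outside DOCUMENT_ROOT) and still reach them over https, using a small gate script that lives inside DOCUMENT_ROOT. The names gate.php, SECURE_DIR and the `page` parameter are assumptions; `served_path()` only illustrates why the error log showed /var/www/html/var/www/secure/test.php.

```php
<?php
// Added illustration; gate.php, SECURE_DIR and the "page" parameter are assumed names.
// gate.php sits inside DOCUMENT_ROOT and is requested as
// https://localhost/gate.php?page=test
declare(strict_types=1);

const SECURE_DIR = '/var/www/secure'; // outside DOCUMENT_ROOT: no URL maps to it

// Apache builds the file name as DOCUMENT_ROOT + URL path, so the URL path
// /var/www/secure/test.php becomes /var/www/html/var/www/secure/test.php.
function served_path(string $docRoot, string $urlPath): string
{
    return rtrim($docRoot, '/') . '/' . ltrim($urlPath, '/');
}

// Turn a page name into a real file under $secureDir, or null if it is not one.
function secure_script(string $page, string $secureDir = SECURE_DIR): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+\z/', $page)) {
        return null; // plain names only: no slashes, dots or NUL bytes
    }
    $base = realpath($secureDir);
    $file = realpath($secureDir . '/' . $page . '.php');
    if ($base === false || $file === false || strpos($file, $base . '/') !== 0) {
        return null; // missing file, or a symlink pointing outside the directory
    }
    return $file;
}

// Refuse plain HTTP so the session cookie only travels over the SSL server.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit('HTTPS required.');
}

session_start();
if (empty($_SESSION['authenticate'])) { // the login flag named in the thread
    http_response_code(403);
    exit('Please log in first.');
}

$page = $_GET['page'] ?? '';
$script = secure_script(is_string($page) ? $page : '');
if ($script === null) {
    http_response_code(404);
    exit('No such page.');
}
require $script; // included by filesystem path, never served by URL
```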