Ok thanks to all the great people here I've finally got our site moved over to nginx and it operates so much better (largely using perusio's configs -- thanks!). We currently have one problem, however, and that is we get a double-slash when securepages moves us to a https page (i.e. checkout) which causes some problems and securepages doesn't appear to take us back to http later - in fact the radio button to enable/disable it is greyed out.
I've read - http://groups.drupal.org/node/206813
and http://drupal.org/node/347682
There are so many options and then a few people saying none of them work with boost (which we also use and appears to be working fine right now on the site - http://www.yinyanghouse.com/ )
Now I know mixedmode is not great but for many reasons we don't want everything secured afterwards, mostly some poor coding involving images, etc. that would take some time to track down to avoid errors.
So we only secure
cart/checkout
cart/checkout/review
cart/checkout/payment_details/*
cart/checkout/complete
cgi-bin/webscr
In one post, perusio mentioned a mapping method within nginx to avoid securepages all together - is that ideal for just a few pages. Is there something simple to get securepages working as it did on our apache server within perusio's configs?
Thanks for any guidance.
Comments
The double-slash
is due to a Drupal 6 feature. That has been fixed.
See the discussion: https://drupal.org/node/827236.
I don't get the secure pages thing because I haven't used it ever. My suggestion is to stay over HTTPS when you enter in a page that is secure: set a secure cookie and keep it there. MIxed mode is vulnerable to MiTM. Because the cookies travel over non secure pages, which doesn't have endpoint authentication, hence you're throwing out the window one of SSL main benefits IMHO.
I suggest that you use two hosts. One over SSL and one over regular HTTP. Unless you're including external images/assets I don't see any problem with a purely HTTPS host. It's simpler and faster. If you're including external images, setup a proxy and request the images from the proxy. Involves changing the URIs of the images. Can be done on the
template.phpfile, for example.It is difficult to make this
It is difficult to make this setup secure and friendly with D6. See the discussion here:
http://drupalscout.com/knowledge-base/drupal-and-ssl-multiple-recipes-po...
and the comments at the old location of the thread:
http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-...
Without the bit in settings.php to change the session cookie to secure mode, you're using the same cookie for http and https, so if someone intercepts the cookie in http, they can spoof that session in https as well.
But that means the user will have different sessions in http and https and their carts won't appear synced. To some extent you can merge the sites if you use ajax-loaded cart blocks that load over https on http pages. D7 addresses the problem by having two different session cookies for each session. There are modules designed to address the problem including:
http://drupal.org/project/securepages_prevent_hijack
http://drupal.org/project/session443
http://drupal.org/project/mixed_session
I haven't tried those last two modules, and the first one doesn't solve the issue of getting different pages in http/https.
As perusio says, you can try to make sure that any time they've visited https that they're on https for the rest of the session. This is in fact what the strict-transport-security header does, although only newer browsers support it. With pressflow, you could detect a session cookie and move them to https any time they have the cookie, including the first time they add an item to a cart. But those would trigger your image problem. If it's a matter of going through the database changing all image locations to relative src then that might be what you have to do.
That mixed_session module promises a real solution, but is one month old and has no community testing.
Tough one.