Rank: Newbie
Joined: 5/7/2008 Posts: 10 Location: co.us
|
Hi there,
I've been evaluating umbraco for a while and I'm at the point where I've overcome most issues and feeling pretty good about implementing our new website with it. I'm getting at the hard issues now, one of which is preventing the admin login username/pwd from being sent in plain text.
Can anyone tell me how to accomplish this? I have read the "SSL and umbraco" thread several times and partially tried the last post solution (require SSL in IIS Admin with a 403 redirect) without success. We don't need SSL protected content pages (at this time). We just want to prevent sending username/passwords in plain text to reduce the risk of being defaced.
Thanks in advance for your help!
|
|
Rank: Umbracoholic
Joined: 9/8/2006 Posts: 1,831 Location: MA, USA
|
A quick thought... could you handle this with URLrewriting so that only requests to the back end would be sent to the https port? You wouldn't need to set IIS to use ssl for the entire site that way. [Disclaimer: I'm NOT a URL rewriting expert... there may be a reason this won't work that I'm not thinking of at the moment :) ] cheers, doug.
MVP 2007-2009 - Percipient Studios
|
|
Rank: Fanatic
Joined: 7/20/2006 Posts: 408 Location: Amsterdam
|
Also quick thought: Put Windows Authentication on the Umbraco dir, think that's more secure than SSL.
|
|
Rank: Addict
Joined: 7/19/2006 Posts: 608 Location: Bad Homburg, Germany
|
chancock wrote: Can anyone tell me how to accomplish this? I have read the "SSL and umbraco" thread several times and partially tried the last post solution (require SSL in IIS Admin with a 403 redirect) without success. We don't need SSL protected content pages (at this time).
This should work, so what is the behaviour you get? PS: we have restricted our umbraco to local IPs, but this works for us in our configuration. Thomas
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
|
|
Rank: Newbie
Joined: 5/7/2008 Posts: 10 Location: co.us
|
hoehler wrote: This should work, so what is the behaviour you get?
PS: we have restricted our umbraco to local IPs, but this works for us in our configuration.
Thomas
Thanks all for your suggestions. Nothing happens when I have require ssl enabled. When I try to navigate to mysite/umbraco I just get a blank browser window. The redirect is occurring, but after that I just get a blank window. I was assuming there was something breaking behind the scenes. I have not tried to track down exactly where it is failing. I just assumed it would not work like that. I'll dig a little deeper and try to determine where it is failing. I may also try the windows authentication and as a last resort local IPs, but I don't feel that restricting IP is really the level of security we want. Thanks again!
|
|
Rank: Fanatic
Joined: 3/15/2007 Posts: 378 Location: Cary, NC USA
|
Do you have an SSL certificate installed on the server and also configured for the web site in IIS? Also, check out this post as well (if it's not the above post you mention) for more info on securing the admin (last post on page 2): http://forum.umbraco.org/yaf_postst3224p2_SSL-and-umbraco.aspx
|
|
Rank: Newbie
Joined: 5/7/2008 Posts: 10 Location: co.us
|
That is the post I was referring to. I only did the first part though (step 1) as I don't need to secure any content pages on my site, just the login page. Is that the problem?
I do have a certificate installed, but I'm starting to think that may be the problem. As I'm just evaluating umbraco and I still have a live static site on the server, I'm running umbraco as cms.myhostname, so I get a certificate mismatch warning when I navigate to https://mysite/umbraco. I have tried in both firefox and ie to ignore the error and trust the site, but I'm getting a 404 page not found when I go past that. (Above I said it was blank, that is actually only if I try to go to the page without https. And it's not blank, it actually is the redirect javascript that is not redirecting me)
I tried the windows authentication route and it works no problem. That may be a solution for us, however it has two downfalls. 1) it requires the use of IE. 2) the umbraco uname/pwd would still be sent in plain text would it not? I suppose one could argue that even if someone had the umbraco uname/pwd it would not matter b/c they would also need a valid domain acct uname/pwd as well.
|
|
Rank: Fanatic
Joined: 3/15/2007 Posts: 378 Location: Cary, NC USA
|
do you have the certificate enabled on your Umbraco website? also 
|
|
Rank: Fanatic
Joined: 3/15/2007 Posts: 378 Location: Cary, NC USA
|
you could also try a free (for 90 days) SSL certificate here and see if that works for the test site: http://www.instantssl.com/ssl-certificate-products/free-ssl-certificate.html
|
|
Rank: Newbie
Joined: 5/7/2008 Posts: 10 Location: co.us
|
Ahh... that did it! Thank you for the screenshots. I assumed because I was getting a certificate warning that it was enabled for my umbraco site properly. But it was not. I had missed a step.
Thank you so much for all your help even though it was an IIS issue. Hopefully this thread will be helpful for the next person that wants to do this. And I do think it's a very good idea security wise. I would think more people would want to do this.
|
|
Rank: Fanatic
Joined: 3/15/2007 Posts: 378 Location: Cary, NC USA
|
super - not a problem... glad it helped!
|
|
Rank: Enthusiast
Joined: 10/9/2008 Posts: 26 Location: London
|
Hi Umbraconian, Let's see who can give me some help. I have 1 Umbraco installed on 1 IIS website, but have 3 sites on the Umbraco. All site domains are assigned to IIS host headers, as well as an additional domain for editing purposes. So: www.site1.com, www.site2.com, www.site3.com, editing.site1.com <---- Only used for editing. For editing I have added SSL and all is fine and working. Now I need to add another SSL for www.site2.com (for user registration) but IIS (6) only allows 1 SSL cert. The only way is to add another IIS site and point it to the same Umbraco installation, but that would cause problems as mentioned in the forum. Has anyone done something similar?
Mizan
I am only trying
|
|
Rank: Umbracoholic
Joined: 9/8/2006 Posts: 1,831 Location: MA, USA
|
Not sure it would work, but could you assign the SSL by IP address? cheers, doug.
MVP 2007-2009 - Percipient Studios
|
|
Rank: Addict
Joined: 7/19/2006 Posts: 608 Location: Bad Homburg, Germany
|
No, because an SSL certificate is nailed to one hostheader, not to an IP address. Sorry, but you can only separate the installations (e.g. via umbraco courier) to use two certificates. Thomas
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
|
|
Rank: Enthusiast
Joined: 10/9/2008 Posts: 26 Location: London
|
So does it mean one Umbraco for editing/production and using Courier to update various Umbraco instances (separate IIS sites), and each of the IIS will handle separate SSL header?
Mizan
I am only trying
|
|
Rank: Addict
Joined: 7/19/2006 Posts: 608 Location: Bad Homburg, Germany
|
I have to correct myself: now there are wildcard certificates and identity certificates. Wildcard certificates (*.domain.tld) are certificates nailed to the domain name but with a wildcard for the subdomain (e.g. www.domain.tld and www2.domain.tld). See here. Also I know now that there are certificates identifying the company behind so that this certificate can be used with every domain name I guess. But I haven't found a description in the hurry. hth, Thomas
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
|
|
Rank: Enthusiast
Joined: 10/9/2008 Posts: 26 Location: London
|
I take 'identitycertificates' means Unified Communications Certificates (UCC)?
Mizan
I am only trying
|
|
Rank: Addict
Joined: 7/19/2006 Posts: 608 Location: Bad Homburg, Germany
|
It seems so, but I don't know them right now. Thomas
• 2007/2008 MVP • www.thoehler.com • Bad Homburg, Germany
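
The name matching behind the certificate mismatch warning and the wildcard and multi-name certificates discussed in this thread, as an added example that is not part of any post. The hostnames are the ones mentioned above; the certificate name lists and function names are constructed for illustration, and the matching is a simplified form of the usual wildcard rules (RFC 6125).

```python
# Added example: simplified TLS hostname matching against a certificate's names.
# Certificate name lists below are constructed, not taken from a real certificate.

def name_matches(cert_name: str, host: str) -> bool:
    """True if one name listed in a certificate covers the requested hostname."""
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = host.lower().rstrip(".").split(".")
    if len(pattern) != len(labels):
        return False  # "*" stands for exactly one label, never zero or several
    if pattern[0] == "*":
        # Wildcard is honoured only as the whole leftmost label, and only with
        # at least two fixed labels after it (so "*.com" never matches).
        return len(pattern) >= 3 and labels[0] != "" and pattern[1:] == labels[1:]
    return pattern == labels  # otherwise an exact, case-insensitive match


def cert_covers(cert_names, host):
    """A certificate covers a host if any of its listed names matches."""
    return any(name_matches(n, host) for n in cert_names)


def coverage(cert_names, hosts):
    """Map each hostname to whether the certificate would be accepted for it."""
    return {h: cert_covers(cert_names, h) for h in hosts}


# Hostnames from the multi-site question in the thread.
HOSTS = ["www.site1.com", "www.site2.com", "www.site3.com", "editing.site1.com"]

SINGLE_NAME = ["editing.site1.com"]                   # constructed: one-host cert
WILDCARD = ["*.site1.com"]                            # constructed: wildcard cert
MULTI_NAME = ["editing.site1.com", "www.site2.com"]   # constructed: multi-name cert

if __name__ == "__main__":
    for label, names in [("single", SINGLE_NAME),
                         ("wildcard", WILDCARD),
                         ("multi-name", MULTI_NAME)]:
        print(label, names)
        for host, ok in coverage(names, HOSTS).items():
            print("   ", host, "ok" if ok else "name mismatch warning")
```

A wildcard only helps hosts under the same parent domain, so covering both editing.site1.com and www.site2.com from one IIS site needs a certificate that lists both names.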