Home » Forums » Ubercart » Support
11 replies [Last post]
Fri, 04/16/2010 - 00:26
acheung456
acheung456's picture
Offline
Joined: 04/16/2010
Juice: 16
Was this information Helpful?

So I've been reading several threads about others with this problem and possible solutions. Unfortunately I don't quite understand where they are going and hoping someone can shed a little light on the situation with less complex wording Smiling

I have a GoDaddy Deluxe hosting account, with only access to the /html/ root folder, so as I try to specify any subfolders as the keys directory I get the "non-existent directory" error.

I heard I have several options: Create a false domain and point at my Drupal root, create an obscure folder and protect with .htaccess, and another that is escaping me at the moment. What my question is: Which is the most viable method? The site is designed with a Flash front end (located at: site.com/index.html) and the drupal install as a backend is located at (site.com/drupal/). What method of getting CC processing up would you think will work best?

(btw we have yet to purchase the SSL certifcates yet until we have things configured properly)

Thank you for all your help Smiling

Top
Fri, 04/16/2010 - 05:02
#1 View page
GreyHawk
GreyHawk's picture
Offline
Joined: 03/17/2009
Juice: 174
Have you set your Open Basedir...?

In the setup I use, had to set up a vhost.conf file for ssl to work that enacted an Open Basedir to allow the app to access the keys directory.

I think for optimal security the keys directory had to be located outside the normal accessible webstuff; my ecommerce clients have a keys directory outside of their normal httpdocs webroot.

You could ask the GD folks how you can set open basedir and if they could put a keys directory outside of your normal reach.

According to torgosPizza, the vhost.conf method isn't the best, but it works. Here's some additional data:

http://www.ubercart.org/forum/support/14703/encryption_key_filepath_problem

http://www.ubercart.org/forum/support/9020/https_issues

Top
Fri, 04/16/2010 - 10:31
#2 View page
acheung456
acheung456's picture
Offline
Joined: 04/16/2010
Juice: 16
Re: Encryption Folder Question

I stumbled upon this as well:

http://help.godaddy.com/article/4067

The idea is to make a false domain name as a primary domain, and then add your actual domain as just another one and have your actual name domain point to a subfolder of the false one, while the false domain root is unaccessible. Thoughts?

Top
Fri, 04/16/2010 - 11:01
#3 View page
GreyHawk
GreyHawk's picture
Offline
Joined: 03/17/2009
Juice: 174
Still not secure...

It doesn't look that will be very secure. Oddly enough, they end that article with this paragraph:

"After you update your account in this way, it is important to remember that the root folder of your site still allows access to anonymous users, but not through a Web browser. It is possible that your site may allow users to access files stored in these directories. If you would like folders to be more secure, create a new virtual directory off of the site root and restrict its access."

...that's effectively what you want -- a directory off of the site that you can restrict access to. (Not sure if "virtual" is very comforting, tho -- not sure what ~their~ idea of virtual is.)

Top
Fri, 04/16/2010 - 11:05
#4 View page
GreyHawk
GreyHawk's picture
Offline
Joined: 03/17/2009
Juice: 174
I'm guessing you've seen this ...

I'm guessing that you've already seen this from GoDaddy --

http://help.godaddy.com/article/718

...if not, maybe some of the information there and linked to from there would be useful to you.

Top
Sun, 04/18/2010 - 12:26
#5 View page
acheung456
acheung456's picture
Offline
Joined: 04/16/2010
Juice: 16
Re: Encryption Folder Question

I ended setting up the false domain, so here is my architecture now:

secure-site.com/ <-- "Primary Domain" term used by GoDaddy to specify the root
secure-site.com/webroot/drupal/ <--- location of drupal installation
site.com/ <-- root points to secure-site.com/webroot/

This makes site.com/drupal work correctly. I added another directory on the same level as webroot called verify:

secure-site.com/verify

But when I specify this as the folder for encryption I get the "Non-existent directory" error. I've checked the file permissions, 777 for the folder. Any thoughts on what I may be doing wrong?

Top
Sun, 04/18/2010 - 15:51
#6 View page
GreyHawk
GreyHawk's picture
Offline
Joined: 03/17/2009
Juice: 174
If you're pointing to Webroot...

From what you wrote above, and this is only my speculation -- If you're pointing the virtual host to webroot, then verify isn't going to be seen.

It would have to be inside webroot, on the same level as drupal (but obviously not within the drupal directory).

site.com points to secure-site.com/webroot, so for verify to work as a directory it has to be within webroot, and then you'd specify the following as your folder for the encryption:

site.com/verify

Top
Sun, 04/18/2010 - 16:00
#7 View page
acheung456
acheung456's picture
Offline
Joined: 04/16/2010
Juice: 16
Re: If you're pointing to Webroot...

But if the verify directory is in webroot, then it'll be accessible via a web browser (without some restriction settings), and I thought the whole point of going throught this setup was so I would be able to put the directory outside of the root...?

Top
Sun, 04/18/2010 - 16:12
#8 View page
GreyHawk
GreyHawk's picture
Offline
Joined: 03/17/2009
Juice: 174
You're correct on both counts.

I don't know if you can set your "site.com" to point to "secure-site.com/verify" -- that would resolve part of the issue.

But re-read the excerpt I included in #3 from GoDaddy -- I'll repeat part of it here:
"After you update your account in this way, it is important to remember that the root folder of your site still allows access to anonymous users, but not through a Web browser. It is possible that your site may allow users to access files stored in these directories. If you would like folders to be more secure, create a new virtual directory off of the site root and restrict its access."
If you point "site.com" to "secure-site.com/webroot" then the verify directory would have to be in webroot to be accessible, and would be accessible by a browser.

If you set "site.com" to point to "secure-site.com/verify" then you should be in better shape -- at least from a browser. It still wouldn't be really secure unless or until you secured the accessibility of the folder. At least, that's how I'm reading the GoDaddy info.

I don't know if they've got better info on options depending on the payment method you're using or not, but in post #5 I pointed out this link:

http://help.godaddy.com/article/718

It has a bit more info and the links it provides might be useful if you prefer to try another method.

I think simply repointing "site.com" to "secure-site.com/verify" instead of "secure-site.com/webroot" will get you where you need to go, and then you just have determine what restrictions you can place on it so that ubercart can still read the encryption key.

Top
Sun, 04/18/2010 - 16:27
#9 View page
GreyHawk
GreyHawk's picture
Offline
Joined: 03/17/2009
Juice: 174
Re: Re: If you're pointing to Webroot...

Further thought...

Not sure if scenario A or scenario B makes a difference:

Scenario A: site.com -> secure-site.com/verify

Scenario B: site.com -> secure-site.com/

If you point "site.com" to "secure-site.com/verify" as in Scenario A, then I don't know what you'd set your encryption filepath to -- site.com maybe? So you might need instead to set "site.com" to point to "secure-site.com/" ...and then set the permissions for the "verify" directory accordingly.

Top
Sun, 04/18/2010 - 17:00
#10 View page
acheung456
acheung456's picture
Offline
Joined: 04/16/2010
Juice: 16
Re: Re: Re: If you're pointing to Webroot...

I see, well if I point site.com -> secure-site.com/, then what's the point in having a false domain name? Having verify outside of the webroot makes it unaccessible via browser, but I assumed that Drupal would be able to access outside it's installation directory? If it can't, then how could it possibly use a folder outside the root director to verify things?

Top
Sun, 04/18/2010 - 17:17
#11 View page
GreyHawk
GreyHawk's picture
Offline
Joined: 03/17/2009
Juice: 174
I'm still guessing here...

I'm still guessing here, but if you have a virtual domain that points to something outside the webroot, then GoDaddy must allow some type of access that way -- being outside of the webroot simply means that a browser can't get to it.

That would explain why GoDaddy also specifies that the folder may be accessible by other means, so I suspect you'd need to lock it down so that it's not open to the world (i.e., not 777).

At this point, tho, I'm only going on what they wrote -- I'm not on GoDaddy so I can't test it.

Drupal will apparently be able to access the directory because the false domain points to it and drupal would be following the false domain...which still sounds kinda dodgy to me. It would make more sense (in my mind) if GoDaddy would simply allow you to set the open_basedir -- this must be their way of creating a workaround for the application/system/site level.

Top