DesignProjectX

Ninja Domains Part 2: Including SSL in a Multi-Domain Setup using the Symphony XSLT Content Management System

Posted 2009-09-16 in Technology | XSL | XML | Text

This is the second part of a tutorial by my first contributing author, Michael Eichelsdörfer.

In Part 1 of this tutorial we built an an advanced multi-domain setup to power several websites by a single Symphony installation, using a single backend. This approach works fine for SSl/non-SSL domains as well.

Imagine the following situation: You have a website running on Port 80 (non-SSL). Because your “about” page includes a contact form sending sensitive data, you would like to serve this page encrypted by SSL (Port 443).

This tutorial is not about SSL installation. We assume that SSL is working and you are running a (sub)domain with SSL (port 443), while your main www domain is non-SSL (i.e. listening on port 80). Running SSL on the main domain is not covered in this tutorial, since this is a rather simple case. It will only require a subset of the techniques described below.

Prerequisites:

• Symphony XSLT Content Management System
• Apache webserver meeting Symphony’s requirements
• main domain running without SSL (port 80)
• second (sub)domain running with SSL (port 443)

You will need SSH access to the webspace/webserver.

Basic Setup

The www and SSL domains should point to different directories on the server, like so:

                      http://www.domain.com   =>  /var/www/www.domain.com
https://ssl.domain.com  =>  /var/www/ssl.domain.com

                    

Install a Symphony ensemble in /var/www/domain.com. You will find the following files and folders:

                      .htaccess
extensions
index.php
manifest
symphony
workspace

                    

In order to get the SSL domain working with Symphony you will have to create some symbolic links from /var/www/www.domain.com to /var/www/ssl.domain.com. Connect to your server via SSH using an SSH client application (e.g. the Mac OS X Terminal) and create the following links:

                      ln -s  /var/www/www.domain.com/extensions  /var/www/ssl.domain.com/extensions;
ln -s  /var/www/www.domain.com/index.php   /var/www/ssl.domain.com/index.php;
ln -s  /var/www/www.domain.com/manifest    /var/www/ssl.domain.com/manifest;
ln -s  /var/www/www.domain.com/symphony    /var/www/ssl.domain.com/symphony;
ln -s  /var/www/www.domain.com/workspace   /var/www/ssl.domain.com/workspace;

                    

Now create a physical .htaccess file in the SSL root and paste the Symphony part of you main (www) .htaccess file into it.

You should then be able to access your website via http://www.domain.com or https://ssl.domain.com. You should as well be able to login from either http://www.domain.com/symphony or https://ssl.domain.com/symphony.

Enforcing SLL/non-SLL access to pages

In order to manage SSL/non-SSL access to special pages, you might put some rewrite rules in your .htaccess files. Indeed you are strongly advised to do so in order to prevent users from accessing encrypted pages without encryption (and vice versa). And, hey, why not switch your Symphony backend to SSL as well? So we will take care of:

• the ‘About’ page
• the Symphony backend

Here comes the mod_rewrite magic. Add the following rules at the beginning of your .htaccess files:

www domain

                      <IfModule mod_rewrite.c>

    RewriteEngine on
    RewriteBase /

    ### global rewrite
    RewriteCond %{HTTP_HOST} !^www.domain.com$ [NC]
    RewriteRule ^(.*)$ http://www.domain.com/$1 [R,L]

    ### rewrite to SSL domain
    RewriteRule ^symphony(.*)$ https://ssl.domain.com/symphony$1 [R=301,L]
    RewriteRule ^about(.*)$ https://ssl.domain.com/about$1 [R=301,L]

</IfModule>

                    

SSL domain

The rules in your SSL .htaccess file are the tricky part. You must exclude SSL items from being rewritten to the www domain.

                      <IfModule mod_rewrite.c>

    RewriteEngine on
    RewriteBase /

    ### force SSL main rewrite is in Debian's host file

    ### force non-SSL - SSL items other than directories or files must be excluded here!
    RewriteCond %{REQUEST_URI} !symphony(.*)$ [NC]
    RewriteCond %{REQUEST_URI} !image(.*)$ [NC]
    RewriteCond %{REQUEST_URI} !about(.*)$ [NC]
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ http://www.domain.com/$1 [R,L]
    RewriteRule ^$ http://www.domain.com/ [R,L]

</IfModule>

                    

Please note that you will also have to exclude any URLs starting with the word “image” - otherwise you will not be able to use Symphony’s JIT entension to serve images from the SSL domain!

You should also note the comment about the force SSL main rewrite. Due to the encrypted nature of SSL connections and the inner workings of Apache there is probably no way to successfully enforce SSL connections in your .htaccess file. Instead you will need a rewrite instruction in your SSL sites’s configuration file:

                      <VirtualHost *:80>
    ServerAdmin webmaster@domain.com
    DocumentRoot /var/www/ssl.domain.com
    ServerName ssl.domain.com

    ... (more configuration stuff)

    ### force SSL
    RewriteEngine On
    RewriteCond %{SERVER_PORT} !443
    RewriteRule ^/(.*)$ https://ssl.domain.com/$1 [R=301,L]
</VirtualHost>

 <VirtualHost *:443>
    ServerAdmin webmaster@domain.com
    DocumentRoot /var/www/ssl.domain.com
    ServerName ssl.domain.com

    ... (more configuration stuff)

    ### domain rewrite
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^ssl.domain.com$ [NC]
    RewriteRule ^/(.*)$ https://ssl.domain.com/$1 [R=301,L]
</VirtualHost>

                    

Building navigation links

Once you are done with that, you might notice that your navigation links are always pointing to the root domain of the current page, thus provoking lots of redirects. Additionally, they do not look cool, especially if you are on the SSL domain. (In this case every navigation item will point to the SSL subdomain.)

Open up your master.xsl file and insert the following global variable definitions (before the first <xsl:template> instruction):

                      <xsl:variable name="www-root" select="'http://www.domain.com'" />
<xsl:variable name="ssl-root" select="'https://ssl.domain.com'" />

                    

Now open the Symphony backend and navigate to Blueprints > Pages. Choose the page “About” and define a page type of “SSL”. Since the navigation datasource will output any page types to XML, you may use them in your XSL.

Open your navigation template in your text editor. If you are working through this tutorial using a default installation of Symphony, it will be named navigation.xsl. You will find this template:

                      <xsl:template match="page">
    <li>
        <a href="{$root}/{@handle}/">
            <xsl:if test="@handle = $current-page">
                <xsl:attribute name="class">active</xsl:attribute>
            </xsl:if>
            <xsl:value-of select="name"/>
        </a>
    </li>
</xsl:template>

                    

Replace it by this:

                      <xsl:template match="page">
    <xsl:variable name="page-root">
        <xsl:choose>
            <xsl:when test="types/type = 'SSL'">
                <xsl:value-of select="$ssl-root" />
            </xsl:when>
            <xsl:otherwise>
                <xsl:value-of select="$www-root" />
            </xsl:otherwise>
        </xsl:choose>
    </xsl:variable>
    <li>
        <a href="{$page-root}/{@handle}/">
            <xsl:if test="@handle = $current-page">
                <xsl:attribute name="class">active</xsl:attribute>
            </xsl:if>
            <xsl:value-of select="name"/>
        </a>
    </li>
</xsl:template>

                    

Now all the navigation links for SSL type pages should point to the SSL domain, while all the others should still point to your main domain. (These domains have been defined using the global variables in your master.xsl.)

There you are. You have mastered a Symphony SSL installation.