Posted on

Magento SSL Offloading with Amazon ELB

I’ve had a fun & games sort of day working through this Magento SSL offload on Amazon’s ELB and I thought it’d be worth documenting what’s involved, in the process I’ll give some steps to get it working and explain what the new (since version 1.6.2) Offloader header config option is for and how it helps.

Background

Firstly, a bit of background – if you just want the quick fix, skip right to it. The Internet can beam magically onto your computer screen one of two ways: http and https. http means the things you see everyone else can see too, the content is unencrypted and sent from the server to your computer. If you’re at a wifi hotspot, what you do online is being broadcast to everyone around you. Conversely, an https connection means the content is securely encrypted, and the endpoint server you are connecting to, is probably who they say they are. So we want https in public places, or when financial or personal information is involved – and if we’re paranoid, we want it all the time.
Continue reading Magento SSL Offloading with Amazon ELB

Posted on

How to use Apache Virtual Hosts over a local network with MAMP

I was asked recently whether it was possible to use the Virtual hosting in Apache I describe for Magento on MAMP over a network rather than just locally. To make a sensible response I wanted to give a quick background to the HTTP requests going on and how Apache uses those requests to decide what HTTP response to send back. It turned into a bit of a long reply comment so here it is as a post instead.

I use a network Apache virtual hosts setup all the time (though the network isn’t a local network it’s the internet, but same principle).

Continue reading How to use Apache Virtual Hosts over a local network with MAMP

Posted on

A simple way to password protect your Magento store

This post will describe a simple technique to secure your Magento virtual host with basic HTTP password protection provided by Apache. This can be useful if you want to keep users away from the webstore during development, or if you sell products wholesale and do not want unauthorized users to view your catalog/pricing.

To be very clear from the outset, this technique uses basic HTTP authentication, which if used over HTTP (rather than HTTPS) affords no security for the passwords while they are in transit across the internet. If you are interested, you can learn more about the limitations of basic access authentication. As a simple mechanism for keeping people out of a site, it will do just fine. If you store your nuclear missile access codes in a Magento store database, do not use this technique to protect them, please.

Normally when I’m developing a new site I just use virtual hosting and a modified operating system hosts file to prevent people visiting it while it’s in development. I realize that’s not really security, more obscurity, but it has worked fine for me in the past.

Recently I have had a need to more fully protect a site, but also to make it public via DNS records. In a nutshell the steps required are, configure virtual hosting for your webstore, configure Apache authentication, setup a user/password and reload apache. I’ll run through everything in detail below.
Continue reading A simple way to password protect your Magento store