A reseller created an Online Store on the domain store.reseller.com in PBA with the following parameters:
Providers Store Host: store.provider.com
The Provider's Online Store, hosted on the server store.provider.com, is configured to use the HTTPS protocol and port 443 as well.
The store is running under Apache on a POA-managed legacy Linux Shared Hosting server (not an NG Hosting server).
An attempt to open the reseller's Online Store in a browser using the HTTP protocol leads to the error message:
Error occurred: 500 - internal server error
At the same time, the following error message appears in the Apache error log of the webspace where the Online Store is hosted:
[Mon Nov 26 03:29:15 2012] [warn] proxy: No protocol handler was valid for the URL /index.php. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
The reseller provided an incorrect installation folder for the proxy Online Store: they configured the Online Store to use the HTTPS protocol but put the Store content into the plain HTTP document root.
When a reseller (or Provider) creates an Online Store in PBA, they provide the following parameters:
Path Inside FTP
Proxy Store URL Suffix
Using the FTP server address and login credentials, PBA uploads a special .htaccess file with a set of Apache rewrite rules into the folder provided in the Path Inside FTP parameter.
If the proxy Online Store is hosted on a POA-managed legacy Linux Shared Hosting server, the webspace contains separate folders for HTTPS and HTTP documents, used by the SSL and non-SSL websites hosted in the webspace. The Apache webserver on a POA-managed legacy Linux Shared Hosting server has two separate sets of processes which serve SSL and non-SSL requests. The non-SSL Apache processes cannot serve SSL requests because the mod_ssl module is not loaded by these processes at all.
If a reseller provides the plain HTTP document root for an HTTPS-based Online Store, the following happens:
- A customer opens the Online Store in their browser using the HTTP protocol.
- The browser establishes a connection to the HTTP port of the Apache webserver where the Online Store is hosted and requests the Online Store website.
- The plain HTTP document root is used to host the Online Store website (like /usr/local/pem/vhosts/WEBSPACE_ID/webspace/httpdocs/store.reseller.com).
- Apache loads the .htaccess file with the rewrite rules.
- Since the reseller configured the Online Store to use the HTTPS protocol, the .htaccess file contains rewrite rules to redirect the browser to an HTTPS connection to the Provider's Online Store.
- The Apache server cannot process the redirect request because it cannot serve HTTPS requests at all.
- As a result, the error message 500 - internal server error is shown to the customer in the browser and the corresponding error message is logged in the Apache error log.
In accordance with PCI Compliance rules, the Online Store must be available only through a secure HTTPS connection, so all parts of the Online Store website must use HTTPS.
The reseller has to reconfigure the Online Store and put the Store content into the HTTPS-enabled folder inside the Apache webspace, like /usr/local/pem/vhosts/WEBSPACE_ID/webspace/httpsdocs/store.reseller.com, not /usr/local/pem/vhosts/WEBSPACE_ID/webspace/httpdocs/store.reseller.com:
- Log in to the PBA Reseller Control Panel
- Go to Product Director > Online Store Manager > Synchronization Settings
- Click the Install Proxy Store button
- Provide the path to the HTTPS-enabled folder in the webspace. The full path should look like /webspace/httpsdocs/location, where location is the name of the folder where the content of the Online Store website will be placed (namely, the .htaccess file with the set of rewrite rules).
Also, to prohibit plain HTTP access to the Online Store, the reseller has to put the following .htaccess file into the HTTP document root of the Online Store website:
RedirectPermanent / https://store.reseller.com/
As a result, there will be two .htaccess files, one in the HTTPS document root and one in the HTTP document root, for the SSL and non-SSL Online Store websites:
- If a customer opens the Online Store using the HTTP protocol, their request will be redirected to the SSL-based website by the RedirectPermanent directive.
- If a customer opens the Online Store using the HTTPS protocol, their request will be correctly redirected to the Online Store engine.
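The resulting layout can be verified from a shell on the hosting server. The script below is an added example, not part of the original article or of PBA/POA tooling; check_store_layout is a hypothetical helper name, and it assumes the PBA-uploaded .htaccess can be recognized by its mod_rewrite directives (RewriteEngine, RewriteRule, RewriteCond).

```shell
#!/bin/sh
# Added example: audit which document root holds which .htaccess file.
# Usage: check_store_layout WEBSPACE_ROOT SITE
#   WEBSPACE_ROOT  e.g. /usr/local/pem/vhosts/WEBSPACE_ID/webspace
#   SITE           e.g. store.reseller.com
# Prints one finding per line; returns 0 if the layout is correct, 1 otherwise.
check_store_layout() {
    root=$1; site=$2; rc=0
    http_ht="$root/httpdocs/$site/.htaccess"
    https_ht="$root/httpsdocs/$site/.htaccess"
    # Assumption: the proxy store rules are identified by mod_rewrite directives.
    rw='^[[:space:]]*Rewrite(Engine|Rule|Cond)'
    # Escape dots so the host name is matched literally in the regex below.
    site_re=$(printf '%s' "$site" | sed 's/\./\\./g')

    # 1. The proxy store rules must be in the HTTPS document root.
    if [ -f "$https_ht" ] && grep -Eqi "$rw" "$https_ht"; then
        echo "OK: rewrite rules found in $https_ht"
    else
        echo "FAIL: no rewrite rules in $https_ht"; rc=1
    fi

    # 2. The plain HTTP root must not hold them (this is the 500 error case).
    if [ -f "$http_ht" ] && grep -Eqi "$rw" "$http_ht"; then
        echo "FAIL: rewrite rules in plain HTTP root $http_ht"; rc=1
    fi

    # 3. The plain HTTP root must redirect permanently to the HTTPS site.
    redir="^[[:space:]]*RedirectPermanent[[:space:]]+/[[:space:]]+https://$site_re/?[[:space:]]*\$"
    if [ -f "$http_ht" ] && grep -Eqi "$redir" "$http_ht"; then
        echo "OK: $http_ht redirects to https://$site/"
    else
        echo "FAIL: $http_ht lacks 'RedirectPermanent / https://$site/'"; rc=1
    fi
    return $rc
}

# Run directly when called with two arguments.
if [ "$#" -eq 2 ]; then check_store_layout "$1" "$2"; fi
```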