cgi script + https.

[Pandora]

OK, here's the URL of the error:
https://secure54.nocdirect.com/~asta...ing/sendit.cgi

Basically, I am hosting a site for a fall gathering for a friend. The email form collects some private but not *sensitive* data. Names and contact details, etc.

I want that to be through the certificate, so that the contact page and transfer of the data through the form are secure.

However, I get the above error.

So, is it just that cgi scripts don't work through the shared cert? Or have I just hosed up the script and have the referrers incorrect?

These are the referrers:
@referers = ('thelammasgathering.com','secure54.nocd irect.com');

I admit, it's been like 4 years since I did any Full Time web dev stuff, so I could be just totally off my hat!

Anyway, anyone? Help?

[Pandora]

Does no one know the answer? Or is the question *that* wrong?

and FYI, there's no "gap" in secure54.nocdirect.com in my script. No idea why there is above.

If no one can answer the above, can anyone tell me how to point to a cgi script through the SSL? Just in case I'm doing it wrong?

I would have thought it would be the same thing as pointing to a page, but doesn't seem to be working like that, which would be weird since most people use SSL for t5hings like shopping carts, which are themselves usually CGI/perl or php scripts. *puzzled emoticon*

Thanks!

[jason]

You shouldn't have to do anything special to get a script to run under SSL. All of the encryption and transmission stuff happens at a level above the script, so generally speaking, your scripts should wheter you call them with normal http or https.

A 403 error usually indicates a permissions problem. Calling the script form the secure54 URL with normal http also results in a 403 error, so I don't think that HTTPS is the issue here.

My hunch is that this is a limitation of suExec. JPC uses suExec to run srcipts as the script's owner rather than "nobody" for security purposes. SuExec can be set up in such a way that not only will scripts run under their owner's UID, but also so that only scripts owned by a named owner and/or group in the Apache config can be run under a given virtual host (domain). I'm guessing that, since you aren't accessing the script from your virtual host, you are getting a conflict with this required owner setting.

The first thing I would do is check that the CGI has proper execute permissions (755). If that doens't solve the problem, I'd go to support. They may be able to adjust things on the default site to allow this through. I'm not sure if it will be possible or not, though.

When you get it figured out, be sure to post back so that we know what happend.

--Jason

P.S. If your script is sending the information it collects to you by email, you're kind of defeating the purposed of using HTTPS in the first place. The email message (unless you encrypt it yourself) is sent in the clear, so it is just as likely that someone will sniff it out en route to your email client as they will sniff it out when the original submitter submits your form.

[Pandora]

Hi Jason and folks,

OK, so basically, I've got my friend's gathering site in a subdir. The domain name points to her dir.

HOWEVER, with the script in her dir, NOT directly in my public_html (www) dir, it gets a forbidden error.

Totally weird, given the page accessed through SSL loads and works, but the script in the *same* dir does not.

So, wherever you have the site uploaded, say a site in it's own dir with URL pointing to that dir, it appears, at leat on the machine where I am hosted, that cgi/pl scripts must be in the home public_html/www dir.

Works a treat!

For now it's email (just so I can get it working and see what's what), but I am trying to instead, find or write a script that will let the user fill the form out, and then it will pass the details to a database (MySQL), which will be in a different dir, which will be password protected.

Then she can have all the details of all attendees in the same place.

That would be fine, security-wise, right?

If anyone has any ideas where I could find/buy a script like that - I'd love to hear about it!

This is a non-profit org, so funds are tight, but I'd be willing to pay a bit for it.

Thanks!

[Pandora]

Oh but: The script would have to send an email each time there was a new request, something along the lines of: Subj: Invitation Request
Body: Check database.

Or whatever. Just something to let her know to check it.

Thanks and happy Almost Weekend!