How to secure an integrated Orchard-MVC 4 Project?

Topics: Francais (French), General, Installing Orchard
Sep 22, 2012 at 1:47 PM

I need to build a new Orchard web site having a link on its default page to call an MVC 4 application.
For security, I have to consider https for:
-    Login link for customers on the Orchard default web page, to access the MVC 4 web application.
-    Login for Orchard admin interface.
-    Login on an Orchard page to the internal mail server.
-    A mail Form for users to send their mail to the internal mail server.

I wonder what the best practice should be regarding domain name splitting (layout): do I need to use only the main domain name and secure it with only 1 SSL certificate, or do I maybe have to use multiple subdomains like appzone.mydomain.com, mail.mydomain.com, admin.mydomain.com, etc … and use 1 certificate per subdomain?

Coordinator
Sep 22, 2012 at 6:05 PM

Wildcard certificates tend to be even more super-expensive than regular certificates. It'll probably be a lot less expensive to buy one certificate for each, unless you really plan on having a lot. But in terms of how it affects security, I don't think it makes a difference. But I may be wrong.

Sep 22, 2012 at 7:04 PM

Yes Bertrand, I agree with you that a wildcard is very expensive for a small application, but as a basic SSL provides encryption for a given domain or for a given subdomain, what should the behavior of SSL be when the URL changes while using the same domain name?

For example:

https://www.domain.com/userlogin.aspx and https://www.domain.com/contact.aspx maybe should use the same certificate, but if we use, for example:

https://www.admin.domain.com/ and https://www.mail.domain.com/ these necessarily have to use two different certificates.

Sep 22, 2012 at 10:07 PM

Well, we got a wildcard SSL since then you're free to do subdomain-wise what you want ^^

We're using it for non-http stuff too though.

Sep 23, 2012 at 12:37 PM
Edited Sep 23, 2012 at 12:40 PM

Maybe I have to consider MVC areas like this: site.com/area/controller/action to try to have one good certificate for the whole application (https://www.site.com). Since I am new to Orchard I do not know if it already uses or supports areas.

Sep 23, 2012 at 12:49 PM

A module is an area, see the router.cs

Sep 23, 2012 at 1:09 PM
Edited Sep 23, 2012 at 1:27 PM

So do you think using the same basic SSL certificate (not wildcard) for:

https://www.site.com/customer/account/login
https://www.site.com/admin/users
https://www.site.com/admin/mail/login

could be possible?

Sep 23, 2012 at 2:00 PM

You really should read up how SSL certificates work, but yes...
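
Added example, not part of the thread or of Orchard: a small Python check of which of the URLs discussed above a given certificate covers. It shows that only the host name is compared (never the path) and that a wildcard stands for exactly one label. The function names and the bare `admin.domain.com` / `mail.domain.com` hosts are assumptions made for the illustration.

```python
from urllib.parse import urlsplit


def host_matches(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name with a host name.

    A wildcard is honoured only as the whole leftmost label and
    replaces exactly one label, which is how browsers apply it.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def covered(url: str, cert_names: list[str]) -> bool:
    """True if the URL's host is listed in the certificate; the path is ignored."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return any(host_matches(name, parts.hostname) for name in cert_names)


def uncovered(urls: list[str], cert_names: list[str]) -> list[str]:
    """Return the URLs whose host the certificate does not cover."""
    return [u for u in urls if not covered(u, cert_names)]


# URLs from the thread: one host, three different paths.
PATH_URLS = [
    "https://www.site.com/customer/account/login",
    "https://www.site.com/admin/users",
    "https://www.site.com/admin/mail/login",
]
# Constructed for the example, plus one two-level host from the thread.
SUBDOMAIN_URLS = [
    "https://admin.domain.com/",
    "https://mail.domain.com/",
    "https://www.admin.domain.com/",
]

if __name__ == "__main__":
    print("single-name cert misses:", uncovered(PATH_URLS, ["www.site.com"]))
    print("wildcard cert misses:   ", uncovered(SUBDOMAIN_URLS, ["*.domain.com"]))
```

A certificate that lists several names (`admin.domain.com` and `mail.domain.com` together) passes the same check for both hosts, so "one certificate per subdomain" and "wildcard" are not the only two layouts.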

Sep 23, 2012 at 9:03 PM

Thank you AimOrchard.