SSL certificate, upload, location, destination,

Gravity Support Forums » Plugin Support » Gravity Forms

Joseph
Member

Hello Darlings!

My site has an SSL cert. Recommended clients upload private info, that informs us what kind of support they need. I have looked around the forum for a solution to what I would like to do on the site; I am sure I have seen it but can't find it

:(

When clients upload documents they contain sensitive information, I would like to apply a password to the gravity uploads folder via the SSL cert, so a document can only but downloaded via the url link in the email with the password protection. However, I assume that this may prevent stuff being uploaded to it via a form. Is this the case?

If so, would it be possible for the information to be uploaded to another folder on the domain via gForms?

If so, how (im sure Ive seen it discussed somewhere else!!!)?

Thanks RocketGeniuses!!!

Posted 12 years ago on Monday September 3, 2012 | Permalink
Chris Hajer
Key Master
Protecting the uploads is not part of Gravity Forms. However, you can do a couple things:

1. You can force all access to the upload folder to be via https/SSL by adding this to your .htaccess file:
```
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} wp-content/uploads/gravity_forms
RewriteRule ^(.*)$ https://example.com/wp-content/uploads/gravity_forms/$1 [R,L]
```
That will work if your host allows that type of override in an .htaccess file. That will force any access to that folder via http to be redirected over https. That protects the request during transit.

2. You can change the upload directory with the gform_upload_path filter: http://www.gravityhelp.com/documentation/page/Gform_upload_path That will put uploads into a new directory for you. If you do that, the information in item 1 above will need to be adjusted to the new location and URL.

3. However, none of that will prevent someone with the URL from accessing the document directly. They would just be directed to a secure connection and the download would continue. You can however, protect the upload directory with Apache Basic Authentication, which will force the visitor to log in with a username and password before they can download the file. You can read more about Apache Basic Authentication here: http://www.rahul.net/howto/basicauth.html There are a lot of tutorials online. There are two parts to it. Create the .htpasswd file, and create the .htaccess file. The .htaccess file will go in the upload directory for the form, and will look like this:
```
Options -Indexes
AuthName "Protected Upload Directory"
AuthType Basic
AuthUserFile /path/on/server/to/file/htdocs/.htpasswd
require valid-user
```
And then in the file /path/on/server/to/file/htdocs/.htpasswd you will store the authentication information.

This basic auth does not interfere with the uploads, just the access over http (and https).

It's a worthwhile customization but will take a bit of work and the help of your system administrator maybe.
Posted 12 years ago on Monday September 3, 2012 | Permalink
Joseph
Member

Will have a look and try. Phew thats a long one.

Posted 12 years ago on Monday September 3, 2012 | Permalink
Chris Hajer
Key Master

There is a lot to it, but I did it on an installation I have in about 30 minutes or so, including the form. So, for a competent systems administrator, it should not take too long. On shared hosting, it might take longer to accomplish, depending on the support you receive.

Posted 12 years ago on Monday September 3, 2012 | Permalink
Joseph
Member

cheers chris!

i will have a go.... I'm doing too many things here

(rolling of eyes)

Posted 12 years ago on Monday September 3, 2012 | Permalink

Hi Chris,

I pasted...

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} wp-content/uploads/gravity_forms
RewriteRule ^(.*)$ <a href="https://example.com/wp-content/uploads/gravity_forms/$1" rel="nofollow">https://example.com/wp-content/uploads/gravity_forms/$1</a> [R,L]

but replacing the the URL with my domain and wordpress install folder.

However I get an internal server error.

this is currently what my .htaccess file looks like

DirectoryIndex index.php

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

where exactly should it go so I so I don't get the internal error?

I think I'm being lame here

Posted 12 years ago on Friday September 14, 2012 | Permalink

Chris Hajer
Key Master

The syntax looks OK. I would put your rules right where blank line 2 is in the default WordPress .htaccess file.

It's possible your host does not support these overrides in an .htaccess file. You will need to contact your host or look at the Apache error logs to see what the problem is that is causing the 500 Internal Server error.

Posted 12 years ago on Saturday September 15, 2012 | Permalink
Joseph
Member

Just to say this is sorted now!

Posted 12 years ago on Sunday September 23, 2012 | Permalink
Chris Hajer
Key Master

How did you resolve the problem Joseph?

Posted 12 years ago on Sunday September 23, 2012 | Permalink
Joseph
Member

As you suggested. Also placed a username password on the folder!

Posted 12 years ago on Sunday September 23, 2012 | Permalink
Chris Hajer
Key Master

OK, thank you for the update.

Posted 12 years ago on Monday September 24, 2012 | Permalink

This topic has been resolved and has been closed to new replies.