Securing Flex App on Shared Hosting

Question

I'm not an expert and don't want to make a mistake, so please forgive me if the answer is obvious (better safe than sorry).

I finished a Flex app using FB4.5 and uploaded and tested it fine to a shared host. I'm now in the process of securing the app using https, but have landed in a quagmire.

First: I forced the load of all pages to https with .htaccess so that the Flex app loads with SSL. Problem is that I get a connection failed ('BadVersion') when the app makes a data service call using the gateway.php file because of the .htaccess force (it is looking for http rather than https). I believe I can hardcode the https path in the Flash Builder class file, but I don't want prevent the app from working on my dev machine either. Any thoughts here?

Also, even if the gateway.php file is called using SSL, will the following calls to the PHP files containing the actual SQL queries fail because of the forced SSL by the .htaccess directives.

Second: Instead of using .htaccess, I have also successfully used PHP to secure the initial launch of the app with a https redirect statement in the beginning. This allows the app to work, calling the gateway.php file fine because it isn't forcing https on everything. BUT, this defeats the purpose of trying to get everything to be encrypted.

Third: Is is it necessary to have the gateway.php file launched on SSL because of transmitting in binary AMF?

Thoughts? Explanations? Things I'm missing. Suggestions?

Thanks in advance.

Answer 1

If your AMF calls are going over HTTPS, then you need to use a SecureAMFChannel rather than a vanilla AMFChannel.

Typcially this is configured either in the client, where you have declared your RemoteObject or ChannelSet, or in the services-config.xml file.

Most likely, this mismatch is what's causing the BadVersion error you're getting.