
Archived

This topic is now archived and is closed to further replies.

alexpacteau

SSL Messed Up Site


Hi there, I am almost finished setting up my site to go live, www.theonlinefurniturestore.org.uk, but I just put in a forced redirect to https in the htaccess file so that the site is secure by SSL. However, now in Google Chrome it is saying there are parts that are unsecure, and I know that the SSL is installed correctly as I have spoken to my host. However, I don't know how to fix this error.

 

 

 

2
[blocked] The page at
ran insecure content from
.

 

 

How would I fix this?

 

Thanks in advance for any help.


@@alexpacteau

 

Not all pages in osCommerce are SSL enabled. You can't just force your site into HTTPS. You would also have to change every page to use the SSL.

 

 

 

 

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)



The error occurs because there is some link to a different site that is not secure, FB or Twitter, for example. You can fix the code to work with those pages but there isn't any reason to do so. An SSL certificate doesn't provide any security for the site. It just encrypts your customers' data so that it cannot be stolen. So having SSL enabled for a page where customer data is not entered, like the home page, is wasted effort. You should just enable the cert option in the configure files and let the shop handle the switching.


Take the "force HTTPS" out of the .htaccess - that's just plain ridiculous.

 

The site is supposed to switch to HTTPS when necessary. If it won't, click the "SSL Implementation Help" link in my signature. Post there if you have problems and we'll figure something out.

 

Your problem is you can't load content (scripts, images, css, iframes, fonts, etc.) from HTTP sources on HTTPS pages.

 

In your /includes/template_top.php find this code:

 

<link href='http://fonts.googleapis.com/css?family=Quattrocento+Sans' rel='stylesheet' type='text/css'>

 

Change it to this:

 

<?php
if ( $request_type == 'NONSSL' ) {
?>
<link href='http://fonts.googleapis.com/css?family=Quattrocento+Sans' rel='stylesheet' type='text/css'>
<?php
}
else {
?>
<link href='https://fonts.googleapis.com/css?family=Quattrocento+Sans' rel='stylesheet' type='text/css'>
<?php
}
?>


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >
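
The point made in the post above (content loaded from HTTP sources on an HTTPS page, as opposed to ordinary links to other sites) can be checked mechanically. The following is an added example, not code from the thread or from osCommerce: a small scanner that lists `http://` subresources in a page and keeps plain `<a href>` links in a separate list. The `.example` hosts and the sample page are constructed; only the Google Fonts URL is the one quoted in the thread.

```python
"""Find mixed content: http:// subresources a page served over HTTPS would load."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute is fetched while the page renders.
# "active" content can change the page and is what browsers typically block;
# "passive" content is typically shown but costs the page its secure indicator.
SUBRESOURCES = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "embed": ("src", "active"),
    "object": ("data", "active"),
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
}


def is_plain_http(url):
    """True only for absolute http:// URLs; relative and //host URLs inherit the page scheme."""
    return urlparse(url.strip()).scheme.lower() == "http"


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []     # (line, tag, kind, url) for http:// subresources
        self.plain_links = []  # (line, url) for <a href="http://...">, navigation only

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        line = self.getpos()[0]
        if tag == "a":
            # A hyperlink is not loaded into the page, so it is not mixed content.
            if is_plain_http(attr.get("href", "")):
                self.plain_links.append((line, attr["href"]))
            return
        if tag == "link":
            # Only some <link> relations are fetched; rel="canonical" is not.
            rel = attr.get("rel", "").lower().split()
            if "stylesheet" in rel:
                url, kind = attr.get("href", ""), "active"
            elif "icon" in rel:
                url, kind = attr.get("href", ""), "passive"
            else:
                return
        elif tag in SUBRESOURCES:
            name, kind = SUBRESOURCES[tag]
            url = attr.get(name, "")
        else:
            return
        if is_plain_http(url):
            self.findings.append((line, tag, kind, url))


def scan(html):
    """Return (mixed-content findings, plain http hyperlinks) for one HTML document."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings, finder.plain_links


# Constructed sample page; line 2 is the stylesheet link quoted in the thread.
SAMPLE_PAGE = """<html><head>
<link href='http://fonts.googleapis.com/css?family=Quattrocento+Sans' rel='stylesheet' type='text/css'>
<link rel="canonical" href="http://shop.example/index.php">
<script src="https://cdn.example/jquery.js"></script>
<script src="//cdn.example/ui.js"></script>
</head><body>
<img src="http://images.example/banner.png" alt="">
<img src="images/logo.png" alt="">
<a href="http://social.example/ourshop">Follow us</a>
<iframe src="http://widgets.example/like.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    findings, links = scan(SAMPLE_PAGE)
    for line, tag, kind, url in findings:
        print(f"line {line}: <{tag}> loads {kind} mixed content from {url}")
    for line, url in links:
        print(f"line {line}: plain link to {url} (not mixed content)")
```
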


I don't get why people are all grouchy about forcing SSL. It's just sooooo much extra load on CPUs and the network... like really??? I upgraded my 8086 and my shiny new computer can actually manage SSL very nicely (rolls eyes). It's all fine and dandy for people to be on their high horses saying that nobody needs SSL on pages unless customer data is being transferred. That's not the case for the project I'm working on where my client requires that customer catalog browsing is PRIVATE-- not only customer personal information. And what's so horribly wrong with my client asking for that? CPUs will be running so dangerously hotter at 0.0000015 kelvin higher than they would if they didn't have to do the extra math? Gimme a break!

 

Chris said "Not all pages in osCommerce are SSL enabled. You can't just force your site into HTTPS."

 

Huh??? I did. I didn't have to go through the site changing every file either. I just switched it on in configure.php and used htaccess to rewrite http to https. Presto, the site is all secure and I have absolutely zero problems with any pages. If you have external links just change them to https if the external sites support that and you won't have the problem with pages only being partially secure. If external sites don't support https then there's not much you can do about that. I just pushed those ones onto other pages on the website so that customers won't be confused about the security when they're looking at the osCommerce pages.

 

Also, htaccess is the right mechanism, imo, for doing the force-ssl rewrite. Why not use htaccess? People talk about it as if it's some kind of gnarly hack. It's not. It provides a separation of concerns and in the project I'm working on, the only administrative control I have for the server config is via htaccess. It's right, it's good, it makes perfect sense to me. Definitely NOT "ridiculous"!

 

The only problem I'm experiencing now is that I can no longer log into the admin interface. I doubt anybody here will want to help me figure out how to fix that since there's so much negativity here about forcing ssl.

Posted · Hidden by Jan Zonjee, December 31, 2012 - not appropriate

More "ridiculousness"...



Why??? Instead of being rude, why not just explain what's so wrong with this approach? It works great. The only snag I have is with my admin. If I push my .htaccess aside then I can log into admin. I can even be in the admin and pop the .htaccess back in place and still work in the admin interface with no problem. It's just the logging in that's a problem (login incorrect) when I have my .htaccess with the rewrite rule in it. As for everything else, it works 100% perfectly. I thought maybe it might be a bit sluggish with the SSL on for everything but it's not (which, I would say, speaks highly of osCommerce's performance). Why are you so rude and arrogant to people for forcing SSL? I don't get why you hate that so much.


You know, everywhere I turn these days people are just mean and rude. Set up something that works great and somebody will call it "ridiculous". Why I wonder? Does it help you feel better about yourself to be mean and rude to people? If the cost of sharing opinions, ideas and asking questions is to get a puke spray of rudeness, I'm not going to buy into it.



 

I don't think everyone is so upset about it. It is just frustrating to see something that is not being done as it should be. When you have ssl enabled for all pages, there is an extra load on the server. Your computer may be able to handle one visitor with ssl enabled but what if there are thousands of hits every hour, which is quite common? Do the pages all get delivered as quickly as if ssl was not enabled? No, they can't because they all have to be encrypted. Is it enough to cause one not to use it? Only you can decide that. And when you say that customer browsing is private, that has nothing to do with an ssl. There's nothing to encrypt on a regular page so there isn't anything to protect. A second problem with all ssl is that more bandwidth is used because everything is encrypted. If the site has a lot of bandwidth, then perhaps this is a non-issue for you, but it is one to consider for many shops. A third problem is that any non-secure link will cause a non-secure dialog to appear. Not all external sites have secure links so you would need to add code to disable those links when used. That is just extra, unnecessary, work. And a fourth problem is that the non-ssl pages will still be active and search engines start searching a site with non-ssl links. That means you have two identical pages (ssl and non-ssl). You did say you added rewrite code to force the redirect so as long as those are 301s it is probably OK. I only mention this in case others see your post and don't realize the pitfalls.

 

You seem to be basing this on the idea that an ssl certificate offers some kind of security. It doesn't. It encrypts the data that is sent so I suppose you could call that security. But security, at least to me, refers to preventing a hacker from getting something from the site and an ssl certificate won't do that. It only protects data after it leaves the site, not while on it.

 

 

You just need to enable the ssl in the admins configure file and set the three urls in it to https. You should also force ssl for the admin via the .htaccess file but that is not required to get it to work. It is just more secure.

Posted · Hidden by Jan Zonjee, December 30, 2012 - offensive

Well I came back to see if there's a way to block another member (couldn't find such a feature). I'm not interested in being insulted, especially by a guy who lives by the egotistical motto: "Never back down, never give in." Too bad a person can't come here and be treated nicely. I made my comments light-heartedly and jokingly and I got rudeness in return. Not even helpful rudeness.

 

Anyway, thanks Jack. You were right on the money. I forgot to modify the configure.php in admin/includes. That worked like a charm.

 

The idea that SSL is performance heavy is a misconception btw. It's the handshaking that increases the network load and that's where I thought I would see an impact in the stress testing but the results were insignificant. The handshaking isn't Earthshaking. If anybody is having performance problems with SSL then it's more likely that the O/S isn't tuned properly or the web server isn't correctly configured. If SSL is the straw that's going to break your camel's back then you're already in a precarious situation. For the project I'm working on, the web server isn't my concern. The people responsible for that will no doubt use load balancing if they're running too close to the high water mark. In any case, it's not my problem (this time).

 

As for the arguments that not everything is encrypted, sure, the URI is exposed. So what? The assumption may be that if an eavesdropper can see the URI they can simply go to the page and look at the content. That's how it works out-of-the-box but it doesn't *have* to work that way. That's not the way it works in my current project. If you are unable to access the URI and the payload is encrypted then you're an eavesdropper out of luck.

 

Of course, if you don't need SSL for everything then use it only for pages requiring customer personal information. If the catalog is open to anybody and everybody then there's no point in encrypting the pages. However, if you do need this level of privacy, there are no "pitfalls". I would encourage people to consider their requirements carefully and make the right choice, but don't be scared away from SSL by statements that simply are not true. It's not the Goliath performance hog that people are making it out to be.

 

Scum.. or germ rather.. I'm not interested in your ridiculous retorts. Kindly keep your insults to yourself (you deserve them).


HA! You deleted my comment I see. You may as well do me a favour and delete my account since you don't provide a way for *me* to do that.

 

So folks, here's what they apparently don't want you to know... SSL is not a performance hog. If you require private browsing then there is no reason not to implement it. You need to change "http" to "https" in configure.php in both catalog/includes and admin/includes. You can use htaccess to force SSL, just add these lines:

 

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

 

Even with SSL "on", the URI is still exposed to anybody eavesdropping the connection so you need to implement some mechanism to restrict access to whatever you want to keep private. If anybody can just copy/paste the URI and see the page then there's no point in encrypting the page in the first place. There are many different ways you can restrict access in order to work around that problem, use your imagination.

 

You need to change all external links from "http" to "https" or your pages will be only partially secure. If the external sites don't support https then consider moving them to another page on your site. That page will be only partially secure but the critical pages will be totally secure. Even if your pages are only partially secure, using the approach I described above will still keep the catalog browsing private but the page won't be indicated by the browser as secure.

 

If you don't need to provide private catalog browsing then there's no point in forcing SSL on everything. People commenting on this thread seem to be insisting that there is never any reason anybody would need to provide private browsing and the "cost" (in overhead, performance, etc) of using SSL on everything is too high. It is obvious that *most* sites don't need to provide private browsing but are we to turn down projects where the spec calls for private browsing? Or must we use another shopping cart solution because meeting this requirement would require an improper implementation of osC? Also, if the additional loading that SSL will place on the network and on the web server is going to be a problem then you already have a problem before you switch "on" SSL. The handshaking to set up the SSL connection, in all likelihood, amounts to less data than one single product image in your catalog. There are well-established, inexpensive, tried and proven techniques for dealing with load balancing. Increasing website performance is cheap!

 

So, moderator, go ahead and delete this if you want and I will repost it again. We can just keep going around in circles or you can delete my account (which is what I would prefer).


Ah, the power!!!

 

:-)


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.


@@Jan Zonjee Can I ask why it was deleted? As far as I can remember it was in no way offensive, or anything else.


REMEMBER BACKUP, BACKUP AND BACKUP

Before installing the official version of oscommerce first look at a responsive version here

It's very easy to over complicate what are simple things in life


@@14steve14

 

I guess you must have missed the "scum", "prick" and other colourful adjectives used by the poster and directed at another poster, both in this thread and in her profile.


~ Don't mistake my kindness for weakness ~


If that was the reason, I didn't see it, but saying that, I never read people's profiles anyway; most of them are so full of rubbish they mean nothing anyway. If that was posted within the forum, then it was right to remove it.



How could you doubt Jan?

 

:-)

 

He is my candidate for Member of the Year!!!!

 

Cheers

 

G




Thanks everybody for the votes of confidence. I'm flattered :blush:

 

Regarding the post and profile. Yes, what was removed was offensive (two posts actually) but in the end Sarah (responsible for one of the posts) and I agreed on certain things and there were no hard feelings.


To set the record straight...

 

It was never my intent to belittle someone's ideas, or attack them personally.

 

All I ever meant to imply as being "ridiculous" was running your store in SSL all the time. I suppose there are situations where this is desirable, but by and large the vast majority of osC installs shouldn't be run in this manner. IMHO.

 

It is unfortunate that what was posted was construed in any other fashion.



Hey I am having a similar problem with my site after adding a SSL Certificate. It displays fine using Safari and Firefox but when I try and open it up in IE or Chrome it displays completely screwed up. All data on the site displays all over the place.

 

The url for my site is https://www.fantasy-art-trading.com/store. You can also access the store through https://www.fantasy-art-trading.com and clicking the STORE button on the left panel.

 

Would love some help on this matter as my ISP Host setup the SSL Certificate for me as I don't know enough PHP to do it myself.

 

In saying that I know the basics, just not confident enough to do this kind of thing myself.

 

Would appreciate all the help anyone can give me on this as I would like to get it solved asap so that people accessing the site using either Chrome or IE get the same results as Safari and Firefox.

 

Thanks in advance and hope someone can point me in the right direction or help solve this for me.

 

It also stops me from logging in to my dummy account and adding things to the shopping cart, this is happening in Safari.


Never mind with this post, have decided to remove the SSL Certificate as we didn't really benefit from using it on our site. Don't want to waste your time so please delete this post and the one before so no one puts the time into solving it. Have no idea how to delete it myself so an admin could please delete them.


I noticed some years ago that Sites run only in SSL also have no "page rank" in Google.

 

This could be a concern assuming that the site owner is bothered about "page rank".


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest current code (community-supported responsive 2.3.4.1BS Edge) here

 


One person I helped with SSL a few years ago had been running the site SSL all the time since its inception.

 

It had been online for over a year and g00gle hadn't indexed a single page (because of the SSL all the time I can only surmise). There were many links pointing to the site in g00gle, but none from the site itself.

 

Since then the almighty g00gle has revised its policy and does index SSL pages.

 

But that policy could be changed at any time, and without notice.

 

In my mind, that's another reason to keep it "SSL only when necessary".



It's a mistake to remove the ssl. It is used on the site, if nowhere else than the create account page. Many people won't use a site that doesn't have ssl so you should enable it. You shouldn't use ssl on all pages (see my previous post for the reasons). All you need to do is make a few changes to the configure files. This thread explains that in more detail.


At this stage I have gotten our hosts to remove the SSL Certificates from our site, everything worked fine for customers to login and buy from our site now.

 

My problem that persists is that I can't log into the administrators side of *** - error comes up in a pink/red line up the top stating ERR0R_INVALID_ADMINISTRATOR

 

Could someone please help me with this error, I have changed the username and password in the Password Protect Directories and using that information for the login to admin page but still not working properly. When I try and enter the Username and Password it just refreshes the page instead of logging into the admin page.

 

I will try and get the SSL Certificate back on at a later date and possibly see if someone could do it for me as I don't want to go through the hassles of it not working again.
