Time to get secure (if you haven't already)


frankl


The first rewrite should force HTTPS if it was an HTTP request. Note that I usually see !on rather than off -- try that if yours doesn't work. In the second rewrite, the check for HTTPS on is probably redundant, as you've already forced HTTPS. You might be able to remove that line. For clarity, if nothing else, put a space between $1 and the [R=.


@@grandpaj

Just to follow up.  You do know you have to make changes in config also to go full SSL, correct?  Also, do a lot of testing to make sure you don't have any issues.  For me, Thanksgiving is a good day to do stuff because no one is on my site.  Probably not as much a factor in NZ though :)

I'm not really a dog.


@@John W

 

Hi John

 

I have the following in my config file (shop)

 

define('HTTP_SERVER', 'https://www.grunas.co.nz');    (URL changed for forum only)
  define('HTTPS_SERVER', 'https://www.grunas.co.nz');
  define('ENABLE_SSL', true);

 

As far as testing, I've clicked around logging in, shopping cart etc

Seems to work OK.

 

Look forward to your comments

 

and .htaccess

 

RewriteCond %{HTTPS} on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1[R=301,L]


If you have a sitemap, check that and make sure it's creating https.  I have one that runs daily and I had to run it to check.  Also, make sure your Adwords and anything like that you have is pointing to https pages now also.

I'm not really a dog.


@@John W

 

Hi John

 

Sitemap shows URL as https, at the moment I don't have any Adwords maybe I should search info about these and "get some".

 

Another good earthquake here in NZ a few hours ago, all good where we live, at the moment.

 

Cheers

 

John


Hey @@grandpaj,

 

I just clicked the URL in your member screen and it did not redirect me to https.  Do you have your .htaccess redirects active now, or just testing?  When I click on your home on your page it does go SSL.

 

If you haven't done Adwords, then I can talk to my rep about getting you a promo with some free ads.  I don't know if they still do it but it's happened before.  I've used it since 2003.  We can talk more on a dedicated thread, but Adwords pays off.

I'm not really a dog.


 

RewriteCond %{HTTPS} on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1[R=301,L]

 

Um, why the check for on in the first line? You would want !on or off there. Otherwise it won't change HTTP to HTTPS.


@@MrPhil

 

Hi Phil

 

This is what I have

 

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1[R=301,L]

 

If I change line 1 to "on" and delete line 3. Site disappears

 

If I just use

RewriteCond %{HTTPS} !on
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Site is all good

 

So now I'm completely confused.

 

@@John W

Hi John

 

Somehow I had deactivated the redirect now hopefully should all work. Here's hoping. Should I pm you re adwords.

 

Cheers

Grandpa


Should I pm you re adwords.

 

How about a thread on it...I would love to know how to make Adwords work....I've tried it several times and the only one making money from my efforts was Google.

 

Dan


 

How about a thread on it...I would love to know how to make Adwords work....I've tried it several times and the only one making money from my efforts was Google.

 

Dan

 

Agreed, will wait for JohnW's reply.

 

Cheers

Grandpa


@@Dan Cole @@grandpaj

 

I'm no expert on Adwords but in recent months I've got it running better.  We can start a thread on it, but I'm not the best at long detailed explanations and I'm still tweaking.  Adwords seems to continuously grow in complexity and capabilities.  I'll try to gather some thoughts and start a thread, but if one of you wants to get it going first I'm sure as a group we can help each other.

I'm not really a dog.


RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1[R=301,L]

OK, that looks good, although the line 3 is redundant (it should always be HTTPS after lines 1 and 2).

 

If I change line 1 to "on" and delete line 3. Site disappears

Why in the world did you do that? That would only rewrite the URL (line 2, to change http to https) if the protocol was already HTTPS! In other words it would loop indefinitely (and the site would disappear -- probably a 500 error). Line 1 could be changed to !on (notice the bang), or possibly !^on.

 

If I just use

RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

I assume you're just talking about the first two lines, and not removing the www add. As discussed above, !on should be correct. You want to redirect the request to HTTPS only if it's currently HTTP (not 'on').


On my site, I'm using this ...

RewriteEngine on

#First rewrite any request to the wrong domain to use the correct one (here www.)
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

#Then, rewrite to /catalog
RewriteCond %{REQUEST_URI} !^/catalog [NC]
RewriteRule ^(.*)$ /catalog/$1 [L]

#Now, rewrite to HTTPS:
#RewriteCond %{HTTPS} off
#RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

(no, I'm not running the whole site under the SSL yet, so there are only two redirects ... one to add the www. , the other to redirect to the /catalog directory)

 

However, GTMETRIX is giving me an F grade for Avoid landing page redirects

 

 

And, I am afraid that adding the additional redirect to the HTTPS will make things worse.

 

Can someone write a way to combine:

1) add WWW.

2) add HTTPS

3) redirect to /catalog

 

all in one redirect?

 

TIA !

 

Malcolm


Try to avoid moving your store to the root. It's better under /catalog or /store, as 1) you don't clutter up your site root files with store stuff, 2) you won't interfere with any other applications you want to install (having to go through osC's .htaccess, for example), 3) your store is neatly partitioned away from everything else and can be removed, changed, or upgraded without fear of breaking something else on your site, and 4) all those SE indexes and user bookmarks to /catalog won't break.

 

It's certainly possible to set up your rewrite rules with extra conditions (multiple RewriteConds) so that you don't have more than one redirect. It's not ideal to have multiple 301 redirects for a given query.

if HTTPS and is www and is /catalog (three RewriteConds)  [do nothing]
if HTTP and is www and is /catalog
  redirect to https:// 301
if HTTPS and non-www and is /catalog
  redirect to www  301
if HTTPS and www and is non /catalog
  redirect to /catalog  200
...etc...
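
The suggestion in the post above, written out as an added example (not code from any poster in this thread): one external 301 fixes both the scheme and the www. prefix, and the move to /catalog stays an internal rewrite. Assumptions: www.example.com is a placeholder for the store's real host name, the file is the .htaccess in the document root, and Apache terminates TLS itself so %{HTTPS} is reliable. The host is hard-coded rather than taken from %{HTTP_HOST} so the redirect target never depends on a client-supplied Host header.

```apache
RewriteEngine On

# --- Step 1: a single external redirect -----------------------------------
# Must come before any other [L] rules in this file.
# Fires when the request is plain HTTP OR the host is anything other than
# the canonical name. [OR] joins the two conditions; without it they would
# be ANDed and an http://www. request would slip through unredirected.
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
# The target is already https + www, so the follow-up request fails both
# conditions above and cannot loop. Note the space before the flags.
# The original query string is carried over automatically.
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]

# --- Step 2: internal rewrite into the store directory --------------------
# No R flag: the browser never sees this, so it adds no redirect hop.
# /catalog is the store path used in the post above.
RewriteCond %{REQUEST_URI} !^/catalog [NC]
RewriteRule ^(.*)$ /catalog/$1 [L]
```

If /catalog has its own .htaccess with RewriteEngine On, requests addressed directly to /catalog/... are processed by that file's rules instead of these, because mod_rewrite does not inherit a parent directory's rules unless RewriteOptions Inherit is set. In that case step 1 has to be repeated at the top of the store's .htaccess.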

Hello,

 

I have paid SSL and I changed the configure.php files and .htaccess

 

here is the catalog configure.php

  define('HTTP_SERVER', 'http://www.mysite.com');
  define('HTTPS_SERVER', 'https://www.mysite.com');
  define('ENABLE_SSL', 'true');
  define('HTTP_COOKIE_DOMAIN', '.www.mysite.com');
  define('HTTPS_COOKIE_DOMAIN', '.www.mysite.com');

and here admin configure.php

  define('HTTP_SERVER', 'https://www.mysite.com');
  define('HTTP_CATALOG_SERVER', 'https://www.mysite.com');
  define('HTTPS_CATALOG_SERVER', 'https://www.mysite.com');
  define('ENABLE_SSL_CATALOG', 'true');

and here is .htaccess

# If you are getting errors you may need to comment this out like ..
# Options +FollowSymLinks
#Options +SymLinksIfOwnerMatch
<IfModule mod_rewrite.c>
  RewriteEngine On

  # RewriteBase instructions
  # Change RewriteBase dependent on how your shop is accessed as below.
  # http://www.mysite.com = RewriteBase /
  # http://www.mysite.com/catalog/ = RewriteBase /catalog/ 
  # http://www.mysite.com/catalog/shop/ = RewriteBase /catalog/shop/

  # Change RewriteBase using the instructions above  
  RewriteBase / 
  RewriteRule ^([a-z0-9-/]+)-p-([0-9]+).html$ product_info.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-c-([0-9_]+).html$ index.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-m-([0-9]+).html$ index.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-pi-([0-9]+).html$ popup_image.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-pr-([0-9]+).html$ product_reviews.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-pri-([0-9]+).html$ product_reviews_info.php [NC,L,QSA]
  # Articles contribution
  RewriteRule ^([a-z0-9-/]+)-t-([0-9_]+).html$ articles.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-au-([0-9]+).html$ articles.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-a-([0-9]+).html$ article_info.php [NC,L,QSA]
  # Information pages
  RewriteRule ^([a-z0-9-/]+)-i-([0-9]+).html$ information.php [NC,L,QSA]
  # Links contribution
  RewriteRule ^([a-z0-9-/]+)-links-([0-9_]+).html$ links.php [NC,L,QSA]
  # Newsdesk contribution
  RewriteRule ^([a-z0-9-/]+)-n-([0-9]+).html$ newsdesk_info.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-nc-([0-9]+).html$ newsdesk_index.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-nri-([0-9]+).html$ newsdesk_reviews_info.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-nra-([0-9]+).html$ newsdesk_reviews_article.php [NC,L,QSA]
</IfModule>
  

  RewriteCond %{HTTPS} !on
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

and when I open my site it shows that

 

 

Get the latest Responsive osCommerce CE (community edition) here .


@@Omar_one  Sounds like you have an image call or something on the page that isn't secure....try posting your url here...

 

https://www.whynopadlock.com/

 

Dan


Thank you @@Dan Cole

here is what I got :

1. Server supports SSLv3, may be vulnerable to POODLE attack. It is suggested to disable the SSLv3 protocol.
Server certificate.

2.Insecure URL: http://www.mysite.com/favicon.ico
Found ...... I can't find it there.

3. Insecure URL: http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js
Found

Get the latest Responsive osCommerce CE (community edition) here .


I fixed  (force Script over SSL)

3. Insecure URL: http://ajax.googleap...2/jquery.min.js
Found

by replacing

 <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>

with this

<cfoutput>
            <script src="http#( ( cgi.https IS 'on' ) ? 's' : '' )#://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
   
</cfoutput>

Or you can simply drop the protocol, i.e. "http", from the URL and the browser will use whatever the current request happens to be using:

  <script src="//ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>

Get the latest Responsive osCommerce CE (community edition) here .


Archived

This topic is now archived and is closed to further replies.
