
Time to get secure (if you haven't already)


frankl


@@sakkiotto, your redirects to add www. and change http to https could be done more efficiently:

RewriteCond  %{HTTPS} off
RewriteRule  ^(.*)$  https://www.mysite.it/$1  [R=301,L]
RewriteCond  %{HTTP_HOST}  !^www\.  [NC]
RewriteRule  ^(.*)$  https://www.mysite.it/$1  [R=301,L]
That way, if someone comes in with http://mysite.it, you'll only use one 301 redirect round trip instead of two, speeding things up and making search engines a bit happier. You could further combine them:

RewriteCond  %{HTTPS} off   [OR]
RewriteCond  %{HTTP_HOST}  !^www\.  [NC]
RewriteRule  ^(.*)$  https://www.mysite.it/$1  [R=301,L]

 

As for why it's adding the products_id Query String, I suspect that you have your https and www redirects after the SEO rewrites. They would pick up any modifications that the SEO code has already made to the URL and Query String. Make sure they are before the SEO. As a rule of thumb, 301 redirects that you want the visitor or search engine to see should come first, and internal rewrites for SEO and other things that you don't really want the visitor to see should come last.


@@MrPhil

I like the way you combined and simplified this. Seems so logical really. A few months ago I added the line below, and now if I try to access my site without https I don't get any 301 redirects as long as I have www. in the request. I just noticed that recently while doing some tests.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

I'm not really a dog.


@@MrPhil with

RewriteCond  %{HTTPS} off   [OR]
RewriteCond  %{HTTP_HOST}  !^www\.  [NC]
RewriteRule  ^(.*)$  https://www.mysite.it/$1  [R=301,L]

Google sees https://www.mysite.it/product_info.php?products_id=65122

with

RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Google sees https://www.mysiste.it/vtac-vt1853-lampadina-led-e27-10w-2700k-bianco-caldo-sku-4209-p-65122.html?products_id=65122

What's wrong with ?products_id=65122 ?

I don't think it is SEO; it works fine on the site. Only with the redirect in htaccess do I have this problem.


OK, just solved. For anyone who has the same problem, my mistake was to put the rule before SEO URL like this:


RewriteRule ^(.*)-p-(.*).html$ product_info.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-c-(.*).html$ index.php?cPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-m-([0-9]+).html$ index.php?manufacturers_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pi-([0-9]+).html$ popup_image.php?pID=$2&%{QUERY_STRING}
RewriteRule ^(.*)-t-([0-9]+).html$ articles.php?tPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-a-([0-9]+).html$ article_info.php?articles_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pr-([0-9]+).html$ product_reviews.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pri-([0-9]+).html$ product_reviews_info.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-i-([0-9]+).html$ information_pages.php?info_id=$2&%{QUERY_STRING}


RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]


RewriteCond %{HTTPS} off 
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

instead of this way:


RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]


RewriteCond %{HTTPS} off 
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]


RewriteRule ^(.*)-p-(.*).html$ product_info.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-c-(.*).html$ index.php?cPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-m-([0-9]+).html$ index.php?manufacturers_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pi-([0-9]+).html$ popup_image.php?pID=$2&%{QUERY_STRING}
RewriteRule ^(.*)-t-([0-9]+).html$ articles.php?tPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-a-([0-9]+).html$ article_info.php?articles_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pr-([0-9]+).html$ product_reviews.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pri-([0-9]+).html$ product_reviews_info.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-i-([0-9]+).html$ information_pages.php?info_id=$2&%{QUERY_STRING}

Yep. As I said...

 

 

As for why it's adding the products_id Query String, I suspect that you have your https and www redirects after the SEO rewrites. They would pick up any modifications that the SEO code has already made to the URL and Query String.
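
The ordering problem diagnosed above can be reproduced with a small model. This is an added example, not code from the thread or from osCommerce: a simplified Python model of one pass over an .htaccess rule list, which yields the two URL shapes reported earlier in the thread. `run_rules`, `compare_orders` and the short product URL are illustrative assumptions.

```python
import re

# Simplified model of one pass over a per-directory (.htaccess) rule list.
# It tracks only what the thread is about: the path the next RewriteRule
# sees, the query string, and the URL sent back by an R=301 rule.
# SEO is the "-p-" rule quoted in the thread; sample values are constructed.
SEO = {"pattern": r"^(.*)-p-(.*).html$", "target": "product_info.php",
       "query": r"products_id=\2", "redirect": False}
# RewriteRule ^(.*)$ https://www.mysite.it/$1 [R=301,L]
REDIRECT_FIXED = {"pattern": r"^(.*)$", "redirect": True,
                  "target": r"https://www.mysite.it/\1"}
# RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
REDIRECT_VARS = {"pattern": r"(.*)", "redirect": True,
                 "target": "https://www.%{HTTP_HOST}%{REQUEST_URI}"}


def run_rules(rules, path, query="", https=False, host="mysite.it"):
    """Return ("301", url) or ("internal", path?query) for one request."""
    request_uri = "/" + path  # as the client sent it; the model never rewrites it
    for rule in rules:
        m = re.match(rule["pattern"], path)
        if not m:
            continue
        if rule["redirect"]:
            # RewriteCond %{HTTPS} off [OR] / RewriteCond %{HTTP_HOST} !^www\.
            if https and host.lower().startswith("www."):
                continue
            url = (m.expand(rule["target"])
                   .replace("%{HTTP_HOST}", host)
                   .replace("%{REQUEST_URI}", request_uri))
            # No "?" in the target, so the current query string is kept.
            return "301", url + ("?" + query if query else "")
        # Internal rewrite: later rules see the new path and query string.
        path = m.expand(rule["target"])
        query = "&".join(p for p in (m.expand(rule["query"]), query) if p)
    return "internal", path + ("?" + query if query else "")


PRODUCT = "lampadina-led-p-65122.html"  # constructed SEO-style URL


def compare_orders():
    """Run the same http://mysite.it request through each rule order."""
    return {
        "seo_first_fixed": run_rules([SEO, REDIRECT_FIXED], PRODUCT),
        "seo_first_vars": run_rules([SEO, REDIRECT_VARS], PRODUCT),
        "redirect_first": run_rules([REDIRECT_FIXED, SEO], PRODUCT),
        "after_redirect": run_rules([REDIRECT_FIXED, SEO], PRODUCT,
                                    https=True, host="www.mysite.it"),
    }


if __name__ == "__main__":
    for name, result in compare_orders().items():
        print(f"{name:16} {result}")
```

With the SEO rule first, the 301 carries either the internal script name or the added products_id query string; with the redirect first, the visitor sees only the clean URL and the rewrite stays internal.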

@@MrPhil

 

Hi there,

Thanks for this, it saves an extra hop.

RewriteCond  %{HTTPS} off
RewriteRule  ^(.*)$  https://www.mysite.com/$1  [R=301,L]
RewriteCond  %{HTTP_HOST}  !^www\.  [NC]
RewriteRule  ^(.*)$  https://www.mysite.com/$1  [R=301,L]

Just wondered if there is a reason or preference for

RewriteCond  %{HTTPS} off

or

RewriteCond  %{HTTPS} !on

No reason one way or the other, AFAIK. I think the response is supposed to be yes or no, in which case either way would work. You may also see =yes or =no, which are apparently equivalent to ^yes$ and ^no$.

 

I seem to recall hearing about a server (IIS?) that returned "1" instead of "yes". I don't know if that's still true.


Hi all, sorry I hope this is a living thread :)

I've just purchased an SSL certificate and have done the following:

admin\includes\configure.php  (edited to add https )

includes\configure.php (edited to add https)

.htaccess (added the redirect rule, I think, from this thread).

It seems to be working well. My website, techworld.co.nz, redirects to https://techworld.co.nz and Chrome says all is good. The certificate however says www.techworld.co.nz but it seems I have one that supports both www.techworld.co.nz and techworld.co.nz.

My problem however is on the actual product pages like this https://techworld.co.nz/xspc-raystorm-waterblock-intel-p-61084.html which, whilst https works, is not 'secure'. It basically seems to lose the certificate. Every other non-product page seems to work; it's just the product pages.

Any ideas why?


6 minutes ago, Scottyj said:

Oh.. I just saw some content was blocked and it looks like the twitter and FB and google links are being blocked and they are http... possibly doesn't like that?

Change http:// to // for all these links contained within script tags... It shall fix the issue :)

Warm Regds./

radhavallabh

 


29 minutes ago, radhavallabh said:

Change http:// to // for all these links contained within script tags... It shall fix the issue :)

Warm Regds./

radhavallabh

 

Thanks for the quick reply. It seems I have a few hard coded http links instead of using tep_href_link, especially in the menu. Looks like I have some coding to do!


On 4/4/2017 at 6:06 AM, jamiehennings said:

In Today's world it is necessary to prevent own website from threats and spam, so using SSL is a best way to prevent it.

You're giving out false information. SSL has nothing to do with protecting against threats and spam. The only thing it does is ensure privacy of your communications back and forth between the browser and the server, so no one can snoop on (or modify) them in-between.


Great thread for people that are late to the game with going all https.

I *think* I have fully migrated everything.  Everything gets a solid lock, all http in code has been changed to https, config files changed, etc.

I have a couple of questions to try and make sure I'm all set.

site: thebestcandles.com

htaccess code:

I have a lot of code in the htaccess.  What I added during the migration to going all https:
# Always use https for secure connections
# Replace 'www.example.com' with your domain name
# (as it appears on your SSL certificate)
 RewriteEngine On
 RewriteCond %{SERVER_PORT} 80
 RewriteRule ^(.*)$ https://www.thebestcandles.com/$1 [R=301,L]


I have additional "stuff" in there, that to be VERY honest... I have no idea what it does... this is the part that I am most interested in determining what it does, is it needed, is it good or bad, etc.:
 

# $Id: .htaccess,v 1.3 2003/06/12 10:53:20 hpdl Exp $

# Set some options
Options -Indexes
Options FollowSymLinks

RewriteEngine on
RewriteBase /
#
# Skip the next two rewriterules if NOT a spider
RewriteCond %{HTTP_USER_AGENT} !(msnbot|slurp|googlebot) [NC]
RewriteRule .* - [S=2]
#
# case: leading and trailing parameters
RewriteCond %{QUERY_STRING} ^(.+)&osCsid=[0-9a-z]+&(.+)$ [NC]
RewriteRule (.*) $1?%1&%2 [R=301,L]
#
# case: leading-only, trailing-only or no additional parameters
RewriteCond %{QUERY_STRING} ^(.+)&osCsid=[0-9a-z]+$|^osCsid=[0-9a-z]+&?(.*)$ [NC]
RewriteRule (.*) $1?%1 [R=301,L]
#
#Deals with the .index in the url
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.thebestcandles.com/ [R=301,L]
#
#Deals with the www or no www in the url

RewriteCond %{HTTP_HOST} ^thebestcandles.com [NC]
RewriteRule ^(.*)$ http://www.thebestcandles.com/$1 [L,R=301] 


#rewriteCond %{HTTP_HOST} .
# And if requested domain is NOT the canonical domain
#rewriteCond %{HTTP_HOST} !^www\.thebestcandles\.com
# Redirect to requested page in canonical domain
#rewriteRule (.*) http://www.thebestcandles.com/$1 [R=301,L]
# If non-canonical domain requested (case-insensitive compare)
#rewriteCond %{HTTP_HOST} ^thebestcandles\.com [NC]
# Redirect to requested page in canonical domain
# rewriteRule (.*) http://www.thebestcandles.com/$1 [R=301,L]
 

And a "small" second part of my question:

In the Google Search Console... I now have two listings, one is http and one is https.  They both have "activity" -- but the newer, https has much more.
Do you leave them both?  How do you handle the old one?


Yes, Google requires both, but if your shop is set up completely for https, the http one will be mostly empty. The same is true for www and non-www. This assumes you have the proper redirection code added to your shop's .htaccess file to redirect all http URLs to https. The preferred URL should be the one that you use on the shop.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons


Yes, still here. :)  There are a few mistakes in the file. I assume you have the first code you posted somewhere after the other tests since the redirects are happening as they should. But you shouldn't reference http anywhere in your site and you have that twice in that file. You are telling it to redirect to http and then redirect again to https. And I suggest you remove the following block of comments. The .htaccess file gets loaded on every page refresh so keeping its size down is helpful.

#rewriteCond %{HTTP_HOST} .
 # And if requested domain is NOT the canonical domain
 #rewriteCond %{HTTP_HOST} !^www\.thebestcandles\.com
 # Redirect to requested page in canonical domain
 #rewriteRule (.*) http://www.thebestcandles.com/$1 [R=301,L]
 # If non-canonical domain requested (case-insensitive compare)
 #rewriteCond %{HTTP_HOST} ^thebestcandles\.com [NC]
 # Redirect to requested page in canonical domain
 # rewriteRule (.*) http://www.thebestcandles.com/$1 [R=301,L]

 


Ah!  Ok!  I'll remove that #'d code...

And... to make sure I get it right, you're saying that the "http:" here:

 

#Deals with the .index in the url
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.thebestcandles.com/ [R=301,L]
#
#Deals with the www or no www in the url

RewriteCond %{HTTP_HOST} ^thebestcandles.com [NC]
RewriteRule ^(.*)$ http://www.thebestcandles.com/$1 [L,R=301] 

 

should be "https"

 

ergo:

 

#Deals with the .index in the url
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ https://www.thebestcandles.com/ [R=301,L]
#
#Deals with the www or no www in the url

RewriteCond %{HTTP_HOST} ^thebestcandles.com [NC]
RewriteRule ^(.*)$ https://www.thebestcandles.com/$1 [L,R=301] 

 

Do I have that right? :)


The idea is to end up with a site which is 100% SSL (https) usage, with no non-SSL (http) left. In a nutshell:

  1. Get an SSL certificate for your domain, and have it installed. Many hosts now offer free private SSL certs. Note exactly what domain names it covers.
  2. Update your configure.php files to use https:// everywhere, with no http:// left anywhere. Watch out that you have the correct domain name format.
  3. Check for (and fix) any hard-coded http:// in your code and database, including banner ads and such. They will upset browsers.
  4. Put a statement in your .htaccess to redirect incoming http:// to https:// and if necessary non-www to www (or vice-versa).

Note that being under SSL protects your site and user data from snooping by hackers while in transit between the server and browser, and back. It otherwise does nothing to prevent someone from breaking into and modifying your site. It won't help you if someone installed a keystroke logger on your PC, or has your database ID and password. Major search engines (especially Google) also prefer SSL sites over non-SSL sites.


I am trying to fix my new installation to use SSL everywhere.  I get mixed content warnings.  I get warnings about:

Quote

Mixed Content: The page at 'https://www.mysiteURL.com/admin/orders.php?page=1&oID=4735' was loaded over HTTPS, but requested an insecure stylesheet 'http://wwwmysiteURL.com/ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css'. This content should also be served over HTTPS.

I edited the site config file to be:

  define('HTTP_SERVER', 'http://www.mysiteURL.com');
  define('HTTPS_SERVER', 'https://www.mysiteURL.com');
  define('ENABLE_SSL', true);

I also edited the admin>includes config to have:

  define('HTTP_SERVER', 'http://www.mysiteURL.com');
  define('HTTPS_SERVER', 'https://www.mysiteURL.com');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', '');
  define('HTTPS_COOKIE_DOMAIN', '');
  define('HTTP_COOKIE_PATH', '/admin');
  define('HTTPS_COOKIE_PATH', '/admin');
  define('HTTP_CATALOG_SERVER', 'http://www.mysiteURL.com');
  define('HTTPS_CATALOG_SERVER', 'https://www.mysiteURL.com');
  define('ENABLE_SSL_CATALOG', 'false'); ### I tried true here as well

I edited the .htaccess file in the root folder with this at the top:

RewriteEngine On

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

I have verified that the SSL certificate is installed correctly, and it appears to work on the main site but not the Admin site.  I also tried putting the same .htaccess code in the Admin area but it made no difference.  The only place still throwing a warning is the CSS/jquery on the admin area...if I don't ignore the warnings the site is ugly.

Why No Padlock says my main site is not SSL secured but I get the padlock in Chrome.  The Admin site fails for all sorts of stuff like the error at the top of this post.

please help!


@tightwad the osCommerce code was designed only to make the checkout process secure (the enable SSL toggle just affects that bit).

To make the whole site secure, set the HTTP_SERVER values to https: as well as the HTTPS_SERVER values.

If you still get mixed content warnings then http:// is hard-coded and you'll have to track down exactly where.

Contact me for work on updating existing stores - whether to Phoenix or the new osC when it's released.

Looking for a payment or shipping module? Maybe I've already done it.

Working on generalising bespoke solutions for Quickbooks integration, Easify integration and pay4later (DEKO) integration at 2.3.x
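
One way to track down hard-coded http:// references, as an added example that is not part of the original posts or of osCommerce: a Python scanner that lists every subresource a saved page loads over plain http, which is what triggers the mixed content warnings discussed in this thread. The names `find_mixed_content` and `MixedContentFinder` and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch a subresource.
# Browsers block "active" mixed content (scripts, stylesheets, frames);
# "passive" content (images, media) has historically loaded with a warning.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, category, url)

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "").strip() for name, value in attrs}
        if tag == "link" and "stylesheet" in attr.get("rel", "").lower().split():
            url, category = attr.get("href", ""), "active"
        elif tag in ACTIVE:
            url, category = attr.get(ACTIVE[tag], ""), "active"
        elif tag in PASSIVE:
            url, category = attr.get(PASSIVE[tag], ""), "passive"
        else:
            return  # <a href>, <link rel="canonical"> etc. are not fetched
        # Protocol-relative (//host/...) and https:// URLs are fine.
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, category, url))


def find_mixed_content(html):
    """Return every hard-coded http:// subresource in an HTML document."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; host names are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//platform.example.net/widgets.js"></script>
<script src="http://connect.example.net/sdk.js"></script>
</head><body>
<a href="http://www.example.com/index.php">Home</a>
<img src="HTTP://www.example.com/images/logo.png">
<img src="https://www.example.com/images/ok.png">
</body></html>"""

if __name__ == "__main__":
    for line, tag, category, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag}> {category}: {url}")
```

Plain navigation links such as the `<a href>` in the sample are skipped because they do not load anything into the page.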


Archived

This topic is now archived and is closed to further replies.
