MrPhil Posted February 21, 2017 Share Posted February 21, 2017 @@sakkiotto, your redirects to add www. and change http to https could be done more efficiently: RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://www.mysite.it/$1 [R=301,L] RewriteCond %{HTTP_HOST} !^www\. [NC] RewriteRule ^(.*)$ https://www.mysite.it/$1 [R=301,L] That way, if someone comes in with http://mysite.it, you'll only use one 301 redirect round trip instead of two, speeding things up and making search engines a bit happier. You could further combine them: RewriteCond %{HTTPS} off [OR] RewriteCond %{HTTP_HOST} !^www\. [NC] RewriteRule ^(.*)$ https://www.mysite.it/$1 [R=301,L] As for why it's adding the products_id Query String, I suspect that you have your https and www redirects after the SEO rewrites. They would pick up any modifications that the SEO code has already made to the URL and Query String. Make sure they are before the SEO. As a rule of thumb, 301 redirects that you want the visitor or search engine to see should come first, and internal rewrites for SEO and other things that you don't really want the visitor to see should come last. Link to comment Share on other sites More sharing options...
♥John W Posted February 21, 2017 Share Posted February 21, 2017 @@MrPhil I like the way you combined and simplified this. Seems so logical really. A few months ago I added the line below and now if I try to access my site without https I don't get any 301 redirects as long as I have www. in the request. I just noticed that recently in doing some test. Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" I'm not really a dog. Link to comment Share on other sites More sharing options...
sakkiotto Posted February 21, 2017 Share Posted February 21, 2017 @@sakkiotto, your redirects to add www. and change http to https could be done more efficiently: RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://www.mysite.it/$1 [R=301,L] RewriteCond %{HTTP_HOST} !^www\. [NC] RewriteRule ^(.*)$ https://www.mysite.it/$1 [R=301,L] That way, if someone comes in with http://mysite.it, you'll only use one 301 redirect round trip instead of two, speeding things up and making search engines a bit happier. You could further combine them: RewriteCond %{HTTPS} off [OR] RewriteCond %{HTTP_HOST} !^www\. [NC] RewriteRule ^(.*)$ https://www.mysite.it/$1 [R=301,L] As for why it's adding the products_id Query String, I suspect that you have your https and www redirects after the SEO rewrites. They would pick up any modifications that the SEO code has already made to the URL and Query String. Make sure they are before the SEO. As a rule of thumb, 301 redirects that you want the visitor or search engine to see should come first, and internal rewrites for SEO and other things that you don't really want the visitor to see should come last. @@MrPhil with RewriteCond %{HTTPS} off [OR]RewriteCond %{HTTP_HOST} !^www\. [NC] RewriteRule ^(.*)$ https://www.mysite.it/$1 [R=301,L]nbsp; https://www.mysite.it/$1 [R=301,L] google see https://www.mysite.it/product_info.php?products_id=65122 with RewriteCond %{HTTPS} off [OR] RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC] RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI}[R=301,L] google see https://www.mysiste.it/vtac-vt1853-lampadina-led-e27-10w-2700k-bianco-caldo-sku-4209-p-65122.html?products_id=65122 What's wrong for ?products_id=65122 ? I don't think is SEO, it's work fine on site, only with redirect on htaccess I have this problem. Link to comment Share on other sites More sharing options...
sakkiotto Posted February 21, 2017 Share Posted February 21, 2017 Ok, just solved. For who have my same problem my mistake was to put the rule before seo url like this: RewriteRule ^(.*)-p-(.*).html$ product_info.php?products_id=$2&%{QUERY_STRING} RewriteRule ^(.*)-c-(.*).html$ index.php?cPath=$2&%{QUERY_STRING} RewriteRule ^(.*)-m-([0-9]+).html$ index.php?manufacturers_id=$2&%{QUERY_STRING} RewriteRule ^(.*)-pi-([0-9]+).html$ popup_image.php?pID=$2&%{QUERY_STRING} RewriteRule ^(.*)-t-([0-9]+).html$ articles.php?tPath=$2&%{QUERY_STRING} RewriteRule ^(.*)-a-([0-9]+).html$ article_info.php?articles_id=$2&%{QUERY_STRING} RewriteRule ^(.*)-pr-([0-9]+).html$ product_reviews.php?products_id=$2&%{QUERY_STRING} RewriteRule ^(.*)-pri-([0-9]+).html$ product_reviews_info.php?products_id=$2&%{QUERY_STRING} RewriteRule ^(.*)-i-([0-9]+).html$ information_pages.php?info_id=$2&%{QUERY_STRING} RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC] RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L] RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] instead in this way: RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC] RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L] RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] RewriteRule ^(.*)-p-(.*).html$ product_info.php?products_id=$2&%{QUERY_STRING} RewriteRule ^(.*)-c-(.*).html$ index.php?cPath=$2&%{QUERY_STRING} RewriteRule ^(.*)-m-([0-9]+).html$ index.php?manufacturers_id=$2&%{QUERY_STRING} RewriteRule ^(.*)-pi-([0-9]+).html$ popup_image.php?pID=$2&%{QUERY_STRING} RewriteRule ^(.*)-t-([0-9]+).html$ articles.php?tPath=$2&%{QUERY_STRING} RewriteRule ^(.*)-a-([0-9]+).html$ article_info.php?articles_id=$2&%{QUERY_STRING} RewriteRule ^(.*)-pr-([0-9]+).html$ product_reviews.php?products_id=$2&%{QUERY_STRING} RewriteRule ^(.*)-pri-([0-9]+).html$ product_reviews_info.php?products_id=$2&%{QUERY_STRING} RewriteRule ^(.*)-i-([0-9]+).html$ information_pages.php?info_id=$2&%{QUERY_STRING} Link to comment Share on other sites More sharing options...
MrPhil Posted February 22, 2017 Share Posted February 22, 2017 Yep. As I said... As for why it's adding the products_id Query String, I suspect that you have your https and www redirects after the SEO rewrites. They would pick up any modifications that the SEO code has already made to the URL and Query String. Link to comment Share on other sites More sharing options...
douglaswalker Posted February 23, 2017 Share Posted February 23, 2017 @@MrPhil Hi there thanks for this saves an extra hop RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://www.mysite.com/$1 [R=301,L] RewriteCond %{HTTP_HOST} !^www\. [NC] RewriteRule ^(.*)$ https://www.mysite.com/$1 [R=301,L] Just wondered if there is a reason or preference for RewriteCond %{HTTPS} off or RewriteCond %{HTTPS} !on Link to comment Share on other sites More sharing options...
MrPhil Posted February 23, 2017 Share Posted February 23, 2017 No reason one way or the other, AFAIK. I think the response is supposed to be yes or no, in which case either way would work. You may also see =yes or =no, which are apparently equivalent to ^yes$ and ^no$. I seem to recall hearing about a server (IIS?) that returned "1" instead of "yes". I don't know if that's still true. Link to comment Share on other sites More sharing options...
jamiehennings Posted April 4, 2017 Share Posted April 4, 2017 In Today's world it is necessary to prevent own website from threats and spam, so using SSL is a best way to prevent it. Link to comment Share on other sites More sharing options...
Mikepo Posted May 15, 2017 Share Posted May 15, 2017 @@Gergely @@frankl @@John W Thanks for this thread, my site is fully https now :) regards Mike osC CE live - developing osC Phoenix adding modules with no core changes(awesome and easy!) Link to comment Share on other sites More sharing options...
Scottyj Posted January 8, 2018 Share Posted January 8, 2018 Hi all, sorry I hope this is a living thread :) I've just purchased an SSL certificate and have done the following: admin\includes\configure.php (edited to add https ) includes\configure.php (edited to add https) .htaccess (added the redirect rule, I think, from this thread). It seems to be working well. My website, techworld.co.nz , redirects to https://techworld.co.nz and chrome says all is good. The certificate however says www.techworld.co.nz but it seems I have one that supports both www.techworld.co.nz and techworld.co.nz . My problem however is on the actual product pages like this https://techworld.co.nz/xspc-raystorm-waterblock-intel-p-61084.html which whilst https works, it is not 'secure'. It basically seems to lose the certificate. Every other non product page seems to work, its just the product pages. Any ideas why? Link to comment Share on other sites More sharing options...
Scottyj Posted January 8, 2018 Share Posted January 8, 2018 Oh.. I just saw some content was blocked and it looks like the twitter and FB and google links are being blocked and they are http... possibly doesn't like that? Link to comment Share on other sites More sharing options...
radhavallabh Posted January 8, 2018 Share Posted January 8, 2018 6 minutes ago, Scottyj said: Oh.. I just saw some content was blocked and it looks like the twitter and FB and google links are being blocked and they are http... possibly doesn't like that? Change http:// to // for all these links contained within script tags... It shall fix the issue :) Warm Regds./ radhavallabh Link to comment Share on other sites More sharing options...
Scottyj Posted January 8, 2018 Share Posted January 8, 2018 29 minutes ago, radhavallabh said: Change http:// to // for all these links contained within script tags... It shall fix the issue :) Warm Regds./ radhavallabh Thanks for the quick reply. It seems I have a few hard coded http links instead of using tep_href_link, especially in the menu. Looks like I have some coding to do! Link to comment Share on other sites More sharing options...
MrPhil Posted January 8, 2018 Share Posted January 8, 2018 On 4/4/2017 at 6:06 AM, jamiehennings said: In Today's world it is necessary to prevent own website from threats and spam, so using SSL is a best way to prevent it. You're giving out false information. SSL has nothing to do with protecting against threats and spam. The only thing it does is ensure privacy of your communications back and forth between the browser and the server, so no one can snoop on (or modify) them in-between. Link to comment Share on other sites More sharing options...
OldPete Posted January 24, 2018 Share Posted January 24, 2018 Great thread for people that are late to the game with going all https. I *think* I have fully migrated everything. Everything gets a solid lock, all http in code has been changed to https, config files changed, etc. I have a couple of questions to try and make sure I'm all set. site: thebestcandles.com htaccess code: I have a lot of code in the htaccess. What I added during the migration to going all https: # Always use https for secure connections # Replace 'www.example.com' with your domain name # (as it appears on your SSL certificate) RewriteEngine On RewriteCond %{SERVER_PORT} 80 RewriteRule ^(.*)$ https://www.thebestcandles.com/$1 [R=301,L] I have additional "stuff" in there, that to be VERY honest... I have no idea what it does... this is the part that I am most interested in determining what it does, is it needed, is it good or bad, etc.: # $Id: .htaccess,v 1.3 2003/06/12 10:53:20 hpdl Exp $ # Set some options Options -Indexes Options FollowSymLinks RewriteEngine on RewriteBase / # # Skip the next two rewriterules if NOT a spider RewriteCond %{HTTP_USER_AGENT} !(msnbot|slurp|googlebot) [NC] RewriteRule .* - [S=2] # # case: leading and trailing parameters RewriteCond %{QUERY_STRING} ^(.+)&osCsid=[0-9a-z]+&(.+)$ [NC] RewriteRule (.*) $1?%1&%2 [R=301,L] # # case: leading-only, trailing-only or no additional parameters RewriteCond %{QUERY_STRING} ^(.+)&osCsid=[0-9a-z]+$|^osCsid=[0-9a-z]+&?(.*)$ [NC] RewriteRule (.*) $1?%1 [R=301,L] # #Deals with the .index in the url RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/ RewriteRule ^index\.php$ http://www.thebestcandles.com/ [R=301,L] # #Deals with the www or no www in the url RewriteCond %{HTTP_HOST} ^thebestcandles.com [NC] RewriteRule ^(.*)$ http://www.thebestcandles.com/$1 [L,R=301] #rewriteCond %{HTTP_HOST} . # And if requested domain is NOT the canonical domain #rewriteCond %{HTTP_HOST} !^www\.thebestcandles\.com # Redirect to requested page in canonical domain #rewriteRule (.*) http://www.thebestcandles.com/$1 [R=301,L] # If non-canonical domain requested (case-insensitive compare) #rewriteCond %{HTTP_HOST} ^thebestcandles\.com [NC] # Redirect to requested page in canonical domain # rewriteRule (.*) http://www.thebestcandles.com/$1 [R=301,L] And a "small" second part of my question: In the Google Search Console... I now have two listings, one is http and one is https. They both have "activity" -- but the newer, https has much more. Do you leave them both? How do you handle the old one? Link to comment Share on other sites More sharing options...
OldPete Posted January 24, 2018 Share Posted January 24, 2018 So... I've been reading here:https://support.google.com/webmasters/answer/44231 It appears that you need both https and http in the Search Console. I'm a bit stuck on the "preferred" part, however... Link to comment Share on other sites More sharing options...
Jack_mcs Posted January 24, 2018 Share Posted January 24, 2018 Yes, google requires both but if your shop is setup completely for https, the http one will be mostly empty. The same is true for www and non-www. This assumes you have the proper redirection code added to your shops .htaccess file to redirect all http urls to https. The preferred url should be the one that you use on the shop. Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. Get the latest versions of my addons Recommended SEO Addons Link to comment Share on other sites More sharing options...
OldPete Posted January 24, 2018 Share Posted January 24, 2018 Hi Jack!... you're still around (you've helped me before)... If you scroll up (to the post before my last)... you'll see parts of my htaccess code. Thoughts? Link to comment Share on other sites More sharing options...
Jack_mcs Posted January 24, 2018 Share Posted January 24, 2018 Yes, still here. :) There are a few mistakes in the file. I assume you have the first code you posted somewhere after the other tests since the redirects are happening as they should. But you shouldn't reference http anywhere in your site and you have that twice in that file. You are telling it to redirect to http and then redirect again to https. And I suggest you remove the following block of comments. The .htaccess file gets loaded on every page refresh so keeping its size down is helpful. #rewriteCond %{HTTP_HOST} . # And if requested domain is NOT the canonical domain #rewriteCond %{HTTP_HOST} !^www\.thebestcandles\.com # Redirect to requested page in canonical domain #rewriteRule (.*) http://www.thebestcandles.com/$1 [R=301,L] # If non-canonical domain requested (case-insensitive compare) #rewriteCond %{HTTP_HOST} ^thebestcandles\.com [NC] # Redirect to requested page in canonical domain # rewriteRule (.*) http://www.thebestcandles.com/$1 [R=301,L] Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. Get the latest versions of my addons Recommended SEO Addons Link to comment Share on other sites More sharing options...
OldPete Posted January 24, 2018 Share Posted January 24, 2018 Ah! Ok! I'll remove that #'d code... And... to make sure I get it right, you're saying that the "http:" here: #Deals with the .index in the url RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/ RewriteRule ^index\.php$ http://www.thebestcandles.com/ [R=301,L] # #Deals with the www or no www in the url RewriteCond %{HTTP_HOST} ^thebestcandles.com [NC] RewriteRule ^(.*)$ http://www.thebestcandles.com/$1 [L,R=301] should be "https" ergo: #Deals with the .index in the url RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/ RewriteRule ^index\.php$ https://www.thebestcandles.com/ [R=301,L] # #Deals with the www or no www in the url RewriteCond %{HTTP_HOST} ^thebestcandles.com [NC] RewriteRule ^(.*)$ https://www.thebestcandles.com/$1 [L,R=301] Do I have that right? :) Link to comment Share on other sites More sharing options...
Jack_mcs Posted January 25, 2018 Share Posted January 25, 2018 Yes, that's correct. Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. Get the latest versions of my addons Recommended SEO Addons Link to comment Share on other sites More sharing options...
big_goals Posted January 26, 2018 Share Posted January 26, 2018 Okay, so I am new do this and these and I don't get what should we do exactly to be protected. I guess I have to read the whole thread. Link to comment Share on other sites More sharing options...
MrPhil Posted January 26, 2018 Share Posted January 26, 2018 The idea is to end up with a site which is 100% SSL (https) usage, with no non-SSL (http) left. In a nutshell: Get an SSL certificate for your domain, and have it installed. Many hosts now offer free private SSL certs. Note exactly what domain names that it covers. Update your configure.php files to use https:// everywhere, with no http:// left anywhere. Watch out that you have the correct domain name format. Check for (and fix) any hard-coded http:// in your code and database, including banner ads and such. They will upset browsers. Put a statement in your .htaccess to redirect incoming http:// to https:// and if necessary non-www to www (or vice-versa). Note that being under SSL protects your site and user data from snooping by hackers while in transit between the server and browser, and back. It otherwise does nothing to prevent someone from breaking into and modifying your site. It won't help you if someone installed a keystroke logger on your PC, or has your database ID and password. Major search engines (especially Google) also prefer SSL sites over non-SSL sites. Link to comment Share on other sites More sharing options...
tightwad Posted August 24, 2018 Share Posted August 24, 2018 I am trying to fix my new installation to use SSL everywhere. I get mixed content warnings. I get warnings about: Quote Mixed Content: The page at 'https://www.mysiteURL.com/admin/orders.php?page=1&oID=4735' was loaded over HTTPS, but requested an insecure stylesheet 'http://wwwmysiteURL.com/ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css'. This content should also be served over HTTPS. I edited the site config file to be: define('HTTP_SERVER', 'http://www.mysiteURL.com'); define('HTTPS_SERVER', 'https://www.mysiteURL.com'); define('ENABLE_SSL', true); I also edited the admin>includes config to have: define('HTTP_SERVER', 'http://www.mysiteURL.com'); define('HTTPS_SERVER', 'https://www.mysiteURL.com'); define('ENABLE_SSL', true); define('HTTP_COOKIE_DOMAIN', ''); define('HTTPS_COOKIE_DOMAIN', ''); define('HTTP_COOKIE_PATH', '/admin'); define('HTTPS_COOKIE_PATH', '/admin'); define('HTTP_CATALOG_SERVER', 'http://www.mysiteURL.com'); define('HTTPS_CATALOG_SERVER', 'https://www.mysiteURL.com'); define('ENABLE_SSL_CATALOG', 'false'); ### I tried true here as well I edited the .htaccess file in the root folder with this at the top: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] RewriteCond %{HTTPS} on RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC] RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L] I have verified that the SSL certificate is installed correctly, and it appears to work on the main site but not the Admin site. I also tried putting the same .htaccess code in the Admin area but it made no difference. The only place still throwing a warning is the CSS/jquery on the admin area...if I don't ignore the warnings the site is ugly. Why No Padlock says my main site is not SSL secured but I get the padlock in Chrome. The Admin site fails for all sorts of stuff like the error at the top of this post. please help! Link to comment Share on other sites More sharing options...
BrockleyJohn Posted August 24, 2018 Share Posted August 24, 2018 @tightwad the oscommerce code was designed only to make the checkout process secure (the enable SSL toggle just affects that bit). For the whole site secure, set the HTTP_SERVER values to https: as well as the HTTPS_SERVER values If you still get mixed content warnings then http:// is hard-coded and you'll have to track down exactly where Contact me for work on updating existing stores - whether to Phoenix or the new osC when it's released. Looking for a payment or shipping module? Maybe I've already done it. Working on generalising bespoke solutions for Quickbooks integration, Easify integration and pay4later (DEKO) integration at 2.3.x Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.