frankl

Time to get secure (if you haven't already)


The first rewrite should force HTTPS if it was an HTTP request. Note that I usually see !on rather than off -- try that if yours doesn't work. In the second rewrite, the check for HTTPS on is probably redundant, as you've already forced HTTPS. You might be able to remove that line. For clarity, if nothing else, put a space between $1 and the [R=.


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get the latest community-supported responsive "Edge" release


@@grandpaj

Just to follow up.  You do know you have to make changes in config also to go full SSL, correct?  Also, do a lot of testing to make sure you don't have any issues.  For me, Thanksgiving is a good day to do stuff because no one is on my site.  Probably not as much a factor in NZ though :)


I'm not really a dog.


@@John W

 

Hi John

 

I have the following in my config file (shop)

 

define('HTTP_SERVER', 'https://www.grunas.co.nz');    (URL changed for forum only)
  define('HTTPS_SERVER', 'https://www.grunas.co.nz');
  define('ENABLE_SSL', true);

 

As far as testing, I've clicked around logging in, shopping cart etc

Seems to work OK.

 

Look forward to your comments

 

and .htaccess

 

RewriteCond %{HTTPS} on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1[R=301,L]


If you have a sitemap, check that and make sure it's creating https.  I have one that runs daily and I had to run it to check.  Also, make sure your Adwords and anything like that you have is pointing to https pages now also.


I'm not really a dog.


@@John W

 

Hi John

 

Sitemap shows URL as https. At the moment I don't have any Adwords; maybe I should search info about these and "get some".

 

Another good earthquake here in NZ a few hours ago, all good where we live, at the moment.

 

Cheers

 

John


Hey @@grandpaj,

 

I just clicked the URL in your member screen and it did not redirect me to https.  Do you have your .htaccess redirects active now, or just testing?  When I click on your home on your page it does go SSL.

 

If you haven't done Adwords, then I can talk to my rep about getting you a promo with some free ads.  I don't know if they still do it but it's happened before.  I've used it since 2003.  We can talk more on a dedicated thread, but Adwords pays off.


I'm not really a dog.


 

RewriteCond %{HTTPS} on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1[R=301,L]

 

Um, why the check for on in the first line? You would want !on or off there. Otherwise it won't change HTTP to HTTPS.


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get the latest community-supported responsive "Edge" release


@@MrPhil

 

Hi Phil

 

This is what I have

 

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1[R=301,L]

 

If I change line 1 to "on" and delete line 3, the site disappears.

 

If I just use

RewriteCond %{HTTPS} !on
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Site is all good

 

So now I'm completely confused.

 

@@John W

Hi John

 

Somehow I had deactivated the redirect; now hopefully it should all work. Here's hoping. Should I pm you re adwords?

 

Cheers

Grandpa

Should I pm you re adwords?

 

How about a thread on it...I would love to know how to make Adwords work....I've tried it several times and the only one making money from my efforts was Google.

 

Dan


 

How about a thread on it...I would love to know how to make Adwords work....I've tried it several times and the only one making money from my efforts was Google.

 

Dan

 

Agreed, will wait for JohnW's reply.

 

Cheers

Grandpa


@@Dan Cole @@grandpaj

 

I'm no expert on Adwords but in recent months I've got it running better.  We can start a thread on it, but I'm not the best at long detailed explanations and I'm still tweaking.  Adwords seems to continuously grow in complexity and capabilities.  I'll try to gather some thoughts and start a thread, but if one of you wants to get it going first I'm sure as a group we can help each other.


I'm not really a dog.


RewriteCond %{HTTPS} off

RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTPS} on

RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]

RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1[R=301,L]

OK, that looks good, although the line 3 is redundant (it should always be HTTPS after lines 1 and 2).

 

If I change line 1 to "on" and delete line 3, the site disappears.

Why in the world did you do that? That would only rewrite the URL (line 2, to change http to https) if the protocol was already HTTPS! In other words it would loop indefinitely (and the site would disappear -- probably a 500 error). Line 1 could be changed to !on (notice the bang), or possibly !^on.

 

If I just use

RewriteCond %{HTTPS} !on

 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

I assume you're just talking about the first two lines, and not removing the www add. As discussed above, !on should be correct. You want to redirect the request to HTTPS only if it's currently HTTP (not 'on').


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get the latest community-supported responsive "Edge" release


@@MrPhil

 

Hi Phil

 

Ended up with this, hopefully all now correct, (if I have understood your previous posts correctly)

 

 

RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1[R=301,L]

 

Many thanks

Grandpa


On my site, I'm using this ...

RewriteEngine on

#First rewrite any request to the wrong domain to use the correct one (here www.)
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

#Then, rewrite to /catalog
RewriteCond %{REQUEST_URI} !^/catalog [NC]
RewriteRule ^(.*)$ /catalog/$1 [L]

#Now, rewrite to HTTPS:
#RewriteCond %{HTTPS} off
#RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

(no, I'm not running the whole site under the SSL yet, so there are only two redirects ... one to add the www. , the other to redirect to the /catalog directory)

 

However, GTMETRIX is giving me an F grade for Avoid landing page redirects

 

 

And, I am afraid that adding the additional redirect to the HTTPS will make things worse.

 

Can someone write a way to combine:

1) add WWW.

2) add HTTPS

3) redirect to /catalog

 

all in one redirect?

 

TIA !

 

Malcolm


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get the latest community-supported responsive "Edge" release here


Hey @@ArtcoInc,

 

Maybe now is a good time to think about moving your catalog to your root directory.  What do you think?  You can rewrite anyone that goes to your /catalog/  directory easily. 


I'm not really a dog.


Try to avoid moving your store to the root. It's better under /catalog or /store, as 1) you don't clutter up your site root files with store stuff, 2) you won't interfere with any other applications you want to install (having to go through osC's .htaccess, for example), 3) your store is neatly partitioned away from everything else and can be removed, changed, or upgraded without fear of breaking something else on your site, and 4) all those SE indexes and user bookmarks to /catalog won't break.

 

It's certainly possible to set up your rewrite rules with extra conditions (multiple RewriteConds) so that you don't have more than one redirect. It's not ideal to have multiple 301 redirects for a given query.

if HTTPS and is www and is /catalog (three RewriteConds)  [do nothing]
if HTTP and is www and is /catalog
  redirect to https:// 301
if HTTPS and non-www and is /catalog
  redirect to www  301
if HTTPS and www and is non /catalog
  redirect to /catalog  200
...etc...

If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get the latest community-supported responsive "Edge" release
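
A single-hop version of the decision table sketched in the post above, as an added example that is not from any poster in this thread. It assumes mod_rewrite, a .htaccess in the document root, the store under /catalog, and the placeholder canonical host www.example.com.

```apache
# Added example, not from the thread. www.example.com is a placeholder for
# the shop's canonical host; the file is assumed to be the document-root
# .htaccess with the store installed under /catalog.
RewriteEngine On

# Request state          -> external hops
#   http,  non-www       -> one 301 to https://www.
#   http,  www           -> one 301 to https://www.
#   https, non-www       -> one 301 to https://www.
#   https, www           -> none
#
# The two conditions are OR'ed, so any non-canonical combination gets a
# single 301 straight to the final scheme and host. The target host is
# written out rather than built from %{HTTP_HOST}, so the Location header
# never echoes a client-supplied Host value.
# Keep this rule above any internal rewrites so it sees the original URL.
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]

# Mapping the site root onto /catalog is an internal rewrite (no R flag):
# the browser is not redirected again, so it adds no hop.
RewriteCond %{REQUEST_URI} !^/catalog(/|$) [NC]
RewriteRule ^(.*)$ /catalog/$1 [L]
```

If /catalog has its own .htaccess with rewrite rules, the root rules are not inherited there by default, so the HTTPS/www redirect has to be repeated in that file (or inheritance enabled). Browsers cache 301s, so it is worth testing with R=302 before switching to 301.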


Hello,

 

I have paid SSL and I changed the configure.php files and .htaccess

 

here is the catalog configure.php

  define('HTTP_SERVER', 'http://www.mysite.com');
  define('HTTPS_SERVER', 'https://www.mysite.com');
  define('ENABLE_SSL', 'true');
  define('HTTP_COOKIE_DOMAIN', '.www.mysite.com');
  define('HTTPS_COOKIE_DOMAIN', '.www.mysite.com');

and here admin configure.php

  define('HTTP_SERVER', 'https://www.mysite.com');
  define('HTTP_CATALOG_SERVER', 'https://www.mysite.com');
  define('HTTPS_CATALOG_SERVER', 'https://www.mysite.com');
  define('ENABLE_SSL_CATALOG', 'true');

and here is .htaccess

# If you are getting errors you may need to comment this out like ..
# Options +FollowSymLinks
#Options +SymLinksIfOwnerMatch
<IfModule mod_rewrite.c>
  RewriteEngine On

  # RewriteBase instructions
  # Change RewriteBase dependent on how your shop is accessed as below.
  # http://www.mysite.com = RewriteBase /
  # http://www.mysite.com/catalog/ = RewriteBase /catalog/ 
  # http://www.mysite.com/catalog/shop/ = RewriteBase /catalog/shop/

  # Change RewriteBase using the instructions above  
  RewriteBase / 
  RewriteRule ^([a-z0-9-/]+)-p-([0-9]+).html$ product_info.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-c-([0-9_]+).html$ index.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-m-([0-9]+).html$ index.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-pi-([0-9]+).html$ popup_image.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-pr-([0-9]+).html$ product_reviews.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-pri-([0-9]+).html$ product_reviews_info.php [NC,L,QSA]
  # Articles contribution
  RewriteRule ^([a-z0-9-/]+)-t-([0-9_]+).html$ articles.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-au-([0-9]+).html$ articles.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-a-([0-9]+).html$ article_info.php [NC,L,QSA]
  # Information pages
  RewriteRule ^([a-z0-9-/]+)-i-([0-9]+).html$ information.php [NC,L,QSA]
  # Links contribution
  RewriteRule ^([a-z0-9-/]+)-links-([0-9_]+).html$ links.php [NC,L,QSA]
  # Newsdesk contribution
  RewriteRule ^([a-z0-9-/]+)-n-([0-9]+).html$ newsdesk_info.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-nc-([0-9]+).html$ newsdesk_index.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-nri-([0-9]+).html$ newsdesk_reviews_info.php [NC,L,QSA]
  RewriteRule ^([a-z0-9-/]+)-nra-([0-9]+).html$ newsdesk_reviews_article.php [NC,L,QSA]
</IfModule>
  

  RewriteCond %{HTTPS} !on
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

and when I open my site it shows that

 

 


@@Omar_one  Sounds like you have an image call or something on the page that isn't secure....try posting your url here...

 

https://www.whynopadlock.com/

 

Dan


Thank you @@Dan Cole

here is what I got :

1. Server supports SSLv3, may be vulnerable to POODLE attack. It is suggested to disable the SSLv3 protocol.
Server certificate.

2. Insecure URL: http://www.mysite.com/favicon.ico
Found ...... I can't find it there.

3. Insecure URL: http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js
Found


I fixed  (force Script over SSL)

3. Insecure URL: http://ajax.googleap...2/jquery.min.js
Found

by replacing

 <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>

with this

<cfoutput>
            <script src="http#( ( cgi.https IS 'on' ) ? 's' : '' )#://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
   
</cfoutput>

Or you can simply drop the protocol, i.e. "http", from the URL and the browser will use whatever the current request happens to be using:

  <script src="//ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>

Move your favicon into your image folder and put a link to it in your template_top like this

  <link rel="shortcut icon" href="/images/favicon.ico">

I'm not really a dog.
