Time to get secure (if you haven't already)

@@sakkiotto, your redirects to add www. and change http to https could be done more efficiently:

RewriteCond  %{HTTPS} off
RewriteRule  ^(.*)$  https://www.mysite.it/$1  [R=301,L]
RewriteCond  %{HTTP_HOST}  !^www\.  [NC]
RewriteRule  ^(.*)$  https://www.mysite.it/$1  [R=301,L]
That way, if someone comes in with http://mysite.it, you'll only use one 301 redirect round trip instead of two, speeding things up and making search engines a bit happier. You could further combine them:

RewriteCond  %{HTTPS} off   [OR]
RewriteCond  %{HTTP_HOST}  !^www\.  [NC]
RewriteRule  ^(.*)$  https://www.mysite.it/$1  [R=301,L]

 

As for why it's adding the products_id Query String, I suspect that you have your https and www redirects after the SEO rewrites. They would pick up any modifications that the SEO code has already made to the URL and Query String. Make sure they are before the SEO. As a rule of thumb, 301 redirects that you want the visitor or search engine to see should come first, and internal rewrites for SEO and other things that you don't really want the visitor to see should come last.


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get the latest community-supported responsive "Edge" release


@@MrPhil

I like the way you combined and simplified this. Seems so logical really. A few months ago I added the line below and now if I try to access my site without https I don't get any 301 redirects as long as I have www. in the request. I just noticed that recently in doing some tests.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

I'm not really a dog.


@@MrPhil with

RewriteCond  %{HTTPS} off   [OR]
RewriteCond  %{HTTP_HOST}  !^www\.  [NC]
RewriteRule  ^(.*)$  https://www.mysite.it/$1  [R=301,L]

Google sees https://www.mysite.it/product_info.php?products_id=65122

with

RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Google sees https://www.mysiste.it/vtac-vt1853-lampadina-led-e27-10w-2700k-bianco-caldo-sku-4209-p-65122.html?products_id=65122

What's wrong for ?products_id=65122 ?

I don't think it's SEO, it works fine on the site; only with the redirect in htaccess do I have this problem.


Ok, just solved. For anyone who has the same problem as me, my mistake was to put the rule before seo url like this:

 

RewriteRule ^(.*)-p-(.*).html$ product_info.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-c-(.*).html$ index.php?cPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-m-([0-9]+).html$ index.php?manufacturers_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pi-([0-9]+).html$ popup_image.php?pID=$2&%{QUERY_STRING}
RewriteRule ^(.*)-t-([0-9]+).html$ articles.php?tPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-a-([0-9]+).html$ article_info.php?articles_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pr-([0-9]+).html$ product_reviews.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pri-([0-9]+).html$ product_reviews_info.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-i-([0-9]+).html$ information_pages.php?info_id=$2&%{QUERY_STRING}


RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]


RewriteCond %{HTTPS} off 
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

instead in this way:

 

RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]


RewriteCond %{HTTPS} off 
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]


RewriteRule ^(.*)-p-(.*).html$ product_info.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-c-(.*).html$ index.php?cPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-m-([0-9]+).html$ index.php?manufacturers_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pi-([0-9]+).html$ popup_image.php?pID=$2&%{QUERY_STRING}
RewriteRule ^(.*)-t-([0-9]+).html$ articles.php?tPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-a-([0-9]+).html$ article_info.php?articles_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pr-([0-9]+).html$ product_reviews.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pri-([0-9]+).html$ product_reviews_info.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-i-([0-9]+).html$ information_pages.php?info_id=$2&%{QUERY_STRING}


Yep. As I said...

 

 

As for why it's adding the products_id Query String, I suspect that you have your https and www redirects after the SEO rewrites. They would pick up any modifications that the SEO code has already made to the URL and Query String.


@@MrPhil

 

Hi there 

Thanks for this, it saves an extra hop

RewriteCond  %{HTTPS} off
RewriteRule  ^(.*)$  https://www.mysite.com/$1  [R=301,L]
RewriteCond  %{HTTP_HOST}  !^www\.  [NC]
RewriteRule  ^(.*)$  https://www.mysite.com/$1  [R=301,L]

Just wondered if there is a reason or preference for

RewriteCond  %{HTTPS} off

or

RewriteCond  %{HTTPS} !on


No reason one way or the other, AFAIK. I think the response is supposed to be yes or no, in which case either way would work. You may also see =yes or =no, which are apparently equivalent to ^yes$ and ^no$.

 

I seem to recall hearing about a server (IIS?) that returned "1" instead of "yes". I don't know if that's still true.



Hi all, sorry I hope this is a living thread :)

I've just purchased an SSL certificate and have done the following:

admin\includes\configure.php  (edited to add https )

includes\configure.php (edited to add https)

.htaccess (added the redirect rule, I think, from this thread).

It seems to be working well. My website, techworld.co.nz, redirects to https://techworld.co.nz and Chrome says all is good. The certificate however says www.techworld.co.nz but it seems I have one that supports both www.techworld.co.nz and techworld.co.nz.

My problem however is on the actual product pages like this https://techworld.co.nz/xspc-raystorm-waterblock-intel-p-61084.html which whilst https works, it is not 'secure'. It basically seems to lose the certificate. Every other non product page seems to work, it's just the product pages.

Any ideas why?


Oh.. I just saw some content was blocked and it looks like the twitter and FB and google links are being blocked and they are http... possibly doesn't like that?

6 minutes ago, Scottyj said:

Oh.. I just saw some content was blocked and it looks like the twitter and FB and google links are being blocked and they are http... possibly doesn't like that?

Change http:// to // for all these links contained within script tags... It shall fix the issue :)

Warm Regds./

radhavallabh

 

29 minutes ago, radhavallabh said:

Change http:// to // for all these links contained within script tags... It shall fix the issue :)

Warm Regds./

radhavallabh

 

Thanks for the quick reply. It seems I have a few hard coded http links instead of using tep_href_link, especially in the menu. Looks like I have some coding to do!

On 4/4/2017 at 6:06 AM, jamiehennings said:

In Today's world it is necessary to prevent own website from threats and spam, so using SSL is a best way to prevent it.

You're giving out false information. SSL has nothing to do with protecting against threats and spam. The only thing it does is ensure privacy of your communications back and forth between the browser and the server, so no one can snoop on (or modify) them in-between.



Great thread for people that are late to the game with going all https.

I *think* I have fully migrated everything.  Everything gets a solid lock, all http in code has been changed to https, config files changed, etc.

I have a couple of questions to try and make sure I'm all set.

site: thebestcandles.com

htaccess code:

I have a lot of code in the htaccess.  What I added during the migration to going all https:
# Always use https for secure connections
# Replace 'www.example.com' with your domain name
# (as it appears on your SSL certificate)
 RewriteEngine On
 RewriteCond %{SERVER_PORT} 80
 RewriteRule ^(.*)$ https://www.thebestcandles.com/$1 [R=301,L]


I have additional "stuff" in there, that to be VERY honest... I have no idea what it does... this is the part that I am most interested in determining what it does, is it needed, is it good or bad, etc.:
 

# $Id: .htaccess,v 1.3 2003/06/12 10:53:20 hpdl Exp $

# Set some options
Options -Indexes
Options FollowSymLinks

RewriteEngine on
RewriteBase /
#
# Skip the next two rewriterules if NOT a spider
RewriteCond %{HTTP_USER_AGENT} !(msnbot|slurp|googlebot) [NC]
RewriteRule .* - [S=2]
#
# case: leading and trailing parameters
RewriteCond %{QUERY_STRING} ^(.+)&osCsid=[0-9a-z]+&(.+)$ [NC]
RewriteRule (.*) $1?%1&%2 [R=301,L]
#
# case: leading-only, trailing-only or no additional parameters
RewriteCond %{QUERY_STRING} ^(.+)&osCsid=[0-9a-z]+$|^osCsid=[0-9a-z]+&?(.*)$ [NC]
RewriteRule (.*) $1?%1 [R=301,L]
#
#Deals with the .index in the url
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.thebestcandles.com/ [R=301,L]
#
#Deals with the www or no www in the url

RewriteCond %{HTTP_HOST} ^thebestcandles.com [NC]
RewriteRule ^(.*)$ http://www.thebestcandles.com/$1 [L,R=301] 


#rewriteCond %{HTTP_HOST} .
# And if requested domain is NOT the canonical domain
#rewriteCond %{HTTP_HOST} !^www\.thebestcandles\.com
# Redirect to requested page in canonical domain
#rewriteRule (.*) http://www.thebestcandles.com/$1 [R=301,L]
# If non-canonical domain requested (case-insensitive compare)
#rewriteCond %{HTTP_HOST} ^thebestcandles\.com [NC]
# Redirect to requested page in canonical domain
# rewriteRule (.*) http://www.thebestcandles.com/$1 [R=301,L]
 

And a "small" second part of my question:

In the Google Search Console... I now have two listings, one is http and one is https.  They both have "activity" -- but the newer, https has much more.
Do you leave them both?  How do you handle the old one?


Yes, Google requires both but if your shop is set up completely for https, the http one will be mostly empty. The same is true for www and non-www. This assumes you have the proper redirection code added to your shop's .htaccess file to redirect all http urls to https. The preferred url should be the one that you use on the shop.


Hi Jack!... you're still around (you've helped me before)...

If you scroll up (to the post before my last)... you'll see parts of my htaccess code.

Thoughts?


Yes, still here. :)  There are a few mistakes in the file. I assume you have the first code you posted somewhere after the other tests since the redirects are happening as they should. But you shouldn't reference http anywhere in your site and you have that twice in that file. You are telling it to redirect to http and then redirect again to https. And I suggest you remove the following block of comments. The .htaccess file gets loaded on every page refresh so keeping its size down is helpful.

#rewriteCond %{HTTP_HOST} .
 # And if requested domain is NOT the canonical domain
 #rewriteCond %{HTTP_HOST} !^www\.thebestcandles\.com
 # Redirect to requested page in canonical domain
 #rewriteRule (.*) http://www.thebestcandles.com/$1 [R=301,L]
 # If non-canonical domain requested (case-insensitive compare)
 #rewriteCond %{HTTP_HOST} ^thebestcandles\.com [NC]
 # Redirect to requested page in canonical domain
 # rewriteRule (.*) http://www.thebestcandles.com/$1 [R=301,L]

 


Ah!  Ok!  I'll remove that #'d code...

And... to make sure I get it right, you're saying that the "http:" here:

 

#Deals with the .index in the url
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.thebestcandles.com/ [R=301,L]
#
#Deals with the www or no www in the url

RewriteCond %{HTTP_HOST} ^thebestcandles.com [NC]
RewriteRule ^(.*)$ http://www.thebestcandles.com/$1 [L,R=301] 

 

should be "https"

 

ergo:

 

#Deals with the .index in the url
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ https://www.thebestcandles.com/ [R=301,L]
#
#Deals with the www or no www in the url

RewriteCond %{HTTP_HOST} ^thebestcandles.com [NC]
RewriteRule ^(.*)$ https://www.thebestcandles.com/$1 [L,R=301] 

 

Do I have that right? :)
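
Two mistakes come up in this thread: visible 301 redirects placed after the internal SEO rewrites (the products_id problem earlier), and redirect targets that still point at http:// (the posts just above). Both can be checked mechanically; the following is an added example, not code from any poster or from osCommerce, and the finding names `redirect-after-rewrite` and `http-target` as well as the sample .htaccess are constructed for illustration.

```python
import re

# Constructed sample (not a poster's file): an internal SEO rewrite placed before
# the redirects, and one redirect whose target is still http://.
SAMPLE = r"""RewriteEngine on
RewriteRule ^(.*)-p-(.*).html$ product_info.php?products_id=$2&%{QUERY_STRING}
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.example.com/ [R=301,L]
"""

RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)

def parse_rules(text):
    """Yield (line_no, target, flag_names) for every active RewriteRule line."""
    for no, line in enumerate(text.splitlines(), 1):
        m = RULE.match(line)  # commented-out lines start with '#' and never match
        if m:
            flags = {f.split("=")[0].strip().upper()
                     for f in (m.group(3) or "").split(",") if f.strip()}
            yield no, m.group(2), flags

def lint(text):
    """Return (line_no, finding) pairs for the two mistakes discussed in the thread."""
    findings, first_internal = [], None
    for no, target, flags in parse_rules(text):
        if target == "-":
            continue  # "-" means no substitution (skip or flag-only rules)
        if flags & {"R", "REDIRECT"}:  # externally visible redirect
            if first_internal is not None:
                # The redirect is built from the URL and query string already
                # modified by the internal rewrite above it.
                findings.append((no, "redirect-after-rewrite"))
            if target.lower().startswith("http://"):
                # Sends the visitor to plain HTTP, costing a second redirect.
                findings.append((no, "http-target"))
        elif first_internal is None:
            first_internal = no  # first internal (non-redirect) rewrite seen
    return findings

if __name__ == "__main__":
    for no, finding in lint(SAMPLE):
        print(f"line {no}: {finding}")
```
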


The idea is to end up with a site which is 100% SSL (https) usage, with no non-SSL (http) left. In a nutshell:

  1. Get an SSL certificate for your domain, and have it installed. Many hosts now offer free private SSL certs. Note exactly what domain names it covers.
  2. Update your configure.php files to use https:// everywhere, with no http:// left anywhere. Watch out that you have the correct domain name format.
  3. Check for (and fix) any hard-coded http:// in your code and database, including banner ads and such. They will upset browsers.
  4. Put a statement in your .htaccess to redirect incoming http:// to https:// and if necessary non-www to www (or vice-versa).

Note that being under SSL protects your site and user data from snooping by hackers while in transit between the server and browser, and back. It otherwise does nothing to prevent someone from breaking into and modifying your site. It won't help you if someone installed a keystroke logger on your PC, or has your database ID and password. Major search engines (especially Google) also prefer SSL sites over non-SSL sites.

