frankl

Time to get secure (if you haven't already)


If you want SSL sitewide, you have to change http://... to https://... in all places in both config.php files. That's as a minimum. As John said, if the warning still pops up, you have a hard coded http://... or two somewhere you'll need to find.


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get (stable) Frozen or (unstable) Edge. See also the naming convention and the latest community-supported responsive "Edge" release


@tightwad

Look in your admin template_top.php for where that css is called and change it to this.

<link rel="stylesheet" href="../ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css">

 


I'm not really a dog.

5 hours ago, John W said:

@tightwad

Look in your admin template_top.php for where that css is called and change it to this.


<link rel="stylesheet" href="../ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css">

 

That error was one of many related to the CSS/jquery.  I have this in my admin/template_top.php.  I'm not sure how to make the change you suggest:

<base href="<?php echo ($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_ADMIN : HTTP_SERVER . DIR_WS_ADMIN; ?>" />
<!--[if IE]><script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/flot/excanvas.min.js', '', 'SSL'); ?>"></script><![endif]-->
<link rel="stylesheet" type="text/css" href="<?php echo tep_catalog_href_link('ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css', '', 'SSL'); ?>">
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/jquery/jquery-2.2.3.min.js', '', 'SSL'); ?>"></script>
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/jquery/ui/jquery-ui-1.10.4.min.js', '', 'SSL'); ?>"></script>
6 hours ago, MrPhil said:

If you want SSL sitewide, you have to change http://... to https://... in all places in both config.php files. That's as a minimum. As John said, if the warning still pops up, you have a hard coded http://... or two somewhere you'll need to find.

 

11 hours ago, BrockleyJohn said:

@tightwad the oscommerce code was designed only to make the checkout process secure (the enable SSL toggle just affects that bit).

For the whole site secure, set the HTTP_SERVER values to https: as well as the HTTPS_SERVER values

If you still get mixed content warnings then http:// is hard-coded and you'll have to track down exactly where

I tried changing the config.php files to:

  define('HTTP_SERVER', 'https://www.mysiteURL.com');
  define('HTTPS_SERVER', 'https://www.mysiteURL.com');

I still get errors on:

Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure stylesheet 'http://www.mysiteURL.com/ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css'. This content should also be served over HTTPS.
index.php:1 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure script 'http://www.mysiteURL.com/ext/jquery/jquery-2.2.3.min.js'. This content should also be served over HTTPS.
index.php:1 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure script 'http://www.mysiteURL.com/ext/jquery/ui/jquery-ui-1.10.4.min.js'. This content should also be served over HTTPS.
index.php:1 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure script 'http://wwwmysiteURL/ext/flot/jquery.flot.min.js'. This content should also be served over HTTPS.
index.php:1 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure script 'http://www.mysiteURL/ext/flot/jquery.flot.time.min.js'. This content should also be served over HTTPS.
6Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure image '<URL>'. This content should also be served over HTTPS.
index.php:221 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure image 'http://www.mysiteURL/images/stars_5.gif'. This content should also be served over HTTPS.
index.php:221 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure image 'http://www.mysiteURL/images/stars_5.gif'. This content should also be served over HTTPS.
index.php:221 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure image 'http://www.mysiteURL/images/stars_5.gif'. This content should also be served over HTTPS.
index.php:221 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure image 'http://www.mysiteURL/images/stars_5.gif'. This content should also be served over HTTPS.
index.php:221 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure image 'http://www.mysiteURL/images/stars_5.gif'. This content should also be served over HTTPS.
index.php:221 Mixed Content: The page at 'https://www.mysiteURL.com/admin/index.php' was loaded over HTTPS, but requested an insecure image 'http://www.mysiteURL/images/stars_5.gif'. This content should also be served over HTTPS.

I appreciate the help and responses...I feel it's so close to working right, I'm looking forward to moving forward with template/UI changes!


Simple fix: find

http://www.mysiteURL.com/ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css'

and change to

https://www.mysiteURL.com/ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css'

find

http://www.mysiteURL/images/stars_5.gif'

  and change to 

https://www.mysiteURL/images/stars_5.gif'

Any URL used in an SSL site must come from an SSL site.


 


@jcMagpie the URLs don't exist in that manner, the calls being made are building the URLs out from the Config files etc


Post your template_top.php from your admin and we'll help you fix this.


I'm not really a dog.


Ok so make sure your config is all pointing to https://  and make sure all your .htaccess redirects are all to https. 😂 and what JW just said as he beat me to it


 

1 hour ago, John W said:

Post your template_top.php from your admin and we'll help you fix this.

<?php
/*
  $Id$

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2014 osCommerce

  Released under the GNU General Public License
*/
?>
<!DOCTYPE html>
<html <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
<meta name="robots" content="noindex,nofollow">
<title><?php echo TITLE; ?></title>
<base href="<?php echo ($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_ADMIN : HTTP_SERVER . DIR_WS_ADMIN; ?>" />
<!--[if IE]><script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/flot/excanvas.min.js', '', 'SSL'); ?>"></script><![endif]-->
<link rel="stylesheet" type="text/css" href="<?php echo tep_catalog_href_link('ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css', '', 'SSL'); ?>">
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/jquery/jquery-2.2.3.min.js', '', 'SSL'); ?>"></script>
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/jquery/ui/jquery-ui-1.10.4.min.js', '', 'SSL'); ?>"></script>

<?php
  if (tep_not_null(JQUERY_DATEPICKER_I18N_CODE)) {
?>
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/jquery/ui/i18n/jquery.ui.datepicker-' . JQUERY_DATEPICKER_I18N_CODE . '.js', '', 'SSL'); ?>"></script>
<script type="text/javascript">
$.datepicker.setDefaults($.datepicker.regional['<?php echo JQUERY_DATEPICKER_I18N_CODE; ?>']);
</script>
<?php
  }
?>

<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/flot/jquery.flot.min.js', '', 'SSL'); ?>"></script>
<script type="text/javascript" src="<?php echo tep_catalog_href_link('ext/flot/jquery.flot.time.min.js', '', 'SSL'); ?>"></script>
<link rel="stylesheet" type="text/css" href="includes/stylesheet.css">
<script type="text/javascript" src="includes/general.js"></script>
</head>
<body>

<?php require('includes/header.php'); ?>

<?php
  if (tep_session_is_registered('admin')) {
    include('includes/column_left.php');
  } else {
?>

<style>
#contentText {
  margin-left: 0;
}
</style>

<?php
  }
?>

<div id="contentText">

 

There is an .htaccess at the root(catalog) level as well as the Admin level, both contain at the top:

 

RewriteEngine On

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

 


Okay, change this line

<link rel="stylesheet" type="text/css" href="<?php echo tep_catalog_href_link('ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css', '', 'SSL'); ?>">

to this

<link rel="stylesheet" href="../ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css">

Let us know if you still have a problem.


I'm not really a dog.


Thanks!  That appears to have resolved the issue with that call.  I have these as well, but the format is different so I wasn't able to apply the exact same treatment:

orders.php:1 Mixed Content: The page at 'https://www.mysiteURL.com/admin/orders.php?page=1&oID=4736&action=edit' was loaded over HTTPS, but requested an insecure script 'http://www.mysiteURL.com/ext/jquery/jquery-2.2.3.min.js'. This content should also be served over HTTPS.
orders.php:1 Mixed Content: The page at 'https://www.mysiteURL.com/admin/orders.php?page=1&oID=4736&action=edit' was loaded over HTTPS, but requested an insecure script 'http://www.mysiteURL.com/ext/jquery/ui/jquery-ui-1.10.4.min.js'. This content should also be served over HTTPS.
orders.php:1 Mixed Content: The page at 'https://www.mysiteURL.com/admin/orders.php?page=1&oID=4736&action=edit' was loaded over HTTPS, but requested an insecure script 'http://www.mysiteURL.com/ext/flot/jquery.flot.min.js'. This content should also be served over HTTPS.
orders.php:1 Mixed Content: The page at 'https://www.mysiteURL.com/admin/orders.php?page=1&oID=4736&action=edit' was loaded over HTTPS, but requested an insecure script 'http://www.mysiteURL.com/ext/flot/jquery.flot.time.min.js'. This content should also be served over HTTPS.

 


For the first two change to

<script type="text/javascript" src="../ext/jquery/jquery-2.2.3..min.js"></script>
<script type="text/javascript" src="../ext/jquery/ui/jquery-ui-1.10.4.min.js"></script>

Your other two should work as long as your config is correct.


I'm not really a dog.


You might need to play around with that some.  It works for me.


I'm not really a dog.

19 hours ago, John W said:

<script type="text/javascript" src="../ext/jquery/jquery-2.2.3..min.js"></script>

This should be
 

<script type="text/javascript" src="../ext/jquery/jquery-2.2.3.min.js"></script>

there is an extra (.) after (jquery-2.2.3.)


Good catch!  I have a different version, so I changed it for his.  Didn't see the extra ".".


I'm not really a dog.


Thanks!  That fixed it, and I was able to take the same fix to the other 2 jquery rows as well.  WhyNoPadlock now tells me I have no mixed content (but they see an SSL cert problem I don't understand).  Most of the console warnings are gone.   Thanks so much for the help!

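An added example, not part of any post in this thread: a small Node.js check over the rendered admin HTML that lists the subresources a browser would report as mixed content, resolving relative paths such as ../ext/... against the page's <base href> the way the browser does. The sample markup, constants and function names are constructed for illustration.

```javascript
// Added example, not code from the thread. Sample markup is constructed.
const PAGE = 'https://www.mysiteURL.com/admin/index.php';
const HEAD = '<base href="https://www.mysiteURL.com/admin/" />\n' +
  '<link rel="stylesheet" type="text/css" href="includes/stylesheet.css">\n';
// Rendered output while the catalog links were still built with http://
const BEFORE = HEAD +
  '<link rel="stylesheet" href="http://www.mysiteURL.com/ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css">\n' +
  '<script src="http://www.mysiteURL.com/ext/jquery/jquery-2.2.3.min.js"></script>\n' +
  '<img src="http://www.mysiteURL.com/images/stars_5.gif">';
// Rendered output after switching to paths relative to <base href>
const AFTER = HEAD +
  '<link rel="stylesheet" href="../ext/jquery/ui/redmond/jquery-ui-1.10.4.min.css">\n' +
  '<script src="../ext/jquery/jquery-2.2.3.min.js"></script>\n' +
  '<img src="https://www.mysiteURL.com/images/stars_5.gif">';

// Read one quoted attribute value out of a tag's attribute string.
function attr(attrs, name) {
  const m = new RegExp(`(?:^|\\s)${name}\\s*=\\s*["']([^"']*)["']`, 'i').exec(attrs);
  return m ? m[1] : null;
}

// List http:// subresources of an HTTPS page, resolved as the browser would.
function findMixedContent(html, pageUrl) {
  if (new URL(pageUrl).protocol !== 'https:') return [];
  const baseTag = /<base\b([^>]*)>/i.exec(html);
  const baseHref = baseTag ? attr(baseTag[1], 'href') : null;
  const base = new URL(baseHref || pageUrl, pageUrl);
  const findings = [];
  for (const [, tag, attrs] of html.matchAll(/<(script|link|img)\b([^>]*)>/gi)) {
    const name = tag.toLowerCase();
    const ref = attr(attrs, name === 'link' ? 'href' : 'src');
    if (!ref) continue;
    if (name === 'link' && !/stylesheet/i.test(attr(attrs, 'rel') || '')) continue;
    const url = new URL(ref, base);
    if (url.protocol !== 'http:') continue;
    // Mixed Content categories: scripts and stylesheets are blockable,
    // images are optionally-blockable.
    const kind = name === 'img' ? 'optionally-blockable' : 'blockable';
    findings.push({ tag: name, url: url.href, kind });
  }
  return findings;
}

for (const html of [BEFORE, AFTER]) {
  console.log(findMixedContent(html, PAGE));
}
```

Run it against the HTML the server actually sends (view source or a saved response), not the PHP template, since the URLs are only built at render time from the config constants.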
