Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

SSL on every page.


yomama360

Recommended Posts

I'm a little late in the game on this one. What is the easiest way to make every page switch to https?

It switches fine when people go to log in, just wondering if there is a quick, easy way to do it for all pages.
Thanks

"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself.

Therefore, all progress depends upon the unreasonable man."

-- George Bernard Shaw

Link to comment
Share on other sites

Make sure you have done 2 things,

1) changed all http:// to https:// in both configure.php

2) Make sure your .htaccess file has been updated to include the re write rule, something like this.

RewriteEngine On
RewriteCond %{HTTPS} off
# this makes it a permanent redirect
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Then is ssl cert has been installed correctly on server all pages should be ssl 

 

Link to comment
Share on other sites

39 minutes ago, yomama360 said:

I'm a little late in the game on this one. What is the easiest way to make every page switch to https?

It switches fine when people go to log in, just wondering if there is a quick, easy way to do it for all pages.
Thanks

Read through this whole thread, it tells you everything you need to know

 

osCommerce user since 2003! :thumbsup:

Link to comment
Share on other sites

Very awesome thanks.

@frankl the linked forum also talked about forcing a redirect to www. Incidentally I want to force a redirect to non-www. How do I do that?
Thanks.

"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself.

Therefore, all progress depends upon the unreasonable man."

-- George Bernard Shaw

Link to comment
Share on other sites

# Add www to any URLs that do not have them:
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

 

# Remove www from any URLs that have them:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

 

Link to comment
Share on other sites

Awesome, thanks again. (I probably could have guessed that, but wanted to be sure).

Another ignorant question: you are using {HTTP_HOST}, is there a difference from {HTTPS_HOST} ?

If I want to make everything https and non-www I assume my code in the .htaccess should look like this: (and put it before other rewrites)

 

RewriteEngine On

# switch all to https
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Remove www from any URLs that have them:
RewriteCond %{HTTPS_HOST} ^www\.
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

Is this correct? Should I remove www first before switching to the https?
Would this kill subdomains?

"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself.

Therefore, all progress depends upon the unreasonable man."

-- George Bernard Shaw

Link to comment
Share on other sites

Without knowing how you have setup your config files its hard to give specific advice. If your not sure post for help in the commercial section of the forum.

Assuming you have your config files pointing everything to https://www-mysite-com

then all you should need to see https://mysite-com is,

RewriteEngine On
RewriteCond %{HTTPS} off
# this makes it a permanent redirect
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

 

If you have subdomains then you will need to make changes to ensure the redirects are only effective on the main domain. I would strongly advise getting help with this! 

 

 

Link to comment
Share on other sites

13 mod_rewrite Examples, from blog by By DK Lyenn, https://www.sitepoint.com/apache-mod_rewrite-examples-2/

These are a guide only.

As always back up before making any changes.

 

1. Forcing www for a domain while preserving subdomains

RewriteCond %{HTTP_HOST} ^([a-z.]+)?example.com$ [NC]  
RewriteCond %{HTTP_HOST} !^www. [NC]  
RewriteRule .? http://www.%1example.com%{REQUEST_URI} [R=301,L]

This rule captures the optional subdomain using the %1 variable, and, if it doesn’t start with www., redirects with www. prepended to the subdomain. The domain and the original {REQUEST_URI} are appended to the result.

2. Eliminating www from a domain

RewriteCond %{HTTP_HOST} !^example.com$ [NC]  
RewriteRule .? http://example.com%{REQUEST_URI} [R=301,L]

3. Getting rid of the www but preserving a subdomain

RewriteCond %{HTTP_HOST} ^www.(([a-z0-9_]+.)?example.com)$ [NC]  
RewriteRule .? http://%1%{REQUEST_URI} [R=301,L]

Here, the subdomain is captured in %2 (the inner atom) but, since it’s optional and already captured in the %1 variable, all you need is the %1 for the subdomain.

4. Preventing image hotlinking

If some unscrupulous webmasters are leeching your bandwidth by linking to images from your site to post on theirs, you can use the following rule to block the requests:

RewriteCond %{HTTP_REFERER} !^$  
RewriteCond %{HTTP_REFERER} !^http://(www.)?example.com/ [NC]  
RewriteRule .(gif|jpg|png)$ - [F]

If the {HTTP_REFERER} value is not blank, or from your own domain (example.com), this rule will block the viewing of URIs ending in .gif, .jpg, or .png using the forbidden flag, F.

If you are upset enough at these hotlinkers, you could change the image and let visitors to the site know that you know that they’re hotlinking:

RewriteCond %{HTTP_REFERER} !^$  
RewriteCond %{HTTP_REFERER} !^http://(www.)?example.com/.*$ [NC]  
RewriteRule .(gif|jpg|png)$ http://www.example.com/hotlinked.gif [R=301,L]

Instead of blocking the URI, the above rule rewrites it to a specific image in our domain. What appears in this image is completely up to your imagination!

You can block specific domains using:

RewriteCond %{HTTP_REFERER} !^http://(www.)?leech_site.com/ [NC]  
RewriteRule .(gif|jpg|png)$ - [F,L]

This rule blocks all requests where the {HTTP_REFERER} field is set to the bad domain.

Of course, the above rules rely on the {HTTP_REFERER} value being set correctly. It usually is, but if you’d rather rely on the IP Address, use {REMOTE_ADDR} instead.

5. Redirecting to a 404 page if the directory and file do not exist

If your host doesn’t provide for a "file not found" redirection, create it yourself!

RewriteCond %{REQUEST_FILENAME} !-f  
RewriteCond %{REQUEST_FILENAME} !-d  
RewriteRule .? /404.php [L]

Here, -f matches an existing filename and -d matches an existing directory name. This script checks to see that the requested filename is not an existing filename or directory name before it redirects to the 404.php script. You can extend this script: include the URI in a query string by adding ?url=$1 immediately after the URI:

RewriteRule ^/?(.*)$ /404.php?url=$1 [L]

This way, your 404.php script can do something with the requested URL: display it in a message, send it in an email alert, perform a search, and so on.

6. Renaming your directories

If you’ve shifted files around on your site, changing directory names, try this:

RewriteRule ^/?old_directory/([a-z/.]+)$ new_directory/$1 [R=301,L]

I’ve included the literal dot character (not the "any character" metacharacter) inside the set to allow file extensions.

7. Converting old .html links to new .php links

Updating your web site but need to be sure that bookmarked links will still work?

RewriteRule ^/?([a-z/]+).html$ $1.php [L]

This is not a redirection, so it will be invisible to your visitors. To make it permanent (and visible), change the flag to [R=301,L].

8. Creating extensionless links

If your site uses PHP files, and you want to make your links easier to remember — or you just want to hide the file extension, try this:

RewriteRule ^/?([a-z]+)$ $1.php [L]

If you have a mixture of both .html and .php files, you can use RewriteCond statements to check whether the filename with either extension exists as a file:

RewriteCond %{REQUEST_FILENAME}.php -f  
RewriteRule ^/?([a-zA-Z0-9]+)$ $1.php [L]  
RewriteCond %{REQUEST_FILENAME}.html -f  
RewriteRule ^/?([a-zA-Z0-9]+)$ $1.html [L]

If the file name exists with the .php extension, that rule will be chosen.

9. Checking for a key in a query string

If you need to have a specific key’s value in your query string, you can check for its existence with a RewriteCond statement:

RewriteCond %{QUERY_STRING} !uniquekey=  
RewriteRule ^/?script_that_requires_uniquekey.php$ other_script.php [QSA,L]

The above code will check the {QUERY_STRING} variable for a lack of the key uniquekey and, if the {REQUEST_URI} is the script_that_requires_uniquekey, it will redirect to an alternative URI.

10. Deleting the query string

Apache’s mod_rewrite automatically passes through a query string unless you do either of the following:

  • Assign a new query string (you can keep the original query string by adding a QSA flag, e.g., [QSA,L]).

  • Add a ? after a filename (for example, index.php?). The ? will not be shown in the browser’s location field.

11. Redirecting a working URI to a new format

Here’s a curly one. Let’s say, for example, that we’ve got a set of working URLs that look like this: /index.php?id=nnnn. However, we’d really like to change them to /nnnn and make sure search engines update their indexes to the new URI format. First, we’d have to redirect the old URIs to the new ones so that search engines update their indexes, but we’d still have to rewrite the new URI back to the old one so that the index.php script would run. Have I got your head spinning?

The trick here is to place into the query string a marker code that will not be seen by visitors. We redirect from the old link to the new format only if the "marker" is not present in the query string. Then we rewrite the new format link back to the old format, and add a marker to the query string, using the QSA flag to ensure we’re not eliminating an existing query string. Here’s how it’s done:

RewriteCond %{QUERY_STRING} !marker  
RewriteCond %{QUERY_STRING} id=([-a-zA-Z0-9_+]+)  
RewriteRule ^/?index.php$ %1? [R=301,L]  
  
RewriteRule ^/?([-a-zA-Z0-9_+]+)$ index.php?marker&id=$1 [L]

Here, the original URI, http://www.example.com/index.php?id=nnnn, does not contain the marker, so it’s redirected by the first rule to http://www.example.com/nnnn with a HTTP 301 response. The second rule rewrites http://www.example.com/nnnn back to http://www.example.com/index.php?marker&id=nnnn, adding marker and id=nnnn in a new query string; then, the mod_rewrite process is started over.

In the second iteration, the marker is matched so the first rule is ignored and, since there’s a dot character in index.php?marker&id=nnnn, the second rule is also ignored … and we’re finished!

Note that, while useful, this solution does require additional processing by Apache, so be careful if you’re using it on shared servers with a lot of traffic.

12. Ensuring that a secure server is used

Apache can determine whether you’re using a secure server in two ways: using the {HTTPS}, or {SERVER_PORT}, variables:

RewriteCond %{REQUEST_URI} ^secure_page.php$  
RewriteCond %{HTTPS} !on   
RewriteRule ^/?(secure_page.php)$ https://www.example.com/$1 [R=301,L]

The above example tests that the {REQUEST_URI} value is equal to our secure page script, and that the {HTTPS} value is not equal to on. If both these conditions re met, the request is redirected to the secure server URI. Alternatively, you could do the same thing by testing the {server_port} value, where 443 is typically the secure server port:

RewriteCond %{REQUEST_URI} ^secure_page.php$  
RewriteCond %{SERVER_PORT} !^443$  
RewriteRule ^/?(secure_page.php)$ https://www.example.com/$1 [R=301,L]

13. Enforcing secure server only on selected pages

In situations where secure and unsecured domains share the web server’s DocumentRoot directory, you’ll need a RewriteCond statement to check that the secure server port isn’t being used, and then only redirect the request if the requested script is one in the list of those that require a secure server:

RewriteCond %{SERVER_PORT} !^443$  
RewriteRule ^/?(page1|page2|page3|page4|page5)$  https://www.example.com/%1 [R=301,L]

Here’s how you’d redirect requests for pages not requiring a secure server back to port 80:

RewriteCond %{ SERVER_PORT } ^443$   
RewriteRule !^/?(page6|page7|page8|page9)$ http://www.example.com%{REQUEST_URI} [R=301,L]

 

 

Link to comment
Share on other sites

On 8/2/2018 at 4:16 PM, yomama360 said:

Awesome, thanks again. (I probably could have guessed that, but wanted to be sure).

Another ignorant question: you are using {HTTP_HOST}, is there a difference from {HTTPS_HOST} ?

If I want to make everything https and non-www I assume my code in the .htaccess should look like this: (and put it before other rewrites)

 


RewriteEngine On

# switch all to https
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Remove www from any URLs that have them:
RewriteCond %{HTTPS_HOST} ^www\.
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

Is this correct? Should I remove www first before switching to the https?
Would this kill subdomains?

You should use %{HTTP_HOST} and %{HTTPS}, and not %{HTTPS_HOST}, which appears to be non-standard. Your code will produce two round trips (301's) if the original URL is http://www.example.com, for which search engines will penalize you. The following is better:

RewriteEngine On
RewriteCond  %{HTTPS} !on [OR]
RewriteCond  %{HTTP_HOST}  ^www\.
RewriteRule  ^(.*)$  https://example.com/$1  [R=301,L]

Now, if you have subdomains of the form SUB.example.com (not example.com/SUB/ at this point), and you want to preserve them but still switch to https for all of them, try

RewriteEngine On
RewriteCond  %{HTTPS}  !on
RewriteCond  %{HTTP_HOST} ^www\.
RewriteRule  ^(.*)$  https://example.com/$1  [R=301,L]
RewriteCond  %{HTTPS}  !on
RewriteRule  ^(.*)$  https://%{HTTP_HOST}/$1  [R=301,L]

should work. http://www.example.com should be the only thing to trigger the first rewrite, then it will come back through again as https://example.com, and not trigger either rewrite. http://SUB.example.com should skip the first rewrite because the domain does not start with www., and trigger the second rewrite  to https://SUB.example.com. Finally, https://SUB.example.com (whether original or after the second rewrite) should not trigger either rewrite. You should end up with only a single 301 round trip.

Link to comment
Share on other sites

OK, I think it needs to be extended a bit. I'm trying to catch all cases to do only a single R=301 redirect, rather than multiple 301's.

RewriteEngine On
# http[s]://www.example.com to https://example.com
RewriteCond  %{HTTP_HOST}  ^www\.
RewriteRule  ^(.*)$  https://example.com/$1  [R=301,L]
# http://[SUB.]example.com  to https
RewriteCond  %{HTTPS}  !on
RewriteCond  %{HTTP_HOST}  !^www\.
RewriteRule  ^(.*)$  https://%{HTTP_HOST}/$1  [R=301,L]

I rarely work with subdomains, so I didn't get it right the first time. I think this one will work.

Link to comment
Share on other sites

I was just working on this over the weekend. My first store was on 2.2MS2 back in 2004 and had to update it to OsC 2.3.4 manly because upgrades in PHP made my site crash.. anyways

First i edited catalog/includes/configure.php

define('HTTP_SERVER', 'https://www.mydomain.cl');
  define('HTTPS_SERVER', 'https://www.mydomain.cl');
  define('ENABLE_SSL', true);

and catalog/admin/includes/configure.php

  define('HTTP_SERVER', 'https://www.viareggio.cl');
  define('HTTPS_SERVER', 'https://www.viareggio.cl');
  define('ENABLE_SSL', true);
(...)
  define('HTTPS_CATALOG_SERVER', 'https://www.viareggio.cl');

 

leaving both variables with https. 

my htaccess looks like this:

RewriteEngine On 
RewriteBase /
RewriteCond %{SERVER_PORT} 80
RewriteRule ^$ https://www.mydomain.cl/ [R=301,L]

RewriteCond %{HTTPS} off
RewriteRule ^(extenal-images/.*)$ https://www.mydomain.cl/$1 [R=301,L]

RewriteCond %{HTTP_HOST} ^subdomain.mydomain.cl
RewriteRule ^(.*)$ https://www.mydomain.cl/$1 [R=301,L]

That should convert all visitors to the site to https, and because I have set up https throughout the config file -- (HTTP_SERVER) is also showing https -- now my entire store is running over secure protocol.  

I had to be careful into what to set up here because I am still using OsCommerce Product Manager by Mario Valdez, (Very old software that has helped me update my site up to this day).. and that program doesn't support https.... so I needed to make sure the program can access the server via an unsecured link.

most solutions I've seen have the following on their .htaccess

RewriteEngine On 
RewriteBase /
RewriteCond %{HTTP_HOST} ^mydomain\.cl
RewriteRule ^(.*)$ https://www.mydomain.cl/$1 [R=301,L]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.mydomain.cl/$1 [R=301,L]

My site is also using Ultimate SEO V2.2d, so the rest of the file had a ton of RewriteRule's to make it SEO-friendly

hope this helps 

Link to comment
Share on other sites

OK, but be careful that you don't end up causing two R=301 round trips, resulting in a severe search engine penalty. I think you're OK with this code, as both redirects end up with the same URL (with SSL and with www.), but it's easy to get crossed up and cause two separate redirects if you're not careful to coordinate the separate redirects. Personally, I prefer to use two RewriteCond's  and [OR] with one RewriteRule.

And caution: this works with www./non-www., but not with subdomains, so it's not applicable to the previous question.

Link to comment
Share on other sites

  • 1 month later...

Thank you very much Chris for posting your solution to this, works well for me. I went full SSL on our shop and could not use anymore the osc Product Manager which i badly need (over 20000 products to manage...).

However, I've deleted this part from the htaccess, i'm not sure for what is this for?

RewriteCond %{HTTP_HOST} ^subdomain.mydomain.cl
RewriteRule ^(.*)$ https://www.mydomain.cl/$1 [R=301,L]
Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...