ahjeff
Posted June 3, 2020

Conclusion to setting SSL certificates in osCommerce v2.3.3.1

Most of this is copied from others, and I kept testing by trial and error. Feel free to correct.

1. You need to set up a certificate; some hosting providers offer a free cert. (In cPanel, under the "SSL Certificates" icon, make sure "Force SSL with https redirect" is checked.)

2. Change in "includes/configuration.php" (and remember to set the permission back to 444 after modifying):

    define('HTTP_SERVER', 'https://www.domain.com'); // eg, http://localhost - should not be empty for productive servers
    define('HTTPS_SERVER', 'https://www.domain.com'); // eg, https://localhost - should not be empty for productive servers
    define('ENABLE_SSL', true);
    define('HTTP_COOKIE_DOMAIN', 'www.domain.com');
    define('HTTPS_COOKIE_DOMAIN', 'www.domain.com');

3. Change in "admin/includes/configuration.php" to:

    define('HTTP_SERVER', 'https://www.domain.com'); // eg, http://localhost - should not be empty for productive servers
    define('HTTP_CATALOG_SERVER', 'https://www.domain.com');
    define('HTTPS_CATALOG_SERVER', 'https://www.domain.com');
    define('ENABLE_SSL_CATALOG', 'true');

4. Inside the store admin panel, go to Configuration ->> Sessions and change to these values:

    Force Cookie Use: True
    Check SSL Session ID: True
    Check User Agent: True
    Check IP Address: True
    Prevent Spider Sessions: True
    Recreate Session: True

5. Change .htaccess:

    # Redirect every plain-http request to the same URL over https
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    <IfModule mod_headers.c>
        # HSTS: browsers use https only for one year, subdomains included
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        Header unset X-Powered-By
        Header unset Server
        Header set X-Content-Type-Options "nosniff"
        Header set X-XSS-Protection "1; mode=block"
        # Drop X-XSS-Protection again for static, non-HTML files
        <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
            Header unset X-XSS-Protection
        </FilesMatch>
    </IfModule>

=============================================
Remark:

A. Here is the problem many people find: when you go to the https site, the browser will show your site is not secure. Funny thing is, Microsoft Edge will show secure but NOT Chrome or Opera.

Most sites do not mention changing, in "includes/configuration.php",
"define('HTTP_SERVER', 'http://www.domain.com')" to "define('HTTP_SERVER', 'https://www.domain.com')".

Sometimes it is because the site has an external insecure http link (e.g. an image link to http://xx).

But what I am working on is a simple shop. No such error, but it still has the above 'your site is not secure.' This is because inside your page those links still link to insecure http (e.g. your product links). Funny thing is, when you click this product, it will go to a secure https site. But when you copy the link, it shows insecure http. Thus just simply make them all https.

B. Or losing the CSS, images and layout (copied from user gassko): clear the browser cache.
=============================================
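Remark A in the post comes down to references in the rendered page that still resolve to http://. As an added example (not part of the original post), this Python scanner lists them for one page, resolving relative URLs against the page URL or a `<base href>`, and labels resources the browser fetches during rendering separately from plain links and form actions. The names `scan` and `InsecureRefScanner`, the host img.example.net and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes the browser fetches while rendering: mixed content if http://
FETCHED = {("img", "src"), ("script", "src"), ("iframe", "src"),
           ("embed", "src"), ("source", "src"), ("object", "data")}
# Attributes that only navigate or submit: the request starts over plain http
FOLLOWED = {("a", "href"), ("form", "action")}

class InsecureRefScanner(HTMLParser):
    """Collect references that resolve to http:// for a page served at page_url."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # replaced when the page carries <base href>
        self.findings = []     # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"].strip())
            return
        for name, value in attrs.items():
            if (tag, name) in FETCHED:
                kind = "mixed-content"
            elif tag == "link" and name == "href":
                rel = (attrs.get("rel") or "").lower()
                kind = "mixed-content" if "stylesheet" in rel or "icon" in rel else "link"
            elif (tag, name) in FOLLOWED:
                kind = "link"
            else:
                continue
            url = urljoin(self.base, (value or "").strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))

def scan(html, page_url):
    scanner = InsecureRefScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; www.domain.com is the post's placeholder host
SAMPLE = """<head><link rel="stylesheet" href="stylesheet.css"></head>
<a href="http://www.domain.com/product_info.php?products_id=1">Product</a>
<img src="http://img.example.net/banner.gif">
<img src="images/logo.png">"""

if __name__ == "__main__":
    for finding in scan(SAMPLE, "https://www.domain.com/index.php"):
        print(*finding)
```

Feed it the saved HTML of a storefront page together with that page's https URL; an empty result means every reference on the page resolves to https.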
Archived
This topic is now archived and is closed to further replies.