  1. #1
    Join Date
    Jul 2008
    Posts
    4
    Plugin Contributions
    0

    Default Issue with secure and nonsecure - server not indicating that it's in SSL mode

    First of all, I am not a noob. Second, I have tried to find a matching post for the issue I am having to no avail.

    On a clean install of zc, albeit my first time with zc, using a wildcard ssl cert, I get the secure/nonsecure error when going to checkout. ALL of the images on the checkout page are using the nonsecure link. Here is the site:

    http://www.ichee.com

    Here is the first part of my includes/configure.php file:

    Code:
    // Define the webserver and path parameters
      // HTTP_SERVER is your Main webserver: eg-http://www.your_domain.com
      // HTTPS_SERVER is your Secure webserver: eg-https://www.your_domain.com
      define('HTTP_SERVER', 'http://www.ichee.com');
      define('HTTPS_SERVER', 'https://ichee.sslrx.com');
      // Use secure webserver for checkout procedure?
      define('ENABLE_SSL', 'true');
    
    // NOTE: be sure to leave the trailing '/' at the end of these lines if you make changes!
    // * DIR_WS_* = Webserver directories (virtual/URL)
      // these paths are relative to top of your webspace ... (ie: under the public_html or httpdocs folder)
      define('DIR_WS_CATALOG', '/');
      define('DIR_WS_HTTPS_CATALOG', '/');
    
      define('DIR_WS_IMAGES', 'images/');
      define('DIR_WS_INCLUDES', 'includes/');
      define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
      define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
      define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
      define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
      define('DIR_WS_DOWNLOAD_PUBLIC', DIR_WS_CATALOG . 'pub/');
      define('DIR_WS_TEMPLATES', DIR_WS_INCLUDES . 'templates/');
    
      define('DIR_WS_PHPBB', '/');
    
    // * DIR_FS_* = Filesystem directories (local/physical)
      //the following path is a COMPLETE path to your Zen Cart files. eg: /var/www/vhost/accountname/public_html/store/
      define('DIR_FS_CATALOG', '/usr/local/apache2/vhosts/ichee.com/htdocs/');
    
      define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
      define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');
      define('DIR_WS_UPLOADS', DIR_WS_IMAGES . 'uploads/');
      define('DIR_FS_UPLOADS', DIR_FS_CATALOG . DIR_WS_UPLOADS);
      define('DIR_FS_EMAIL_TEMPLATES', DIR_FS_CATALOG . 'email/');
    For some reason zc is not substituting https://ichee.sslrx.com for the image URLs.

    I would really appreciate some advice on how to resolve this.

  2. #2
    Join Date
    Oct 2007
    Location
    Australia
    Posts
    889
    Plugin Contributions
    0

    Default Re: Issue with secure and nonsecure

    Code:
      define('HTTP_SERVER', 'http://www.ichee.com');
      define('HTTPS_SERVER', 'https://ichee.sslrx.com');
    Try taking off the www. from the HTTP_SERVER and see if that helps, that turned out to be my issue, and possibly may be yours as well :)

    And um, I just noticed that you can reach your store on both http://ichee.sslrx.com and http://ichee.com so I guess I am confused as to which one actually is the store LOL or are they both?
    HunnyBee Design - ZC 1.3.9h ~ Digiscrap Forum
    "A man's manners are a mirror in which he shows his portrait." ~ Johann Wolfgang von Goethe

  3. #3
    Join Date
    Apr 2008
    Location
    London
    Posts
    599
    Plugin Contributions
    0

    Default Re: Issue with secure and nonsecure

    You might find that because you are using a base href of www.domain, all your files are being referenced as www.domain.com/images/image.gif

    What actual domain is the cert issued to?
    domain.com and www.domain.com are 2 entirely different places as far as the cert is concerned.

  4. #4
    Join Date
    Jul 2008
    Posts
    4
    Plugin Contributions
    0

    Default Re: Issue with secure and nonsecure

    Thanks BBB and Christon --

    Still no love

    I tried changing the http reference to ichee.com instead of www.ichee.com. The only effect was that zc wrote all non-http urls as ichee.com instead of www.ichee.com. When I checked out, I got the same secure/nonsecure and all of the links to the images were still referenced like this:

    http://ichee.com/includes/templates/...mages/logo.gif

    It seems to me that zc should be changing those links to use ichee.sslrx.com.

    I do see that https://ichee.sslrx.com is the top browser url when I go to check out, so it does at least know to use ichee.sslrx.com as the url for ssl pages.

    Finally, BBB, you asked who the cert is issued to -- it is a wildcard certificate *.sslrx.com, so any canonical (such as ichee.sslrx.com) can be mapped to the same directory that ichee.com is mapped to.

    Grrrrr--- this is perplexing! I have reinstalled twice and the same thing happens. Perfectly clean installations each time.

  5. #5
    Join Date
    Jan 2004
    Posts
    58,244
    Blog Entries
    3
    Plugin Contributions
    106

    Default Re: Issue with secure and nonsecure

    If you look more carefully, you'll see that the image link is actually this:
    HTML Code:
       <div id="logo"><a href="http://ichee.com/"><img src="includes/templates/classic/images/logo.gif" alt="Powered by Zen Cart :: The Art of E-Commerce [home link]" title=" Powered by Zen Cart :: The Art of E-Commerce [home link] " width="192" height="64" /></a></div>
    Zen Cart can only switch between SSL modes successfully if you use "relative" links, and not "absolute" links. That is, when you are specifying the path to an image, you should NOT include the domain name in the SRC tag. Just use the relative path, ie: /images/blah.gif or /includes/templates/your_template/images/blah.gif etc.

    Your login page, which is SSL, doesn't seem to be reporting the non-secure message right now. Thus, if your checkout pages *are* giving non-secure warnings, that means that *you* have added something to those pages that is using a hard-coded full URL path to some image(s) on those pages. Those are what you'll have to fix.

    Related FAQ: http://tutorials.zen-cart.com/index.php?article=150
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donations always welcome: www.zen-cart.com/donate

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  6. #6
    Join Date
    Jul 2008
    Posts
    4
    Plugin Contributions
    0

    Default Re: Issue with secure and nonsecure

    DrByte,

    Thanks for the reply.

    No, there were no changes made by me whatsoever beyond the installation script and chmod'ing the configure.php files (admin/includes and includes).

    Also, I AM getting the secure/nonsecure when I browse to the login page from the top-of-the-page link from http://ichee.com.

    Looking at the browser source of the login page after I opted to display both secure and nonsecure pages, I found the following references to src pointing to the non-ssl ichee.com:

    Code:
    <base href="http://ichee.com/" />
    and

    Code:
    <script language="javascript" type="text/javascript"><!--
    function session_win() {
      window.open("http://ichee.com/index.php?main_page=info_shopping_cart&amp;zenid=68faq6lec2s38r2isqamicksn0","info_shopping_cart","height=460,width=430,toolbar=no,statusbar=no,scrollbars=yes").focus();
    }
    //--></script>
    The check-out page source code has only the following src references to the non-ssl ichee.com:

    Code:
    <base href="http://ichee.com/" />
    and

    Code:
    <script language="javascript" type="text/javascript"><!--
    function session_win() {
      window.open("http://ichee.com/index.php?main_page=info_shopping_cart&amp;zenid=68faq6lec2s38r2isqamicksn0","info_shopping_cart","height=460,width=430,toolbar=no,statusbar=no,scrollbars=yes").focus();
    }
    //--></script>
    Which is basically the same thing as we see on the login page.

    Does this help?

  7. #7
    Join Date
    Jan 2004
    Posts
    58,244
    Blog Entries
    3
    Plugin Contributions
    106

    Default Re: Issue with secure and nonsecure

    Quote: Originally posted by rdklein
    Code:
    <base href="http://ichee.com/" />
    If you're getting non-SSL URL in the base href tag, then you're running on a server that's unable to properly communicate to Zen Cart that it's operating in SSL mode.

    Two hosting companies who are notorious for having that problem are network solutions and fasthosts.

    Zen Cart v1.3.x currently checks for the following conditions based on $_SERVER variables available to PHP. If any of these tests passes, Zen Cart treats the page as SSL:
    HTTPS = 'on' or '1'
    HTTP_X_FORWARDED_BY = 'SSL'
    HTTP_X_FORWARDED_HOST = 'SSL' (and v1.4 and newer will check whether this matches the HTTPS_SERVER name too)
    SCRIPT_URI is passed and contains 'https:'
    SERVER_PORT = 443

    (this all depends on ENABLE_SSL being set to 'true' in your configure.php file, which you've already confirmed to be the case)
    Your server is clearly not passing those tests. Your hosting company will have to identify what the required test is for *their* bizarre server configuration.

  8. #8
    Join Date
    Jul 2008
    Posts
    4
    Plugin Contributions
    0

    Default Re: Issue with secure and nonsecure

    DrByte,

    Thank you very much for your assistance! I solved the issue with your help.

    My hosting company sets its Apache VirtualHost blocks like this:

    Code:
    <VirtualHost *:80 *:443>                                                         
      ServerName ichee.com
      ServerAlias www.ichee.com
      ServerAlias ichee.sslrx.com
      ServerAdmin webmaster@ichee.com
      TransferLog /usr/local/apache2/vhosts/ichee.com/logs/access_log
      ErrorLog /usr/local/apache2/vhosts/ichee.com/logs/error_log
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
      DocumentRoot /usr/local/apache2/vhosts/ichee.com/htdocs
      ScriptAlias /cgi-bin/ /usr/local/apache2/vhosts/ichee.com/cgi-bin/
      <Directory "/usr/local/apache2/vhosts/ichee.com/htdocs">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
      </Directory>
      <Directory "/usr/local/apache2/vhosts/ichee.com/cgi-bin">
        Options ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
     </Directory>
    </VirtualHost>
    By separating the *:80 and *:443 into two paragraphs and adding a "SetEnv HTTPS 1" directive in the *:443 paragraph, I now get the env variable HTTPS when I need it for ssl enabled pages:

    Code:
    <VirtualHost *:80>
      ServerName ichee.com
      ServerAlias www.ichee.com
      ServerAdmin webmaster@ichee.com
      TransferLog /usr/local/apache2/vhosts/ichee.com/logs/access_log
      ErrorLog /usr/local/apache2/vhosts/ichee.com/logs/error_log
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
      DocumentRoot /usr/local/apache2/vhosts/ichee.com/htdocs
      ScriptAlias /cgi-bin/ /usr/local/apache2/vhosts/ichee.com/cgi-bin/
      <Directory "/usr/local/apache2/vhosts/ichee.com/htdocs">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
      </Directory>
      <Directory "/usr/local/apache2/vhosts/ichee.com/cgi-bin">
        Options ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
     </Directory>
    </VirtualHost>
    
    <VirtualHost *:443>                                                  
      ServerName ichee.sslrx.com
      ServerAdmin webmaster@ichee.com
      SetEnv HTTPS 1
      TransferLog /usr/local/apache2/vhosts/ichee.com/logs/access_log
      ErrorLog /usr/local/apache2/vhosts/ichee.com/logs/error_log
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
      DocumentRoot /usr/local/apache2/vhosts/ichee.com/htdocs
      ScriptAlias /cgi-bin/ /usr/local/apache2/vhosts/ichee.com/cgi-bin/
      <Directory "/usr/local/apache2/vhosts/ichee.com/htdocs">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
      </Directory>
      <Directory "/usr/local/apache2/vhosts/ichee.com/cgi-bin">
        Options ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
     </Directory>
    </VirtualHost>
    I sincerely appreciate the time you spent assisting me in this matter.

    Regards,


    Richard
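
The five checks listed in post #7 and the effect of the "SetEnv HTTPS 1" fix from post #8, as an added example that is not part of the thread and not Zen Cart's own code. The function names, the case-insensitive comparisons and the sample $_SERVER arrays are assumptions made for illustration.

```php
<?php
// Added example, not Zen Cart source code. Re-implements the five tests listed
// in post #7 so a $_SERVER dump can be checked against them.

function ssl_indicators(array $server): array
{
    $get = static fn(string $key): string => trim((string)($server[$key] ?? ''));
    return [
        // Set by the web server itself (or by "SetEnv HTTPS 1", as in post #8).
        'HTTPS'                 => in_array(strtolower($get('HTTPS')), ['on', '1'], true),
        // HTTP_* entries are copied from request headers: only meaningful when a
        // front-end proxy sets them and discards any client-supplied copy.
        'HTTP_X_FORWARDED_BY'   => strtoupper($get('HTTP_X_FORWARDED_BY')) === 'SSL',
        'HTTP_X_FORWARDED_HOST' => strtoupper($get('HTTP_X_FORWARDED_HOST')) === 'SSL',
        'SCRIPT_URI'            => stripos($get('SCRIPT_URI'), 'https:') !== false,
        'SERVER_PORT'           => $get('SERVER_PORT') === '443',
    ];
}

// Hypothetical helper: which server name ends up in <base href>.
function base_href(array $server, string $enableSsl, string $http, string $https): string
{
    $isSsl = $enableSsl === 'true' && in_array(true, ssl_indicators($server), true);
    return ($isSsl ? $https : $http) . '/';
}

// Constructed samples, not captured from the poster's server.
$samples = [
    'no SSL signal reaches PHP' => ['SERVER_PORT' => '80'],
    'with SetEnv HTTPS 1'       => ['SERVER_PORT' => '80', 'HTTPS' => '1'],
];

foreach ($samples as $label => $server) {
    $passed = array_keys(array_filter(ssl_indicators($server)));
    printf(
        "%-26s passed: %-6s base href: %s\n",
        $label,
        $passed ? implode(',', $passed) : 'none',
        base_href($server, 'true', 'http://ichee.com', 'https://ichee.sslrx.com')
    );
}
```

Passing the real $_SERVER array to ssl_indicators() from a page requested over https:// shows which of the tests, if any, the hosting setup satisfies.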

  9. #9
    Join Date
    Jan 2004
    Posts
    58,244
    Blog Entries
    3
    Plugin Contributions
    106

    Default Re: Issue with secure and nonsecure

    Excellent!

    And thanks for sharing your solution. For others who have such low-level control of their server configuration, that information could be a big help.