SSL suggestion

Hi,
may be these are dumb questions but I really can't find proper answers around.
I have v1.5.4 with ssl configured.
SSL works and gets activated when logging in or checking out but is not active when browsing.

I see many sites that are automatically redirect to https even at the home page.

The questions are:
1) Is it better for some reason (and if so why) to run under https starting from home page?
2) To activate https immediately when accessing the site should I mod the includes/configure.php so that
define('HTTP_SERVER', 'http://www.mysite.it');
reads
define('HTTP_SERVER', 'https://www.mysite.it');
3) If I apply what in point 2) would this have any consequence aboutn google indexing and or adwords google merchant settings?

Thanks.
ciao from Italy
enzo

There is actually no reason that I can think of for your site to be under SSL the whole time as only sensitive information requires encryption and ZenCart is smart enough to envoke it when required

But the answer to your question of "How" is correct

Code:

---

define('HTTP_SERVER', 'https://www.mysite.it');

---

Will cause your site to be under SSL the whole time

This is exactlywhat I thought.
Thanks

Nevertheless, some search engines, including the big G, give better search-result ranking to sites which are entirely SSL.

If you want to make your site run entirely under SSL, there are two pieces to that:

a) Zen Cart side:
- HTTP_SERVER should use your https:// address instead of an http:// address
- ENABLE_SSL should be set to 'false' (because ENABLE_SSL is only set to 'true' when you want ZC to switch back and forth between http and https for certain secured pages)
*NOTE: Some people have reported that setting ENABLE_SSL to 'false' in this case may cause confusion to some payment module configurations which expect SSL and rely on the ENABLE_SSL setting to confirm it. Thus, in some cases it may still be wise to leave ENABLE_SSL set to 'true' even when using https on all pages.

b) Server side:
You might want to also make some Apache configurations to redirect any non-SSL URLs to the SSL equivalent. Often this is done in .htaccess. Consult your hosting company for the best way to do this on your particular server. (There are lots of possible approaches posted all over the internet, but your hosting company knows the best way for your particular server.)

WOW!
Thank a lot!
Ciao from Italy

I did it, and I added this to the .htaccess

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]

It seems to work prefectly.
May be is too much, but I pay for the ssl so why not use it?
Thanks again.
ciao from Italy
enzo

I found a little problem with ssl on admin.
CKEDITOR is not loaded, whle HTML area is.
How can I fix this?
I can use HTML area, but I am used to ckeditor, so....

What is in your 2 configure.php files?

Here they are.
Thanks
enzo

Quote:

---

/*************** NOTE: This file is similar, but DIFFERENT from the "admin" version of configure.php. ***********/
/*************** The 2 files should be kept separate and not used to overwrite each other. ***********/

// Define the webserver and path parameters
// HTTP_SERVER is your Main webserver: eg-http://www.your_domain.com
// HTTPS_SERVER is your Secure webserver: eg-https://www.your_domain.com
define('HTTP_SERVER', 'https://www.mysite.it');
define('HTTPS_SERVER', 'https://www.mysite.it');
define('HTTP_SERVER_ALTERNATIVE', 'http://www.m.mysite.it');
define('HTTPS_SERVER_ALTERNATIVE', 'https://www.m.mysite.it');
// Use secure webserver for checkout procedure?
define('ENABLE_SSL', 'false');

---

Quote:

---

/*************** NOTE: This file is similar, but DIFFERENT from the "store" version of configure.php. ***********/
/*************** The 2 files should be kept separate and not used to overwrite each other. ***********/

/**
* WE RECOMMEND THAT YOU USE SSL PROTECTION FOR YOUR ENTIRE ADMIN:
* To do that, make sure you use a "https:" URL for BOTH the HTTP_SERVER and HTTPS_SERVER entries:
*/
define('HTTP_SERVER', 'https://www.mysite.it');
define('HTTPS_SERVER', 'https://www.mysite.it');
define('HTTP_CATALOG_SERVER', 'https://www.mysite.it');
define('HTTPS_CATALOG_SERVER', 'https://www.mysite.it');

// secure webserver for admin? Valid choices are 'true' or 'false' (including quotes).
define('ENABLE_SSL_ADMIN', 'true');

// secure webserver for storefront? Valid choices are 'true' or 'false' (including quotes).
define('ENABLE_SSL_CATALOG', 'true');

---

What about the rest of these files??

And where did these come from??

Quote:

---

define('HTTP_SERVER_ALTERNATIVE', 'http://www.m.mysite.it');
define('HTTPS_SERVER_ALTERNATIVE', 'https://www.m.mysite.it');

---

Further I thought DrByte suggested turning off the ENABLE_SSL_ settings, which you've currently only done at this point on the catalog side.

If you tell me what you want to see it is easyer.
The lines you quoted are there because of google.
They will disappera as soon as I will switch to 1.5.5 responsive.
However they have nothing to do with ssl and the admin side.
Ciao

Quote:

---

Further I thought DrByte suggested turning off the ENABLE_SSL_ settings, which you've currently only done at this point on the catalog side.

---

Thanks.
I did not realize that DrByte suggested to do it also on the admin config. I did it now, but nothing changed. CKEDITOR still does not get loaded, while HTMLAREA does.
In my opinion is a matter of configuration on CKEDITOR, but I have no idea of how to change it.
ciao
enzo

Quote:

---

Originally Posted by enzo-ita

I did it, and I added this to the .htaccess

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]

---

Which .htaccess file did you put this in?

Quote:

---

Originally Posted by soxophoneplayer

Which .htaccess file did you put this in?

---

The one in the Root

Quote:

---

Originally Posted by enzo-ita

I found a little problem with ssl on admin.
CKEDITOR is not loaded, whle HTML area is.
How can I fix this?
I can use HTML area, but I am used to ckeditor, so....

---

I've never had an SSL problem with using CKEditor.
Perhaps you're missing some language files for your CKEditor or it didn't fully upload to your server?

Quote:

---

Originally Posted by DrByte

I've never had an SSL problem with using CKEditor.
Perhaps you're missing some language files for your CKEditor or it didn't fully upload to your server?

---

It did work perfectly before switching to ssl.
If I do not use ssl it start working again.
:dontgetit
ciao
P.S: I switched to english langiage in admin but nothing changes.

Use your browser's javascript console to look at what errors javascript is encountering. Also use the browser's error-reporting to see what errors it's encountering related to SSL on those pages. Those will give you clues about how to fix whatever is not loading properly and why.

Thank again for your help.
This is what happened.
I used the console and found that the php handler was giving errors. (ckeditor.php)
I uploaded the handler from 1.5.4. but nothing changed.
Always using the console, I then found another error in the ckeditor.js
Uploaded ckeditor.js from 1.5.4
Nothing changed, but it got even worse because also the editor's frame disappeared and ckeditor did not work anymore even without ssl.
Uploaded from a back up on one day before the whole editor folder and magically both editors started working again with ssl active.
Probably the problem was a corrupted file, but:
It sounds very strange to me that the file got corrupted right after setting ssl for the admin.
It sound even strange that the file corruption interested only the ssl setting and not the plain setting given that it did work perfectly switching form ssl to plain.
Software mistery....:shocking:
P.S. While typing my brain was knocking at me and I realized that it could be a cache problem. I can not tell exactly but I am shure I cleaned the cache at a point in the process above, but I am also sure I cleaned it even before starting using the console.
Opinions welcome!!!!
Ciao from Italy
enzo

Thanks for reporting back that re-uploading the plugin's files resolved the problem.

I have added also what follows to avoid continuous requests to change admin passwords at login.
RewriteCond %{REQUEST_URI} !^/youradmin(/|$)
so, all in all the .htaccess, in order to have everything working correctly, got the following lines:

#Redirect all to https but anyotherfoldertoexclude and youradmin
RewriteCond %{REQUEST_URI} !^/anyotherfoldertoexclude(/|$)
RewriteCond %{REQUEST_URI} !^/youradmin(/|$)
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]

Ciao from Italy
enzo

Quote:

---

Originally Posted by enzo-ita

I have added also what follows to avoid continuous requests to change admin passwords at login.

---

If using SSL is causing you to get password-change required repeatedly then your site is NOT properly using "only SSL" for the Admin ... which suggests that you've got incorrect rewrites that are switching it incorrectly into non-SSL before going to the actual URL.

And with v1.5.5 the admin operates entirely in SSL if you give it an SSL URL ... doesn't flip back and forth with any NON-SSL at all. (same as setting HTTP_SERVER to an https URL and setting ENABLE_SSL_ADMIN to 'false')

TKS.
By now I will live with the .htaccess mods I made.
Soon I will switch to 1.5.5 (as soon as I will be happy with the FEC plugin mods that I am doing) and I think alla theproblems will disappear because I am plannig to go to 1.5.5 treating it as new install.
Ciao ciao
enzo

DONE!
I am very happy to tell you all that finally 1.5.5a is on line!
For a small business like mine and considering I do no use any web agency neither programmer or graphic (I do all on my own, with the precious help of this forum) it is a real success.
I still have a problem though and it is related to ssl

I have set HTTP server as https and to false in both store and admin.
I did not like the fact that if I call http://www.acquat ua.it it does not go directly to https://www.acquat ua.it so I mde a mod to the htaccess like follows
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]
This actually did the job and also non https request is redirected to https Yeah! but...
If I let the htacces as above, livelizza would not allow to login, if I disable the two lines livezilla will login perfectly.
Now for the questions:

As far as the big G and others are involved, is it important that http is redirected to https since the first page?
If what above is true, how can I make livezilla login even with http redirected to https?

Note that in the livezilla serve admin I have set the server to be https and the port 443.

It is not a mjor problem but I have started this migration with the ami to create the best possible setting and this is bothering me.

Thanks for help.

ciao from Itlay
enzo

No problem I solved also the livezilla incident.
I had two servers configuration set and it was trying to login to the http while htacce was redirecting to https therefore trowing an error.
Deleted the http and set the https as default now it works.
However, thanks again to everyone for the precious help.
I'll be waiting 1.6.0....:cool::laugh::lookaroun

All-in-all congratulations on getting setup and going. Good work!

Hopefully you will continue to visit and support others on their journey!

Thanks for the congrats.
I do not feel that I am capable to support anyone since I need support myself!
However I will certainly be visiting the forum regularly.
Ciao ciao
enzo

Quote:

---

Originally Posted by enzo-ita

Thanks for the congrats.
I do not feel that I am capable to support anyone since I need support myself!
However I will certainly be visiting the forum regularly.
Ciao ciao
enzo

---

We all do at one time or another need support. Wouldn't be much of a community if that didn't exist. I'm sure there is something you have learned along this journey that could help the next individual with similar ttroubles. A link to a post or FAQ, how you resolved the same thing, maybe even a gentle nudge to provide more related information. In the long run such assistance is likely to help you get to know ZC even more. :)

Hope you have a good weekend and keep reading!

Hi guys.
I am bringing u this thread because I am desperate.
Since when I switched to SSL for the whoel site my sales dropped to about 30% of last year after seve year of constant sales increase year over year but even month to month.
I know this may sound dumb and it should be impossible but I have really watched out all I know, checked and checked twice, statistics, adwords, analytcs and alla the other tools available. The only real connection to this drop seems to be the switch from non ssl to ssl (ssl for check out was there also before)
I wonder if I may have done something wrong.
Please let me know your opinion about.
Thanks

Quote:

---

- ENABLE_SSL should be set to 'false' (because ENABLE_SSL is only set to 'true' when you want ZC to switch back and forth between http and https for certain secured pages)

---

I don't find this nugget documented ANYWHERE else...in fact after spotting it last week it took me ages to find this post again to recheck it (doing this on my site caused a bug to surface https://www.zen-cart.com/showthread....93#post1319093).
The faq/tutorial needs to be updated with this info.

BUMP

Quote:

---

ENABLE_SSL should be set to 'false' ...
The faq/tutorial needs to be updated with this info.

---

Although I knew this nugget of information existed it still took me too long to find it again.

It should be referenced in the other common places Google throws up for SSL searches:

https://www.zen-cart.com/showthread....25#post1325325
https://www.zen-cart.com/entry.php?8...Back-and-Front
https://www.zen-cart.com/content.php...alled-zen-cart

As a result of discussions in a handful of other threads not quoted here, I've updated my earlier post with an additional note:

*NOTE: Some people have reported that setting ENABLE_SSL to 'false' in this case may cause confusion to some payment module configurations which expect SSL and rely on the ENABLE_SSL setting to confirm it. Thus, in some cases it may still be wise to leave ENABLE_SSL set to 'true' even when using https on all pages.