Admin not working after adding custom mod_rewrite to .htaccess

[quit]

I got someone to help me with my .htaccess file because I was getting security warnings or an open index when someone would type in http://mysite.com and similar.

This was added to my htaccess:

RewriteEngine On
RewriteCond %{SERVER_PORT} !443
RewriteRule (.*) https://secure.mysite.com/ [R]

I had some serious problems with even getting SSL on my site because I used a free SSL cert (DV class 1 from StartCom) that apparently does things a little weird. (That is what my hosting company said anyhow, but I don't know if that is relevant).

I had followed one guide that says in order to be PCI compliant you need to change the HTTP_SERVER line in configure.php to your https address. This was before doing any changes to the htaccess file, and my admin pages after logging in would still end up going to http...

Now, after doing the htaccess changes my shop appears to work fine and stay in https, the login and first admin page work fine and are in https, but when I try to do anything in the admin I get redirected to my shop's main page.

We had tried doing the htaccess a different way at first and only later realized that I was putting the htaccess in the wrong folder... so the only thing I can think of now would be to go try that method.. but it seemed like my Zen Cart setup was wrong int he first place. This is what my /admin/includes/configure.php file looks like now and the /includes/configure.php is similar

define('HTTP_SERVER', 'https://secure.mysite.com');
define('HTTPS_SERVER', 'https://secure.mysite.com');
define('HTTP_CATALOG_SERVER', 'https://secure.mysite.com');
define('HTTPS_CATALOG_SERVER', 'https://secure.mysite.com');

// Use secure webserver for catalog module and/or admin areas?
define('ENABLE_SSL_CATALOG', 'true');
define('ENABLE_SSL_ADMIN', 'true');

Maybe I could add those three lines above to the different htaccess in the admin folder too..

Thanks all for help =)

[Website Rob]

Your 'https' in the /admin/includes/configure.php file are correct and all you need for what you want. Remove the redirection from the Admin .htaccess file and problem should be solved.

[quit]

I never added anything to the admin .htaccess and I don't see it redirecting, but then the code doesn't make much sense to me.

I was more thinking that I might have to add the 3 lines ModRewrite from the other htaccess to it.

edit: For some reason it is working now and I didn't change anything. I wasn't sure if I should have both of the ENABLE_SSL_.. lines set to true because it was not addressed in whatever guide I had read so thanks for the help.

[DrByte]

The RewriteRule you've used is forcing your ENTIRE site into https ... even the pages that don't need it. That generally slows down the visitor's experience, and can be confusing if they're not understanding why all the pages are encrypted. That's something one would normally only see if there was highly confidential data being displayed at all times, or on a bank website. If that's not your situation, then you should probably reconsider the approach you've taken, as it's highly unconventional.

[quit]

I see your point, but I have no clue how to get my admin panel to work otherwise. I expected the whole admin panel to stay in https when I put in the https URL into HTTP_SERVER but that didn't work.

My pages are loading fast at least before I have much in the way of images. Since I have no clue how to get it to work otherwise, it seems better than spending even more days on just getting SSL to work.

These horrid links like https://secure.mysite.com/index.php?...enid=xxxxxxxxx are driving me crazy too. I see a canonical links module but it says it is for 1.3.8a

Actually I just found this guide: ksblog.org/index.php?q=zen-cart-seo-canonical-tag-support so apparently I should be able to easily fix that.

I don't know.. I don't think people pay attention to much related to SSL besides.. getting an untrusted error or maybe noticing that a lock icon either does or does not appear in their browser.

I doubt many people are really going to investigate what class of SSL certificate I have or put thought to why all of my pages are secured. Things like gmail and facebook are all in https, so it doesn't seem to me that people will take it as that weird. Thanks for the advice though and I would like to fix this if there is an easy way.

[schoolboy]

You seem to have spent scores (if not hundreds) of hours fiddling about with this.

If you install your site on a reputable host, buy a dedicated IP and SSl cert, you can get on with the more important task of running your business, selling products and making profits.

To me, this is more important than messing about with dubious code solutions to a problem that would not be there if things were being done properly.

[DrByte]

I expected the whole admin panel to stay in https when I put in the https URL into HTTP_SERVER but that didn't work.

Indeed it does work, provided that you supplied the appropriate paths etc. If you're getting non-https URLs after specifying only https then clearly the changes you made didn't get saved properly. It's very common that people find their settings aren't "working" simply because the file was set to read-only before they tried to save their changes to it, and they didn't notice that the changes did not actually get saved ... and then they say it didn't work.

Additionally, if you've got incorrect rewrite rules setup in .htaccess then you're going to have unpredictable results. And, as I said previously, I think you've got a weak set of rewrite rules ... and they're all potentially completely unnecessary.

These horrid links like https://secure.mysite.com/index.php?...enid=xxxxxxxxx are driving me crazy too.

"horrid links"? Please explain.

I see a canonical links module but it says it is for 1.3.8a

Canonical links are built-in to v1.3.9

[quit]

I have a dedicated IP and domain verified Class1 SSL cert from StartCom (recognized in 99%+ of browsers I believe). They happen to give free basic DV certs vs. most companies that charge at least $8/yr. As an afterthought yes I wish that I just signed up for a $8/yr cert because my hosting company had trouble installing the cert. My company is pretty reputable AFAIK and helpful (Midphase/ANHosting).

It's working fine for me at this point besides the perceived problem of serving every page in SSL. If I am not having slow page loads I don't see how "looking too much like a bank website" or whatever is really an issue.

I had the file permissions set correctly and verified that changes were made to my configure.php files as I saved and reopened them several times. It still didn't work. I'm thinking that whatever changes my hosting company had to make to get my cert working maybe had something to do with my weird problem, so maybe having my htaccess the way it is is the only solution. Got me.

Maybe canonical URL's are part of the 1.3.9h I have installed and I just need to follow the guide I linked earlier to make them work with my theme (allbusiness from picaflor_azul). As of right now it is still spitting out gibberish URLs.

[Vger]

Oh, maybe I'm just an old cynic, but whilst everyone loves to get a good review to get 114 out of 116 reviews with 5 Stars smells fishy to me - and one of the other two got 4 Stars. I am referring to the SSL Cert provider you used. And the reviews were so sentimentally gushing that I'd be amazed if the review providers didn't wet their pants whilst writing the reviews.

Either they genuinely are, as one reviewer said, "The best thing since sliced bread!", or they have a team of people writing and submitting some not very creative reviews.

As we always have spare domains for testing on our servers I may well get one of their free Class 1 Certs (when I have the spare time) and give it a road test.

Until then I'd recommend you get a certificate from a well-known and well-established provider of SSL Certificates.

Vger

[DrByte]

As of right now it is still spitting out gibberish URLs.

What exactly does "gibberish" mean in your dictionary?

If you're talking about the &zenid=xxxxxxxx at the end of the URL, that should normally disappear after the customer's first click. If it doesn't, then you've got a cookies/sessions/ssl configuration problem on your server that you need to fix ... which of course would be understandable given the rest of the conversation context above.