setting up configure.php in front end and admin includes/

**travbacon** · 17 Dec 2021, 10:27 PM

* WE RECOMMEND THAT YOU USE SSL PROTECTION FOR YOUR ENTIRE ADMIN:
* To do that, make sure you use a "https:" URL for BOTH the HTTP_SERVER and HTTPS_SERVER entries:

define('HTTP_SERVER', 'https://www.domain.com');
define('HTTPS_SERVER', 'https://www.domain.com');
define('HTTP_CATALOG_SERVER', 'https://www.domain.com');
define('HTTPS_CATALOG_SERVER', 'https://www.domain.com');

above is in the admin, so that is what i did, used https on all four

in the front end, i did the same thing below for both

// Define the webserver and path parameters
// HTTP_SERVER is your Main webserver: eg-http://www.your_domain.com
// HTTPS_SERVER is your Secure webserver: eg-https://www.your_domain.com
define('HTTP_SERVER', 'https://www.domain.com');
define('HTTPS_SERVER', 'https://www.domain.com');

here's my question, should i add 'https://domain.com' also? since www is redundant?

tia

**travbacon** · 17 Dec 2021, 10:43 PM

just a quick update on my reasoning is that when i type in domain.com (without the www) the main page shows not secure, only when i click any link on the site, it redirects to www.domain.com/blahblahblah and shows secure.

also i noticed when i type in www.domain.com, it initially shows unsecure until i do the above and click on a link, is there a way to go straight to secure mode when someone types in www. or without the www?

tia

**swguy** · 18 Dec 2021, 12:59 AM

> when i type in domain.com (without the www) the main page shows not secure ...

Use an .htaccess file to fix this.

# Force https
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{SERVER_PORT} 80
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

**travbacon** · 18 Dec 2021, 01:28 AM

my apologies. I worded that wrong.

when i typed in www.mydomain.com or mydomain.com, it does that. so what you wrote still will work both ways?

**mc12345678** · 18 Dec 2021, 09:23 AM

Hmmm. How to word this... does it say not secure, mixed security or do you get a page that has absolutely no formatting, just text?

It is somewhat important because, 1) some SSL certificates require the "domain" to be written a specific way (e.g. To be with *or* to be without the www. prefix), 2) if a secure page is presented with content that is not presented in a secure way will appear as unsecure. (e.g. An html tag on the page that has a parameter of src with the value beginning with http: is one possible situation.), 3) without sharing enough information for a visitor of this forum to reproduce the issue at hand, those offering support can only do so by way of guesses.

The above provided htaccess code uses two methods to evaluate the provided web address, one is to evaluate if the secure flag (HTTPS} is off the other is to look at which port is being used to provide the communication because secure communication is expected to occur outside of that port. In both cases, the webpage is changed over to be a secure version of the current request. So not sure if that answers your question of it working "both ways" or not.