Using SSL over full site (not just on checkout)

[Odettes]

I prefer to run my site in SSL mode the whole time, not only on the checkout pages.
Is it enough to just change the Store URL in configure/security/system settings to https://mydomain.com or do I also have to select the SSL Enabled box?

Any known problem when using SSL all over the site(I read in some post there where some problems with custom urls that changed to like /category=15&product=12)?

[mazhar]

I think you will have to specify the secure path in App_data/ssl.config file. Try adding root directory to secure page like

Code: Select all

<directory path="/" />

[laramp]

If you use the method above it is fine for new sites. If you already have an indexed site with the search engines you need to get a 301 redirect response. Using the existing SSL feature in AbleCommerce gives you a 302 redirect response.
I just did this last week....
1. I had to disable SSL (uncheck SSL checkbox) in the admin of Able Commerce version 7.0.7,
2. change the URL to 'https' in the Domain box instead of http
3. Add this to the web.config:

Code: Select all

<rule name="HTTP to HTTPS Redirect" stopProcessing="true">  
<match url="(.*)" />  
<conditions>  
<add input="{HTTPS}" pattern="off" />  
</conditions>  
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />  
</rule>

4. Make sure all your internal links have https or use relative links,
5. check all styles sheets and images for references to http ...and change those to https
6. Make sure any CDN references have https or //:example.com
7. Change the Sitemap.xml URLs to https
8. If you hard coded Canonical refs change those to https
9. Go to Google webmaster tools and set up a new site definition for https... do this for Bing and Yahoo too
10. Submit a new Sitemap.xml to Google with the new https URLs.
11. Check robots.txt for http and change it to https... if need be.
12. Check your crawl for error with numerous free tools... watch for 301 redirects. that is what you want.
Within a few days it started switching over in Google and the page rank did not drop.
using IIS 7.5 windows 2008 R2 server

Hope it will help someone else!

[Katie]

Good info. Appreciate you taking the time to help anyone else with the same issue.

Thanks Larry!

[Odettes]

Very useful information, thanks laramp!

[laramp]

You are welcome.... One more thing.... If you have URL forwarding at the domain registrar in your DNS settings... make sure you change that to https too!

[rmaweb]

Thank you for the info! Over the next few years Google is probably going to be looking to have everyone use HTTPS all of the time. Especially with all of the hacking going on lately.

http://googlewebmastercentral.blogspot. ... ignal.html

[laramp]

You are right. They said over time that may be one of their factors in page / site rank. Good to get a jump on it. Check your server to make sure it is also protected and using TLS v1.1 and v1.2.
Ssllabs.com can test it for free... Here is their recommendations
https://www.ssllabs.com/downloads/SSL_T ... ctices.pdf

[jguengerich]

I think you will have to specify the secure path in App_data/ssl.config file. Try adding root directory to secure page like

Code: Select all

<directory path="/" />

I want to try using SSL on the whole site as well. If I change my ssl.config from this:

Code: Select all

		<directory path="api" />
		<directory path="admin" />
		<directory path="app_themes" state="Ignore" />
		<directory path="assets" state="Ignore" />
		<directory path="checkout" />
		<directory path="members" />
		<directory path="mobile/checkout" />
		<directory path="mobile/members" />
		<directory path="scripts" state="Ignore" />
		<directory path="webcharts" state="Ignore" />
		<file path="login.aspx" />
		<file path="mobile/login.aspx" />
		<file path="members/mywishlist.aspx" state="Ignore"/>
		<file path="passwordhelp.aspx" />

to just the line mazhar posted, SSL is not used anywhere. I even tried:

Code: Select all

<directory path="/" recurse="true" />

Is there something else I have to do?

EDIT: I should have mentioned that it works correctly with the individual directories and files I had originally; those directories (including subdirectories) and files use SSL. The "SSL Enabled" setting is checked.

[jguengerich]

Bump. Re: the previous post, I'm using R5.

[mazhar]

It seems like the suggestion I gave is not working in Gold. Can you try the solution posted by laramp?

[jguengerich]

It seems like the suggestion I gave is not working in Gold. Can you try the solution posted by laramp?

That solution works, but using ssl.config sure would be easier. Is there any source code change I could do to make it work? I looked around in the code some, but I wasn't able to find anything that looked like it was parsing the ssl.config file.

[Katie]

We've logged a feature request to see if we can add this to our next release without too much trouble. I believe the SSL code might be in the licensing module, because there is a separate licensed domain field if you have a different domain for your SSL certificate.

[jguengerich]

Thanks Katie, that's what I was guessing. Assuming it is in the licensing module, and you do change it so "/" works in ssl.config, would we have to upgrade the whole site to R11, or could we just use the new licensing module with R5? We have a heavily modified members-only site, and upgrading would be a significant task. (I've been keeping an eye on the release notes, and so far I've been able to implement the few security-related fixes I've seen mentioned that apply to features we are using by copying the appropriate web and source code from the respective release).

[Katie]

I'm not sure as of yet. In the request that was opened, we're going to investigate why the ssl.config isn't working the way it did in version 7. Any changes that are made in the licensing module would not be backwards compatible. This is the code that looks at versions and subscription dates, etc.

[jguengerich]

OK, I'll just wait to see what happens with the next release then. If it ends up being a licensing module change, we'll just have to use the solution above, or "bite the bullet" and upgrade.