AbleCommerce Team --
We have a very customized AC installation of Gold R6 and we've been waiting for the new release of the next version before updating.
However, due to the impending Google Chrome "SSL Everywhere" enforcement, we're looking for a good way to "force" SSL throughout the whole website.
Any recommendations on best-practices for doing this on R6??
Thanks!
R6 - FORCE SSL
Re: R6 - FORCE SSL
Sorry, there is no easy way to switch the store to SSL without running into the same issues we fixed when adding the feature to Gold R11, which is also PA-DSS certified by the way.
Here is a short post where the feature is discussed - viewtopic.php?f=65&t=18963&p=83512&hili ... ssl#p83512
The version you are using was released on 09/17/2013. I would not recommend waiting to upgrade.
Thanks
Katie
Thank you for choosing AbleCommerce!
http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support
Re: R6 - FORCE SSL
sfeher wrote:
AbleCommerce Team --
We have a very customized AC installation of Gold R6 and we've been waiting for the new release of the next version before updating.
However, due to the impending Google Chrome "SSL Everywhere" enforcement, we're looking for a good way to "force" SSL throughout the whole website.
Any recommendations on best-practices for doing this on R6??
Thanks!
This works great for me:
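<!-- Goes inside <system.webServer> in web.config; requires the IIS URL Rewrite module. -->
<rewrite>
  <rules>
    <rule name="HTTP to HTTPS Redirect" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <!-- Only fires for requests that arrived over plain HTTP. -->
        <add input="{HTTPS}" pattern="off" />
      </conditions>
      <!-- 301 to the same host and path over HTTPS. -->
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>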
Re: R6 - FORCE SSL
Yes, Odettes -- that's similar to what we were doing in our web.config files too....
The 'magic' was found when we eliminated the "SSL Enabled" checkbox on the Store security settings.
For some reason, in R6, that disallows SSL on regular pages. By eliminating that checkbox and using these web re-write rules we accomplished our goal.
Of course, you must ensure that all the URLs inside the site are using relative links or explicit https: calls, but that's already done in our case.
Thanks,
Steve
Re: R6 - FORCE SSL
This sounds like just the thing we're looking for. Search rankings are getting hammered by Google and probably others partly because of this.
So you
1 - add the rewrite rules to your web config
2 - Uncheck the "SSL Enabled" box in Configure - Security - System Settings
Did you
3 - Change the "Store URL" on the System Settings page to use HTTPS?
This will basically disallow any http traffic to your site, right? The problem we found was that (some, maybe all) crawlers were not able to access our sitemap or robots.txt file over HTTPS because it was being redirected to the HTTP URL but the crawler was actually interpreting the redirect command and was not looking for HTML or JavaScript so it would just throw an invalid format error on both files.
Not sure how big of a hit that was but it was definitely flagged.
We are running Gold R10 by the way... one version too early to the party. Also heavily customized so not easy to upgrade.
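A way to check the redirect behaviour discussed in this thread before crawlers find it, added here as an example and not code from any poster or from AbleCommerce: it follows the redirect chain for a URL and flags HTTPS-to-HTTP downgrades, loops and non-permanent upgrades. The host `store.example`, the function names and the response tables are constructed for illustration; in real use `fetch` would issue a request without following redirects.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def table_fetch(table):
    """Build a fetch(url) -> (status, Location) function from a dict (test double)."""
    return lambda url: table.get(url, (404, None))

def audit_redirects(start_url, fetch, max_hops=10):
    """Follow redirects from start_url; return a list of HTTPS-enforcement problems."""
    problems, seen, url = [], set(), start_url
    while True:
        if url in seen:
            problems.append(f"redirect loop at {url}")
            return problems
        if len(seen) >= max_hops:
            problems.append(f"more than {max_hops} hops from {start_url}")
            return problems
        seen.add(url)
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            break
        target = urljoin(url, location)  # Location may be relative
        src, dst = urlsplit(url).scheme, urlsplit(target).scheme
        if src == "https" and dst == "http":
            problems.append(f"downgrade: {url} -> {target}")
        elif src == "http" and dst == "https" and status not in (301, 308):
            problems.append(f"temporary redirect ({status}) at {url}")
        url = target
    if urlsplit(url).scheme != "https":
        problems.append(f"ends on plain HTTP: {url}")
    if status != 200:
        problems.append(f"final status {status} at {url}")
    return problems

# Constructed responses for a hypothetical host, not captured from a real store.
BASE = "store.example/robots.txt"
# Rewrite rule active, application no longer forcing pages back to HTTP.
FIXED = {f"http://{BASE}": (301, f"https://{BASE}"), f"https://{BASE}": (200, None)}
# Rewrite rule active while the application still sends HTTPS requests to HTTP.
BROKEN = {f"http://{BASE}": (301, f"https://{BASE}"),
          f"https://{BASE}": (302, f"http://{BASE}")}

if __name__ == "__main__":
    for name, table in (("fixed", FIXED), ("broken", BROKEN)):
        print(name, audit_redirects(f"http://{BASE}", table_fetch(table)))
```

Running the same audit over robots.txt, the sitemap and a few ordinary store pages after each settings change shows whether the rewrite rule and the store's own SSL setting are fighting each other.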