Page 1 of 1

Enable SSL for product pages (all pages)

Posted: Wed May 16, 2018 2:20 am
by owain.jones@cmc.ca
Chrome will start marking all sites "not secure" over HTTP (more detail https://security.googleblog.com/2018/02 ... -stay.html)

How can AbleCommerce GOLD be configured to server all pages over HTTPS?

I would like one folder exclude for internal API integrations, but all pages that a user can visit I would like https.

Thanks,

Owain

Re: Enable SSL for product pages (all pages)

Posted: Wed May 16, 2018 5:28 am
by jguengerich
GOLD R11 and higher has a "Secure All Pages" check box at Admin/Store/Security/Default.

Re: Enable SSL for product pages (all pages)

Posted: Wed May 16, 2018 5:50 am
by owain.jones@cmc.ca
Hi Jay,

I should have mentioned, that we are running GOLD R8. If we are not upgrading within that time is there a workaround? Do you know what that setting does (maybe it can be done manually)?

Thanks,

Owain

Re: Enable SSL for product pages (all pages)

Posted: Wed May 16, 2018 6:15 am
by jguengerich
Not sure what would be involved, here's a thread with the same question regarding R10:
viewtopic.php?f=65&t=19077

Re: Enable SSL for product pages (all pages)

Posted: Wed Jun 06, 2018 10:23 am
by Odettes
Put this in your web.config and it will force your whole site to go under SSL.

Code: Select all

<rewrite>
      <rules>
        <rule name="HTTP to HTTPS Redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>

Re: Enable SSL for product pages (all pages)

Posted: Thu Jun 07, 2018 12:01 am
by owain.jones@cmc.ca
Hi Thomas,

Thanks for the snippet. I have used rewrite to force other sites to https, but because Able does its own checks and lookups on page load I think this would cause a redirect loop. For example the home page defaults to http (e.g. http://products.cmc.ca), if I put in https manually (https://products.cmc.ca/) it automatically redirects back to http.

Do you know if we can use the Able managed way by editing App_Data\ssl.config so it applies to all pages? If not all pages at least product pages?

Thanks,

Owain

Re: Enable SSL for product pages (all pages)

Posted: Thu Jun 28, 2018 6:39 am
by Odettes
owain.jones@cmc.ca wrote:Hi Thomas,

Thanks for the snippet. I have used rewrite to force other sites to https, but because Able does its own checks and lookups on page load I think this would cause a redirect loop. For example the home page defaults to http (e.g. http://products.cmc.ca), if I put in https manually (https://products.cmc.ca/) it automatically redirects back to http.

Do you know if we can use the Able managed way by editing App_Data\ssl.config so it applies to all pages? If not all pages at least product pages?

Thanks,

Owain
With the snippet I gave you there will not be any looping.
It's running on my site: traileronline.se with no problems.

Re: Enable SSL for product pages (all pages)

Posted: Fri Jun 29, 2018 6:16 am
by owain.jones@cmc.ca
Hi Thomas,

I appreciate your help, but there must have been some change between R8 (what we are running) and R11 (what you are running from your signature).

I tried this and it looped as I suspected it would. Below is the Firefox console output if I request http or https, infinite loop:

http://products.cmc.ca/
[HTTP/1.1 301 Moved Permanently 0ms]
[Show/hide message details.] GET
http://products.cmc.ca/
[HTTP/1.1 301 Moved Permanently 0ms]
[Show/hide message details.] GET
https://products.cmc.ca/
[HTTP/1.1 200 OK 11ms]
The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol. products.cmc.ca
Navigated to http://products.cmc.ca/
[Show/hide message details.] GET
http://products.cmc.ca/
[HTTP/1.1 301 Moved Permanently 0ms]
[Show/hide message details.] GET
https://products.cmc.ca/
[HTTP/1.1 200 OK 3ms]
The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol. products.cmc.ca
Navigated to http://products.cmc.ca/
[Show/hide message details.] GET
http://products.cmc.ca/
[HTTP/1.1 301 Moved Permanently 0ms]
.............

Do you know if you made any other configuration change to stop the Able http/https processing?

Thanks,

Owain