How to force SSL on certain pages?

Permalink
I want to install SSL on an existing 5.7 site, (I have an SSL certificate). I only really need it on a couple of pages with forms/payment buttons but I'm not sure of the pros/cons of forcing the whole site to be https. I guess it is no big deal if everything is https, but is it necessary or recommended?

I've read a few posts on the forum but none are simple and idiot-proof, it seems this question has been asked by several people but there's not a consensus on the answer! There's a 'Force SSL' add-on available for versions prior to 5.7 which looks like it would do what I want, but no 5.7 version

Could someone please tell me in words of one syllable what I should add to the htaccess, or the canonical URL fields to get this to work? I would hate to end up breaking the site layout etc. - other people seem to have struggled.

Most relevant post seems to be this one but maybe there's a better one?
https://www.concrete5.org/community/forums/5-7-discussion/concrete5....

Many thanks

prestressed
 
CMSDeveloper replied on at Permalink Best Answer Reply
CMSDeveloper
Hello,

The problem with SSL on certain pages is indeed mixed content errors.
The is because some files/images are cached on page 1 as http, and the same cached files has to be served on page 2 as https.

It has (or is it already?!) become standard to secure a (whole) site with SSL certificate.
Google (and other) ranks you higher when using a secured site.

Canonical URLs setting:
Dashboard > System & Settings > URLs and Redirection.

use : https:// (www.yourdomain.io)
prestressed replied on at Permalink Reply
prestressed
As mentioned by other posters, that won't work as you just get an error saying
The canonical URL provided must start with "http://".
CMSDeveloper replied on at Permalink Reply
CMSDeveloper
Hmmm... I installed a subdomain to test this.
http://<removed>
Just works out of the box, no problems!
I did not set a "Canonical (or SSL) URL" in my setup.

Did first setup the domain with a SSL certificate (Directadmin) and than used Installatron
to install Concrete5 in the subdomainhttp://<removed>
Maybe Apache sets some extra rules in the VirtualHost settings for the domain.

To force site from http to https
Added a htaccess(.zip) file example:
https://www.concrete5.org/download_file/-/99089/htacces.zip...
Or copy and paste this code blok to your .htaccess file.
Do not forget to set the right domain name first!!

##############################################################################
# For Concrete5  v5.6.x.x / v7.x.x /  v8.x.x 
# Last updated: 11/11/2017
# Add/remove "#" to Enable/disable a rule!
# Question? / Help?
# Post here:https://www.concrete5.org/community/forums/customizing_c5/how-to-for...
###############################################################################
<IfModule mod_rewrite.c>
RewriteEngine On
# Force www. in url.      
#RewriteCond %{SERVER_PORT} ^80$
#RewriteCond %{HTTP_HOST} ^domain.com$ [NC] #EDIT
#RewriteRule ^.*http://www.domain.com%{REQUEST_URI}... [R=301,L] #EDIT
# Force global SSL.
RewriteCond %{SERVER_PORT} !^443$



Do you have a url? to have a look at your site?

btw.
Is your C5 installation in the root or subdirectory?
prestressed replied on at Permalink Reply
prestressed
Thanks, I really appreciate your reply.
(though your code block is for Concrete5 v8.2.x and I'm on 5.7?)

I ended up just editing the /application/config/generated_overrides/concrete.php
as suggested on the other thread, like this:

'seo' => array(
        'canonical_url' => 'https://www.mysiteurl.org.uk',
        'canonical_ssl_url' => 'https://www.mysiteurl.org.uk',
        'redirect_to_canonical_url' => 1,
        'url_rewriting' => 1,
    ),


but I didn't edit the .htaccess at all, and as far as I can tell it seems to be working fine. Everything now appears with https in the browser.
If the canonical URLs are set through concrete.php, is there any need to add any lines to the .htaccess?
My .htaccess still just reads

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME}/index.html !-f
RewriteCond %{REQUEST_FILENAME}/index.php !-f
RewriteRule . index.php [L]
</IfModule>
CMSDeveloper replied on at Permalink Reply
CMSDeveloper
Hi, real nice to hear, you worked it out:)

The .htaccess you are using is the standard rules for "Pretty URL's", there good:)

The codeblock i provided has not changed from v7 to v8.
In case you not get the auto redirect to https:// and orhttp://www.
You can use the redirect rules for www / SSL for your version without problems.

.
cmerritt replied on at Permalink Reply
cmerritt
I have found one small issue with this htaccess.
*https://mydomain.com does not redirect to *https://www.mydomain.com
This has been cause for concern from a clients SEO specialist.

Colin
jasteele12 replied on at Permalink Reply
jasteele12
www. may actually dilute your brand name, but as long as the 301 (permanent) redirect is there and you have a sitemap.xml generated Google will have no problem with the changeover.

If they insist, here's where the magic happens (change domain.com of course):
# Force www. in and SSL     
RewriteCond %{SERVER_PORT} ^80$
RewriteCond %{HTTP_HOST} ^domain.com$ [NC]
RewriteRule ^.* https://www.domain.com%{REQUEST_URI} [R=301,L]
Maybe you are missing the space between ^.* and https

You also need this to happen *before* the concrete5 pretty URLs.

Here's what I do to remove www. and force SSL on *any* domain name (portable):
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
    # -- force SSL and remove wwww
  RewriteCond %{HTTP_HOST} ^www\. [NC,OR]
  RewriteCond %{HTTPS} off
  RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
  RewriteRule ^ https://%1%{REQUEST_URI} [R=302,L,NE]
    # concrete5 Pretty URLs
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME}/index.html !-f
  RewriteCond %{REQUEST_FILENAME}/index.php !-f
  RewriteRule . index.php [L]
</IfModule>
The last RewriteRule above may be different depending on your hosting.
juddc replied on at Permalink Reply
juddc
Hey there - are you saying that if the Pretty URLs redirect is in the .htaccess file BEFORE the HTTPS rewrite rule then concrete will serve up mixed content?

I'm having a ton of trouble on one site with mixed content and can't figure it out.

From my error console I get:
Mixed Content: The page at 'https://www.mydomain.com/our-creations/turnkey-backyards/family-fun' was loaded over HTTPS, but requested an insecure image 'http://www.mydomain.com/application/files/cache/65bd7bd2446f74dc20c5152e12593443.jpg'. This content should also be served over HTTPS.

Edit - This is happening on concrete 8.1