2010/11/16 7:02:09
|
---|
|
Re: Concerns about the use and lack of use of HTTPS with ICMSDavid
Where does that code go? Into what file? An .htaccess file or an ICMS file? If htaccess, I assume I have to apply that code to the stuff posted by Vaughn in the reply previous to this? Getting terribly confused now |
2010/11/16 10:25:23
|
---|
|
Re: Concerns about the use and lack of use of HTTPS with ICMSDoing a little trolling, Erol? Is that really necessary?
|
2010/11/16 15:03:56
|
---|
|
Re: Concerns about the use and lack of use of HTTPS with ICMSTed: It's in the htaccess file.
|
2010/11/18 19:24:49
|
---|
|
Re: Concerns about the use and lack of use of HTTPS with ICMSBy the way, if anyone is looking for free/cheap SSL certificates:
* Startcom offers free certificates, but I've had problems installing their intermediate certificates on the server. * Comodo has a free 3 month trial, which is relatively painless to get going. * Namecheap resells RapidSSL certificates for $11. Kind of shocked at how much some companies want for what is essentially a text file full of random junk, blessed by their text file full of random junk :) |
2010/11/19 13:26:18
|
---|
|
Re: Concerns about the use and lack of use of HTTPS with ICMSI am in the process of buying one from InstantSSL - their intermediate certificates are about £50-90 a year. I'm buying one for two years to start with at a cost of £150 or so.
Ted |
2010/11/19 16:05:08
|
---|
|
Re: Concerns about the use and lack of use of HTTPS with ICMSGuys
Whilst going through the task of buying a proper SSL Cert, I've created a self-signed one on my beta for testing of the long term aim of converting my whole site to https. I've discovered two things : 1) Changing the path in mainfile.php from http://www.mysite.com to https://www.mysite.com doesn't appear to be working. All the menu links etc still point to http://... Have tried deleting cache and templates_c but no change? Am I doing something wrong or is the http bit generally ignored and only the domain actually used? 2) (and more worryingly) - when a site is turned off, the "Site closed..." message appears fine for http://www.mysite.com, but all an anonymouse user has to do to access the 'closed' site is change http to https and they are shown the whole thing! Again, is this me or is this deliberate? I guess a site without a https cert will give an invalid page, but any site that does have one, it seems that this is a way to bypass the "Site closed" setting? Ted |
2010/11/19 17:59:00
|
---|
|
Re: Concerns about the use and lack of use of HTTPS with ICMSRe. 1, there's a hard-coded http in the file theme_blocks.php that needs to be changed, see this thread
For the second thing, see the .htaccess stuff in post #16 and 20, that bounces people back onto https if they try to access the site via http. I have it installed and can't reproduce the problem. Might be worth checking your site preferences too in case the anonymous user group is set as allowed to access the site when it is turned off. |
2010/11/23 9:25:28
|
---|
|
Re: Concerns about the use and lack of use of HTTPS with ICMSGuys
OK - I've copied the latest theme_blocks.php file overwriting my older version (as it's obviously been added to the latest ICMS ver and yes, I will upgrade from .2 to .3 soon). I've changed the path in mainfile to https... and that works a treat. All the URLs automatically go to https. Trouble is I am struggling applying the htaccess stuff that David posted so users can still access http versions of https content, including, for example, when they get to the site from Google that links to http version so the homepage at least is, by default, set to http until they click on one of the links on the site - I can't rely on users to do that. I share the server with Brashquido and I'm sure he has enabled ISAPI-rewrite but I don't know how to use it. I will ask him via e-mail unless you guys know an easy way to apply that code using IIS7 and Win 2008. Ta Ted |
2010/11/23 10:24:11
|
---|
|
Re: Concerns about the use and lack of use of HTTPS with ICMSGive this a look http://bit.ly/d9wDYj
|
2010/11/23 11:46:37
|
---|
|
Re: Concerns about the use and lack of use of HTTPS with ICMSThanks mate - a very useful and in depth article.
I have just searched Brashquido's own website in fact and found, ironically enough, an article titled "Redirect HTTP to HTTPS with IIS 7": http://www.iis-aid.com/articles/how_to_guides/redirect_http_to_https_iis_7 Looks quite straight forward and easier solution than the htaccess file system, perhaps? I will try it later when I can get an FTP connection. Ted |
2010/11/23 13:39:59
|
---|
|
Re: Concerns about the use and lack of use of HTTPS with ICMSnice. not heard from brash in a long while. let us know how u get on with it in case others want to achieve this on iis.
|
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together! |
2010/11/23 13:48:39
|
---|
|
Re: Concerns about the use and lack of use of HTTPS with ICMSHaving had a go at Brashquidos way, I got nothing but 500 errors so I must have been doing something wrong somewhere. I tried adding extra tags (<rewrite><rules><rule></rule></rules><rewrite>) but nothing worked.
I found another way having Googled a bit more. I read that the URL Rewrite feature of IIS7 can accept Apache .htaccess files. So I copied the .htaccess code provided by you guys and edited it for mysite site as follows :
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.mysite.org.uk/$1 [R,L]
RewriteCond %{HTTP_HOST} ^mysite\.org.uk
RewriteCond %{HTTPS} =on
RewriteRule .* https://www.%{SERVER_NAME}%{REQUEST_URI} [R,L]
RewriteCond %{HTTP_HOST} ^mysite\.org.uk
RewriteCond %{HTTPS} !=on
RewriteRule .* http://www.%{SERVER_NAME}%{REQUEST_URI} [R,L]
I pasted it into the URL Rewrite system for my website in IIS7. Got all ticks. Now, if you try to visit a http part of mysite you get redirected to https. I've now re-added php file from the new version of ICMS (class/theme_blocks.php) so that my site uses https by default anyway, but now, in theory, if anyone tries to use the non https site they should be forced back to https? Seems to be the case. I will report back once I've tested it all. I do have one question though. IE reports that my home page contains both secure and non-secure items and asks the user if they want to display the non-secure items. Firefox has a red exclamation mark over the padlock. Yet I visited the TT Soft website owned by a fellow ICMS user of this thread who has done similar thing but his website does not get that warning ( http://community.impresscms.org/modules/smartsection/item.php?itemid=490). How come? If both sites use ICMS, why does mine use some non-secure content even when visited entirely over https? I might add that if a user navigates to any other area of the site the blue approved certificate light lights up in Firefox, whereas when accessing the homepage, it does not. Have I not applied the certificate correctly? Maybe you guys could look for me? It's HERE Ted |
2010/11/23 14:19:47
|
---|
|
Re: Concerns about the use and lack of use of HTTPS with ICMSMight be wrong - but could it be some of the links go to http:// pages ? such as the wf-channel one in the top paragraph?
Try changing all the links for the same site to the https version |
2010/11/23 14:21:47
|
---|
|
Re: Concerns about the use and lack of use of HTTPS with ICMS(must be tired - had to retype the above text about 4 times before it made any sort of sense!)
|
2010/11/23 17:20:58
|
---|
|
Re: Concerns about the use and lack of use of HTTPS with ICMSDo you have any images or scripts being pulled from an external non-https site, like Adsense or some other bit of javascript? That will give you that kind of warning.
|
2010/11/24 0:46:42
|
---|
|
Re: Concerns about the use and lack of use of HTTPS with ICMSYes guys - it was due to the xhld0 RSS News Feed module. I had a recent news block on the homepage. Since removing that, it all seems to be OK and the error is only received if the user chooses to navigate to that module from the menu.
So, I think I'm there - https all the way! Many thanks for all your helps guys - couldn't have done it without you Ted PS - if anyone wants the IIS URL Rewrite code as interpreted by it of Davids htaccess code, just PM or e-mail me and I'll paste it back. |
2010/11/24 11:26:14
|
---|
|
Re: Concerns about the use and lack of use of HTTPS with ICMSCredit to Aphex for the original htaccess code
|