Forcing HTTPS

Hello

Can anyone advise us with the following please?

We host two modx sites to which we have just applied ssl certificates.

They are acting slightly differently.

The first appears fine as both http and https and is here:

http://restauranttwenty2.co.uk
and
https://restauranttwenty2.co.uk

For this site we are struggling to get the code right which we add to the .htaccess file to force the site to redirect to the https version.
We have tried various but get "too many redirects" amongst other errors.

The second site appears different for the https than it does for the http version as there is an issue with the mixed content and is here:

http://edgarhouse.co.uk/
and
https://edgarhouse.co.uk/

For this site we are struggling to address the missed content issue and as with the first site to get the code right which we add to the htaccess file to force the site to redirect to the https version.
We have tried various but get "too many redirects" amongst other errors.


Any advice with these issues would be much appreciated.

Many thanks

Be sure the server_protocol System Setting is set to https. Also, remember that Apache makes multiple passes through the .htaccess file.

The "Too Many Redirects" error usually means that you have a rewrite rule that undoes another rewrite rule. Or that the rewrite condition above a rule is still met after the rewrite rule is applied.

Putting the [L] flag after a rule means that no rules below it will be applied on that pass.

This is what I have to force https (it assumes that your server uses port 447 for secure requests):



I have that just above the "Friendly URLs" section of .htaccess.

Hello Bob

Thanks very much for your reply, I appreciate it.

The server_protocol setting is set to https in the database

I added the code below just above friendly url section:

# Rewrite
secure requests properly to prevent SSL cert warnings, e.g. prevent
# https://www.domain.com when your cert only allows
https://secure.domain.com
RewriteCond %{SERVER_PORT} !^443
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI}
!^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule (.*) https://restauranttwenty2.co.uk/$1 [R=301,L]

I get an error on the front end of the site:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.
Apache/2.4.37 (Unix) Server at restauranttwenty2.co.uk Port 80

My .htaccess would now look like this with the code:

# MODX supports Friendly URLs via this .htaccess file. You must serve web
# pages via Apache with mod_rewrite to use this functionality, and you must
# change the file name from ht.access to .htaccess.
#
# Make sure RewriteBase points to the directory where you installed MODX.
# E.g., "/modx" if your installation is in a "modx" subdirectory.
#
# You may choose to make your URLs non-case-sensitive by adding a NC directive
# to your rule: RewriteRule ^(.*)$ index.php?q=$1 [L,QSA,NC]

RewriteEngine On
RewriteBase /

# Rewrite www.domain.com -> domain.com -- used with SEO Strict URLs plugin
#RewriteCond %{HTTP_HOST} .
#RewriteCond %{HTTP_HOST} !^example-domain-please-change\.com [NC]
#RewriteRule (.*) http://example-domain-please-change.com/$1 [R=301,L]
#
# or for the opposite domain.com -> www.domain.com use the following
# DO NOT USE BOTH
#
#RewriteCond %{HTTP_HOST} .
#RewriteCond %{HTTP_HOST} !^www\.example-domain-please-change\.com [NC]
#RewriteRule (.*) http://www.example-domain-please-change.com/$1 [R=301,L]



# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent
# https://www.domain.com when your cert only allows https://secure.domain.com
#RewriteCond %{SERVER_PORT} !^443
#RewriteRule (.*) https://restauranttwenty2.co.uk/$1 [R=301,L]

# Rewrite
secure requests properly to prevent SSL cert warnings, e.g. prevent
# https://www.domain.com when your cert only allows
https://secure.domain.com
RewriteCond %{SERVER_PORT} !^443
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI}
!^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule (.*) https://restauranttwenty2.co.uk/$1 [R=301,L]

# The Friendly URLs part
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]



# Make sure .htc files are served with the proper MIME type, which is critical
# for XP SP2. Un-comment if your host allows htaccess MIME type overrides.

#AddType text/x-component .htc



# If your server is not already configured as such, the following directive
# should be uncommented in order to set PHP's register_globals option to OFF.
# This closes a major security hole that is abused by most XSS (cross-site
# scripting) attacks. For more information: http://php.net/register_globals
#
# To verify that this option has been set to OFF, open the Manager and choose
# Reports -> System Info and then click the phpinfo() link. Do a Find on Page
# for "register_globals". The Local Value should be OFF. If the Master Value
# is OFF then you do not need this directive here.
#
# IF REGISTER_GLOBALS DIRECTIVE CAUSES 500 INTERNAL SERVER ERRORS :
#
# Your server does not allow PHP directives to be set via .htaccess. In that
# case you must make this change in your php.ini file instead. If you are
# using a commercial web host, contact the administrators for assistance in
# doing this. Not all servers allow local php.ini files, and they should
# include all PHP configurations (not just this one), or you will effectively
# reset everything to PHP defaults. Consult www.php.net for more detailed
# information about setting PHP directives.

#php_flag register_globals Off



# For servers that support output compression, you should pick up a bit of
# speed by un-commenting the following lines.

#php_flag zlib.output_compression On
#php_value zlib.output_compression_level 5



# The following directives stop screen flicker in IE on CSS rollovers. If
# needed, un-comment the following rules. When they're in place, you may have
# to do a force-refresh in order to see changes in your designs.

#ExpiresActive On
#ExpiresByType image/gif A2592000
#ExpiresByType image/jpeg A2592000
#ExpiresByType image/png A2592000
#BrowserMatch "MSIE" brokenvary=1
#BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1
#BrowserMatch "Opera" !brokenvary
#SetEnvIf brokenvary 1 force-no-vary

Thanks again for your reply and advice.

Hello Bob

Please ignore my last post as I have made some progress.

The hosting company suggested adding:

RewriteEngine On
RewriteBase /

RewriteEngine On
RewriteCond %{ENV:HTTPS} !=on
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

After which the restauranttwenty2.co.uk/ site seems to redirect fine.

The only issue I have left is that although the http://edgarhouse.co.uk/ now redirects to https I still have the mixed content.

I have changed the server_protocol setting is set to https in the database but must be missing something.

Thanks again or your help.

Hello Bob

Sorry for a further post.

It seems the issues with the mixed content are as below:

Hard Failure
A script with an insecure url of "http://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js" was loaded via the javascript file: https://edgarhouse.co.uk/assets/js/modernizr.js on line 3. The insecure URL may not be directly contained in the script file and may exist elsewhere.
You may need to contact your web hosting provider for assistance. This URL will need to be updated to use a secure URL for your padlock to return.

Soft Failure
A script with an insecure url of "http://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js" was loaded on line: 261 of https://edgarhouse.co.uk/special-offers-2.
This URL will need to be updated to use a secure URL for your padlock to return.

I am unsure how to fix this, the hosting company says it is beyond there scope.

Appreciate you may not be able to help but and advice would be appreciated.

Thanks again.

Hi,
You should cut off protocol notation, just use next simpler url prefixes (are indifferent and work for both http and https websites), there are some examples according to your code from above:


instead

and

instead


This will help with mixed content issue, just check all external urls for styles, scripts, images etc.

Hello

Thanks very much for the replies I appreciate it.

I now have no mixed content, which is great - thanks.

The site is still missing some content though, this being the main image on each page.

According to the console in firefox the following errors are present:

Loading failed for the <script> with source “https://use.typekit.net/fni3wgl.js”. edgarhouse.co.uk:34:1

ReferenceError: Modernizr is not defined[Learn More] edgarhouse.co.uk:225:1

<anonymous> https://edgarhouse.co.uk/:225

Thanks again for helping with these issues

Sorry just to add it is the fonts on the site and the gallery / images on the left hand side of each page that are not working / not appearing.

Thanks again for your help, I appreciate it.

According to this page it seems you have to call the regular js file (something like theme-min.js) before the Modernizr


https://stackoverflow.com/questions/38082814/modernizr-is-not-defined

However this link https://use.typekit.net/fni3wgl.js seems wrong, the Modernizr is possibly looking to the wrong place for the js file...

Hello

Thanks for your reply and sorry for the delay.

Does seem the type kit link no longer exists.

I will keep trying.

Thanks again for taking the time to help.