Hi,
I’m really no expert at this stuff, so forgive me if this is a stupid question.
I have configured a certificate for my website, and if I try to access using https in the URL, it works… partially. Pages load, but CSS (and I suspect JS) files do not. I’m using what I think is standard EE syntax, e.g.:
<link rel="stylesheet" type="text/css" media="screen" href="{stylesheet=sn_css/sng_style}" />
But this serves up a non-secure URL (e.g. href="http://domain/index.php?css=sn_css/sng_style.v.123435677") which apparently cannot be found. It works fine for non-secure.
The two versions are:
http://www.snowhenge.net
https://www.snowhenge.net
you can see that on the secure version resources such as images load fine, as do page templates, but style templates do not.
I’d be incredibly grateful if somebody could give me a clue
Thanks, David
Well that is definitely wrong. No URL should be using HTTP:// on a secure page, or the browser will block the request.
You probably have hardcoded http: in your templates or code.
I checked your site and the styles definitely have HTTP:
Change them to https and it will solve your problem.
You should do the same for everything actually, including images and links.
Just open the code or template and do a simple find and replace of
http://
to
https://
Loading mixed content is not allowed on secure pages. It does not hurt to load https:// on insecure pages, but the opposite is not true. If a browser detects a single insecure link or resource in a secure page, it will be blocked for security reasons.
Make sure your main URL in your EE settings is also a secure HTTPS URL under URL and Path Settings.
If your default configured URL in your EE installation is http://, then it will default to that, hence your styles are loading insecure.
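The check the reply above describes (looking at the served HTML for stylesheets and other subresources that still point at http://) and the find-and-replace it recommends can both be scripted. The block below is an added example, not part of the forum thread or of ExpressionEngine itself; the sample HTML, the hostnames (www.example.net, cdn.example.org) and the function names are constructed for illustration. It flags only attributes that cause the browser to fetch a subresource (so a plain navigation link is reported separately from blocking mixed content), and it rewrites http:// to https:// only for hosts you list, so third-party resources that may not offer TLS are not silently changed.

```python
import re
from html.parser import HTMLParser

# Tag/attribute pairs whose value the browser fetches as a subresource.
# An http:// value in one of these on an https:// page is blocked mixed content.
RESOURCE_ATTRS = {
    ("link", "href"), ("script", "src"), ("img", "src"), ("iframe", "src"),
    ("audio", "src"), ("video", "src"), ("source", "src"), ("object", "data"),
}

# Constructed sample page: one insecure stylesheet (like the one in the question),
# one insecure third-party image, one secure script and one ordinary navigation link.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" type="text/css" media="screen" href="http://www.example.net/index.php?css=sn_css/sng_style.v.1" />
<script src="https://www.example.net/js/app.js"></script>
</head><body>
<img src="http://cdn.example.org/logo.png">
<a href="http://www.example.net/about">About</a>
</body></html>"""


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url) for every subresource loaded over plain http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # handle_startendtag (for "<link ... />") falls through to this method too.
        for name, value in attrs:
            if (tag, name) in RESOURCE_ATTRS and value and value.lower().startswith("http://"):
                self.findings.append((tag, name, value))


def find_mixed_content(html: str):
    """Return the list of insecure subresource references found in the HTML."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


def upgrade_scheme(html: str, own_hosts) -> str:
    """Rewrite http://host to https://host, but only for hosts in own_hosts.

    Limiting the rewrite to your own hostnames avoids breaking a third-party
    resource whose server does not answer on 443; those are left for manual review.
    """
    wanted = {h.lower() for h in own_hosts}

    def repl(match):
        host = match.group(1)
        return "https://" + host if host.lower() in wanted else match.group(0)

    return re.sub(r"http://([A-Za-z0-9.\-]+(?::\d+)?)", repl, html)


if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}=...> {url}")
    fixed = upgrade_scheme(SAMPLE_HTML, {"www.example.net"})
    print("remaining after rewrite:", find_mixed_content(fixed))
```

Run it against a saved copy of a page (for example the HTML fetched from the https:// URL) instead of SAMPLE_HTML; anything still reported after the rewrite is a host you did not list and need to check by hand.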
Ok, thanks, I will try changing the main URL to https. I hesitated before doing it as I did not want to lose control of the site…
(I already had one scare yesterday when trying an auto update for the first time on a Production site triggered a mod_security rule and blocked my domain. It’s quite a while since I got out of coding professionally, so keeping up with the tech just to run my silly amateur website is a little stressful 😊 )
Don’t worry about that, even if your certificate is invalid or expired, you can still access a page. Just ignore the browser warning and click accept. That way you can always access the control panel, even with an invalid certificate and fix the error.
My advice is just to use HTTPS for everything in your code and forget about HTTP altogether. Don’t try to have both http and https, as browsers will clearly warn the user about HTTP being insecure. You don’t want HTTP anymore, and from a search engine perspective there is a slight preference for HTTPS pages. Browsers will actually default to HTTPS in the future when someone types a domain manually, and HTTPS everywhere has been the web default for years now.
As for mod security, unless you run other software which you are not completely sure is patched, or run custom programming code you can’t vouch for as being secure, you don’t need mod security on your website. It’s not actually a solution to a security problem, it just gives you time to patch things if there is a zero-day exploit. It’s more designed for script kiddies or automated attacks; any experienced attacker will have no problem bypassing mod security. The same is true for things like CloudFlare: anyone with some programming experience will bypass those firewalls rather quickly if they know what they need to exploit.
Assuming you keep your ExpressionEngine updated with security patches and don’t run third-party modules that are unsafe, you don’t need the Mod Security web firewall. Mod Security is ok when you run software you cannot patch or are not sure is free of vulnerabilities, like legacy software or outdated scripts. But even then it’s quite useless unless you run custom paid rules. The basic rules work ok but don’t do anything if your site is already secure, and if you are using ExpressionEngine it already takes care of the security aspects, like POST requests in forms and other exploitable things.
Mod Security will actually make your site slower, as there is a performance impact while it tries to analyze every request, and it certainly can and will cause trouble with some add-ons. Don’t bother with it, just disable it. Mod Security is very hard to get right and, as I said, unless you write your own custom regex modules, most providers actually buy the commercial rules because it’s not an easy task to keep up with all the security holes daily and write the proper rules to detect them. If you absolutely want to run it, just run it with the top 10 WAF rules.
Looking at your website, I don’t think it’s one that will be attacked or targeted by malicious actors either. Those usually look to compromise e-commerce websites or sites that host user data.
It can certainly be a bit stressful to start, but once you have it right, your site will look and perform just like you want and need. Only the initial part is a bit of work, then it’s just keeping EE up to date and adding content as you want or fixing little things here and there over time. Starting is always the hardest part, but it seems you have already passed that point.