Enable site encryption

[kcvv]

Does GetSimple CMS support complete site encryption? I see the release notes for 3.0 says the core supports it but I'm facing some issues when trying to enable https for my entire site.

The issue seems to be that some of the components are not encrypted - so both Firefox 9.0 and Chrome warn me that the site is only partially encrypted and some components are un-encrypted.

IE 8 gives me an option to disable insecure components and if I do, the resulting page has no background / no images and just a bunch of text.

The site is running on Amazon linux , Apache / php and GetSimple Version 3.1B.

I'm running the default them ( Innovation). Please let me know if there is any way of downloading and hosting all css/ js / image files locally so as t avoid this error?

[ccagle8]

If you could find out what is not being loaded securely, I would be happy to attempt to fix it in the core. Is there anyway you can find that out for me? (I don't have an SSL Cert to test with...)

[kcvv]

Thanks for such a quick response Chris! I've managed to resolve it (sort of) by making the following changes -

1. Set the base url under website settings to https://<sitename>/ instead of just the http://<sitename>

2. For the Innovation theme, edited the header.inc.php and changed url http://fonts.googleapis.com/css?family=Yanone+Kaffeesatz' to https://fonts.googleapis.com/css?family=Yanone+Kaffeesatz'

3. Edited the sidebar.inc.php file and changed the URLs - http://www.addthis.com/bookmark.php?v=250 and
http://s7.addthis.com/js/250/addthis_widget.js to https://www.addthis.com/bookmark.php?v=250 https://s7.addthis.com/js/250/addthis_widget.js respectively.

Thankfully, all 3 URLs did support the https version.

After these changes all 3 browsers displayed the https version of the with no errors.


It looks by design GS Core uses the "Website Base URL" to call resources - so now , even when I access the http version and look at the source, a lot of resources are being called from the https version. I'm wondering if this should be changed to use a relative URL.

Thanks!
Venky

Edit: Oh..if you want to get ssl certs for your website, check out startssl.com - they can do class 1 domain validation and provide ssl certs for free.


Edit 2: I'm not so sure if its the core or the theme to blame - Here are the resources that seem to be using absolute URLs instead of relative uri

/theme/Innovation/assets/css/reset.css
/theme/Innovation/style.css?v=3.1B
/theme/Innovation/assets/js/dd_belatedpng.js ( IE Only)
/theme/Innovation/assets/images/break.png
/theme/Innovation/assets/images/share.png


I'll try out few other themes and check.

Edit 4: All themes are calling the function get_site_url() which looks up variable $SITEURL , which is a static entry in websites.xml file. So as far as I can understand, there is no easy way to change the behavior of themes to use dynamic entries based on the accessed URL.

[kcvv]

Got tired of edits so replying as a new post -

I guess I will have to go through all the files to find #include / src / link / js files that are pointing to http and change them to https.

found one more in plugin_functions.php -
The culprit this time is

http://ajax.googleapis.com/ajax/libs/jqu...n.js?v=1.7

Will keep looking and report back any more issues.

[ccagle8]

thank you very much kcvv. We will attempt to get these all fixed by 3.1's release.

[kerry]

Has anyone found a way to encrypt just certain pages within the site such as forms, payment and login pages. My main concern is seo and I understand it is better to have the majority of your site using http:// and then just secure individual pages.

I'd like to find a way to do this and appreciate any comments on what it would take to do this.

Thanks,

[Carlos]

You could make two separate GS sites, one for http:// and the other for the SSL pages.

[shovenose]

You could make a site at secure.example.com and a normal ne at just example.com however why not just make the whole site https?

[E.Eliveld]

Got tired of edits so replying as a new post -

I guess I will have to go through all the files to find #include / src / link / js files that are pointing to http and change them to https.

found one more in plugin_functions.php -
The culprit this time is

http://ajax.googleapis.com/ajax/libs/jqu...n.js?v=1.7

Will keep looking and report back any more issues.

Maybe its a idea to create a site global for that(?).

[WebDevandPhoto]

When gathering the site's URL.. doing something LIKE this would solve the protocol problem:

PHP Code:

$url  = isset($_SERVER['HTTPS']) ? 'https://' : 'http://';
            $url .= $_SERVER['SERVER_NAME'];
            $url .= htmlspecialchars($_SERVER['REQUEST_URI']); 


the

PHP Code:

$url  = isset($_SERVER['HTTPS']) ? 'https://' : 'http://'; 


bit of code finds if the protocol is secure or not. Doing something to this effect may solve that problem for all urls.. and depending on the current protocol all URLs used in the core/themes can be adjusted accordingly by if statements.

[shawn_a]

What version, we use protocolless assets.