Support

Admin Tools

#24310 Switch entire site to https - Best Practices

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Wednesday, 09 March 2016 17:20 CST

Thursday, 28 January 2016 06:59 CST

deeno
Do you suggest implementing the following when switching the whole site to https / what are the best practices / did I miss something out or is something not needed?

1. in configuration.php use this setting:
var $live_site = 'https://www.your-domain.com';

2. in .htaccess add this at the bottom of the file:
RewriteEngine On
RewriteCond %{HTTPS} OFF
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

3. in System > Global Configuration > Server > Server Settings set "Force SSL" to "Entire Site"

4. in AdminTools > .htaccess Maker > Optimisation and utility use the following settings to YES:
HSTS Header (for HTTPS-only sites)
Forbid displaying in FRAME (for HTTPS-only sites)

Thanks in advance!
Dee

Thursday, 28 January 2016 07:08 CST

nicholas
#1 is not necessary and not advisable. It may end up causing mixed content warnings in some rare cases. The advice is: if you don't absolutely require $live_site (as in: your site does not work without it) then always leave it blank.

#2 is not required unless you have third party, non-Joomla! scripts running on your site. If you only have Joomla! then #3 and #4 are more than adequate.

#3 and #4 are actually what you need to do. The former tells Joomla! to redirect all requests to the HTTPS site and the latter tells the browser to never even bother with HTTP requests. Essentially, #4 acts like #2 without the browser having to hit the server. With #2 the browser would hit the HTTP URL, receive a 302 redirect to HTTPS and then hit the HTTPS URL, for each and every HTML, CSS, JS, image etc file. With #4 the browser doesn't hit the HTTP URL at all; it converts it to HTTPS automatically, therefore being far more efficient and server-friendly.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 28 January 2016 08:51 CST

deeno
thanks for the quick reply!
does any of #3 or #4 write 301 or 302 redirects in the htaccess?

Thursday, 28 January 2016 10:31 CST

nicholas
No. #3 will issue a 302 using PHP. #4 is where all the money is :) It eliminates the need for a 302 redirection altogether. It literally tells the browser "Dude, NEVER use plain HTTP for this site. If you see a URL starting with http:// for my domain name ignore the idiot user who typed it and use https:// instead without even telling the user he's an idiot". I am one of those idiot users. Half of the time I'm typing a URL on my iPad I mistype http:// instead of https:// but thanks to the HSTS header my browser never makes an insecure HTTP contact with my server. Win :)

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 28 January 2016 10:53 CST

deeno
sorry for thwe possible stupid question:
why using #3 at all then???
(if #4 eliminates the need for a 302 redirection altogether)...as you wrote

Friday, 29 January 2016 00:16 CST

nicholas
For older browsers which don't support HSTS (e.g. Internet Explorer 9 or lower still in use in some corporate environments, old versions of Android / iOS, etc).

You can learn more about STS from this surprisingly technical and accurate WikiPedia page: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 29 January 2016 06:21 CST

deeno
so i guess, if both are implemented, they wouldnt interfere with each other, and on newer browsers #4 will be favored, so no 302-php-redirection from #3 will be executed at all?

Friday, 29 January 2016 09:50 CST

nicholas
Exactly!

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 29 January 2016 09:52 CST

deeno
great stuff, thanks and take care!

Friday, 29 January 2016 12:04 CST

nicholas
You're welcome!

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 05 February 2016 10:11 CST

deeno
short follow-up:
does all that above apply as well for a 2.5.27 Joomla with AdminTools 3.4.4?
i cant find the setting "Forbid displaying in FRAME (for HTTPS-only sites)"

Friday, 05 February 2016 11:00 CST

nicholas
Well... Admin Tools 3.4.4 didn't have that option. However, you can add that option manually. Just add the following to the .htaccess code to add to the bottom of the file:
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Monday, 08 February 2016 03:57 CST

deeno
euxaristw!

Monday, 08 February 2016 07:06 CST

nicholas
You're welcome :)

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 09 March 2016 17:20 CST

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!