Mixed content - SSL Problem or Opencart?


Solution 1

I found this link that points to some configuration changes: http://www.inmotionhosting.com/support/edu/opencart/setting-up-payment-gateways/how-to-enable-ssl-connection-in-opencart

In it you will see some edits to config.php.

Original:

define('HTTPS_SERVER', 'http://opencart.inmotiontesting.com/');
define('HTTPS_IMAGE', 'http://opencart.inmotiontesting.com/image/');

define('HTTPS_SERVER', 'http://opencart.inmotiontesting.com/admin/');
define('HTTPS_CATALOG', 'http://opencart.inmotiontesting.com/');
define('HTTPS_IMAGE', 'http://opencart.inmotiontesting.com/image/');

New:

define('HTTPS_SERVER', 'https://opencart.inmotiontesting.com/');
define('HTTPS_IMAGE', 'https://opencart.inmotiontesting.com/image/');

define('HTTPS_SERVER', 'https://opencart.inmotiontesting.com/admin/');
define('HTTPS_CATALOG', 'https://opencart.inmotiontesting.com/');
define('HTTPS_IMAGE', 'https://opencart.inmotiontesting.com/image/');

You will notice that the only thing that changes is HTTP to HTTPS. I checked another site and it agrees with the settings.

Solution 2

I realize this question is solved, but to answer you: It's the OpenCart side. Here are tips in case anyone else runs into something like this when trying to go SSL everywhere:

-- As mentioned make sure both config.php and admin/config.php point to both http and https variants. Also make sure any mods that use a copied config (a la vTiger sync) have the proper updated urls. Remember there are always at least 2 configs to update in OC.

-- A warning about htaccess forced 301: Make sure that your theme, any modules, or any vQmods do not call strict http:// assets. This is a common error in OC, especially in themes or poorly crafted mods that re-invent the wheel and call their own JS/fonts. If you find strict assets, change them to relative URLs (//) in the source(s). This is the preferred means of repairing the insecure items; htaccess will only scoot around or mask the issue and won't work with HSTS after the first page access (since it is client side 307 & blocks). Most likely you want to use HSTS, it's a great header... but your insecure items above still wouldn't work.

-- You should repair the file manager to use native relative URLs (//) when it attaches media. This would prevent insecure items in the future. The fix is beyond the scope of this writeup, but it involves editing admin/controller/common/filemanager.php and replacing $this->data['directory'] = HTTP_CATALOG . 'image/data/'; with something like $this->data['directory'] = str_replace('http:', '', HTTP_CATALOG) . 'image/data/'; (or its HTTPS_ counterpart).

-- If you are using HTTPS mode always, it's wise to mod the system/library/url.php to include strict HTTPS self-gen assets (like images, menus, links, scripts, etc). It's a very easy fix (1.5.5 to 1.5.6.4), just jump in that file and find $url = $this->url; then change it to $url = $this->ssl;. The magic asset fix.

-- Another route: There is an "SSL everywhere manager" for OpenCart that helps with this stuff and more without the need for htaccess or manual coding. Has 301, HSTS 307, preload, assets, relatives, proxies, etc.

There are more things, but that stuff seems to be what people run into most with SSL always in OpenCart. Hope that helps people in the future!
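
An added example, not part of either answer: a small Python scanner for the hardcoded http:// asset references Solution 2 warns about in themes, modules and vQmods, which also flags HTTPS_* defines still pointing at http:// (the config.php edit in Solution 1). The sample lines and the shop.example hostnames are constructed for illustration.

```python
import re

# Constructed sample: lines like those found in an OpenCart theme, a module
# template and config.php. Hostnames are placeholders.
SAMPLE = """\
<link rel="stylesheet" href="http://shop.example/catalog/view/theme/x/style.css">
<link rel="canonical" href="http://shop.example/">
<script src="http://shop.example/catalog/view/javascript/mod.js"></script>
<script src="//shop.example/catalog/view/javascript/ok.js"></script>
<img src="http://shop.example/image/data/logo.png">
<a href="http://other.example/">partner</a>
<style>@font-face { src: url('http://shop.example/fonts/f.woff'); }</style>
define('HTTPS_SERVER', 'http://shop.example/');
"""

# Active content: browsers refuse to load these over http:// on an HTTPS page.
BLOCKED = {"script", "link", "iframe"}
TAG_RE = re.compile(
    r"<(script|link|iframe|img|audio|video|source)\b[^>]*?"
    r"\b(?:src|href)\s*=\s*[\"'](http://[^\"']+)[\"'][^>]*>", re.I)
CSS_RE = re.compile(r"url\(\s*[\"']?(http://[^\"')\s]+)", re.I)
DEFINE_RE = re.compile(r"define\(\s*'(HTTPS_[A-Z]+)'\s*,\s*'(http://[^']+)'")

def find_insecure(text):
    """Return (line_no, kind, url) for every hardcoded http:// load."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in TAG_RE.finditer(line):
            tag, url = m.group(1).lower(), m.group(2)
            if tag == "link" and "stylesheet" not in m.group(0).lower():
                continue  # rel=canonical and similar links fetch nothing
            # "passive" media is warned about or upgraded, depending on browser
            hits.append((no, "blocked" if tag in BLOCKED else "passive", url))
        for url in CSS_RE.findall(line):
            hits.append((no, "css", url))  # fonts are blocked, images passive
        for name, url in DEFINE_RE.findall(line):
            hits.append((no, "config:" + name, url))  # HTTPS_* must be https
    return hits

if __name__ == "__main__":
    for no, kind, url in find_insecure(SAMPLE):
        print(f"line {no}: {kind:<20} {url}")
```

Plain `<a href>` links, the canonical link and the protocol-relative script are deliberately not reported, since none of them triggers a mixed-content load.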


Author: Isleno Ituriel

A curious webmaster, developer and enterprising that loves learn new things and to get the hands dirty :)

Updated on September 18, 2022

Comments

  • Isleno Ituriel
    Isleno Ituriel over 1 year

    This question is related with: Duplicated content www on subdomain and SSL

    My actual HTACCESS:

    RewriteBase /
    
    # this redirects example.com and www.example.com to https - thanks closetnoc @webmasters-stackexchange
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_HOST} ^loja\.genesiseries\.com$ [NC,OR]
    RewriteCond %{HTTP_HOST} ^www\.loja\.genesiseries\.com$ [NC]
    RewriteRule ^(.*)$ https://loja.genesiseries.com/$1 [R=301,L]
    
    RewriteCond %{HTTPS} on
    RewriteCond %{HTTP_HOST} ^www\.loja\.genesiseries\.com$ [NC]
    RewriteRule ^(.*)$ https://loja.genesiseries.com/$1 [R=301,L]
    
    #Now start the normal rules
    RewriteRule ^sitemap.xml$ index.php?route=feed/google_sitemap [L]
    RewriteRule ^googlebase.xml$ index.php?route=feed/google_base [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !.*\.(ico|gif|jpg|jpeg|png|js|css)
    RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA]
    RewriteCond %{QUERY_STRING} ^route=common/home$
    RewriteRule ^index\.php$ https://loja.genesiseries.com? [R=301,L]
    # Attempt to prevent the "headers sent" error
    #RewriteCond %{HTTP_HOST} !^loja\.genesiseries\.com
    #RewriteRule ^(.*)$ http://loja.genesiseries.com/$1 [R=301,L]
    

    Using these rules I am getting the following error(s): Original Screenshot

    Mixed Content: The page at 'https://example.com/admin' was loaded over HTTPS, but requested an insecure script 'http://example.com/admin/.../script.js'. This request has been blocked; the content must be served over HTTPS.
    :
    :
    etc.

    Problem of opencart config or SSL rules?

    • Admin
      Admin over 9 years
      I up-voted this question too! Next time we can go into chat. ;-) @dan is a great guy. I don't want to make his work harder. BTW- it is after 4am. I will have to go to bed soon. If we need to continue this, I will be here tomorrow. I am here everyday.
    • Admin
      Admin over 9 years
      What was the "error" you were getting? Your link to an image of this error now returns a 404 (and it was just over a week ago). In the future please embed as much information in the question itself to avoid these issues of external resources disappearing. Unfortunately, as it stands, your question is now inviting deletion.
    • Admin
      Admin over 9 years
      Hi @w3d the issue has been solved by closetnoc. Thank you so much! PS: The image still accessible, probably was a temporary error
  • Isleno Ituriel
    Isleno Ituriel over 9 years
    Worked, try login yourself now! :) finally we got it. I really appreciate your help. Just for make sure, you think that 3 redirects will not affect my ranking on google?
  • closetnoc
    closetnoc over 9 years
    @IslenoIturiel I don't think the redirects will hurt. It is that some bots/browsers (at least they used to) limit the number of redirects they will follow.
  • Isleno Ituriel
    Isleno Ituriel over 9 years
    I accepted your answer but wanted to take a doubt, in a case that the subdomain.example.com doesn't need HTTPS redirect and just www. to subdomain.example.com what rules i need use?
  • closetnoc
    closetnoc over 9 years
    @IslenoIturiel I am not sure I understand. But if I read you right, the line in question is RewriteCond %{HTTP_HOST} ^loja\.genesiseries\.com$ [NC,OR] in which case, I would tell you that it is redirecting HTTP requests to ^loja\.genesiseries\.com$ to HTTPS ^loja\.genesiseries\.com$. Did I get that right?
  • Isleno Ituriel
    Isleno Ituriel over 9 years
    I don't know how to rephrase my question to be clarified but it's not a big deal! The most important is that the problem was solved. I really appreciate all what you do for me, thank you!
  • closetnoc
    closetnoc over 9 years
    @IslenoIturiel Anytime! I am glad I was able to help!!
  • closetnoc
    closetnoc over 9 years
    It's good to hear another voice on this one. One up-vote!
  • dhaupin
    dhaupin over 9 years
    @closetnoc Thanks my friend. OpenCart is a bit of a passion lately, it's a fun platform that works with a lot of stuff thrown at it. To make this a valid comment: Upon further testing, 301 assets before 307 HSTS may work sometimes, in some places... still wrapping my head around that hah. It may be due to how you incorporate the header (native PHP vs OC method)