X3 Photo Gallery Support Forums

 
EHRETic
Experienced
Topic Author
Posts: 116
Joined: 02 Feb 2011, 16:26

SSL/HTTPs best practice

26 Jun 2017, 08:22

Hello there,

I've looked a little bit, but I didn't find any general information about turning your imagevue website to HTTPS.

So I'm wondering how you just simply force SSL/HTTPS connection when your SSL certificate and website are already accessible with HTTPS...  :wink:
Of course, the simpler the better...
 
mjau-mjau
X3 Wizard
Posts: 13993
Joined: 30 Sep 2006, 03:37

Re: SSL/HTTPs best practice

26 Jun 2017, 12:59

EHRETic wrote: I've looked a little bit, but I didn't find any general information about turning your imagevue website to HTTPS.
I assume you have already tested your X3 website with SSL/HTTPS url? X3 simply works nicely with SSL, and doesn't require any special settings to get it to work.

In your case, I assume you just want to FORCE the website to ALWAYS use SSL, by redirecting non-SSL requests? That is the right way to do it (you should never have BOTH ssl and non-ssl to same url), and is how we do it with all our own websites (including www.photo.gallery). It is NOT something we can manage from the X3 application itself though, since this is a server-feature related to your hosting.

From the Html5-boilerplate standard, they recommend this code:
Code
# ----------------------------------------------------------------------
# | Forcing `https://`                                                 |
# ----------------------------------------------------------------------

# Redirect from the `http://` to the `https://` version of the URL.
# https://wiki.apache.org/httpd/RewriteHTTPToHTTPS

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
I would recommend this: Add the above code in a new/blank .htaccess file in the PARENT folder of your X3 directory. The .htaccess file should still apply, even if it is outside the public WWW area. By doing it like this, you can avoid having to modify the X3 .htaccess file, which is included in updates.

If the above did not work, you would have to add the rewrite code to the X3 .htaccess file.

Let me know how it goes ...
 
GGANG
Experienced
Posts: 122
Joined: 02 Feb 2012, 11:01

Re: SSL/HTTPs best practice

02 Jul 2017, 16:13

Cloudflare Flexible SSL certificates work fine.
https://pornsaknanakorn.com
Attachments: Crypto.jpg, Page Rules.jpg
 
mjau-mjau
X3 Wizard
Posts: 13993
Joined: 30 Sep 2006, 03:37

Re: SSL/HTTPs best practice

02 Jul 2017, 17:27

GGANG wrote: Cloudflare Flexible SSL certificates work fine. https://pornsaknanakorn.com
Indeed it does :thumbsup: Cloudflare has the option to "Always use HTTPS" without having to create a redirect in your .htaccess, and you can even use HTTPS without your server having SSL. It's best if you can set "full" instead of "flexible", but that requires that your server supports SSL.
GGANG wrote: Page Rules.jpg
  • You can delete rule #2. X3 already instructs Cloudflare what to cache from /panel.
  • You can remove "SSL: Flexible" in rule #3. Your website is already always on SSL.
These are the only page-rules you need for a perfect Cloudflare setup:
Image
 
Eightkiller
Experienced
Posts: 116
Joined: 15 Jul 2012, 14:34

Re: SSL/HTTPs best practice

04 Jul 2017, 13:36

Hi,

It's strange, since I moved my website to Fastcomet, I reinstalled an SSL self-signed certificate on my server (which is working nicely), I can access my website with https. 
Then I linked my website with Cloudflare, and configured it for an automatic HTTPS redirection and always use HTTPS (as you were talking about above). Unfortunately, I'm not redirected automatically in HTTPS mode. I also tried to create a "Page rule" with an "always use HTTPS" for "www.insightspirit.com/*" (I thought it was not necessary to do that as long as you had activated the option?)

You can check it here : http://www.insightspirit.com

Before going with Cloudflare, I was using some rules in my .htaccess file which were working flawlessly:
Code
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L,NE]
It was causing a problem since I started using Cloudflare, I was having a "too many redirect" error. So I removed those rules, and only configured the redirection with Cloudflare, but as I said it is not redirecting! Maybe I have to wait more time in order for my modification to be taken into account?

Thanks for your help.
 
GGANG
Experienced
Posts: 122
Joined: 02 Feb 2012, 11:01

Re: SSL/HTTPs best practice

04 Jul 2017, 13:46

@Eightkill Your website SSL certificate works for me.  https://www.insightspirit.com

@Karl my server doesn't support SSL self-signed certificate. That's why I use the Flexible SSL. 
It's absolutely free by Cloudflare.

I've changed the page rules setting.
Thank you for the update.
Attachments: page-rules-ps.jpg, ssl-insightspirit.jpg, insightspirit.jpg
 
mjau-mjau
X3 Wizard
Posts: 13993
Joined: 30 Sep 2006, 03:37

Re: SSL/HTTPs best practice

04 Jul 2017, 16:00

Eightkill wrote: You can check it here : http://www.insightspirit.com
Works fine here. It often takes 30-60 min for an SSL certificate to activate for a new Cloudflare website.

To make everything perfect, you should also set up a rule to always redirect to www or non-www. Currently, I can access your website with BOTH www and non-www, which is non-productive.
 
Eightkiller
Experienced
Posts: 116
Joined: 15 Jul 2012, 14:34

Re: SSL/HTTPs best practice

05 Jul 2017, 03:51

Yes it was indeed a matter of "time to wait" :), I've added a permanent redirection in order to always go with www.
You can check if it works for you  http://insightspirit.com

Thanks for the answer and see you ;-)
 
mjau-mjau
X3 Wizard
Posts: 13993
Joined: 30 Sep 2006, 03:37

Re: SSL/HTTPs best practice

05 Jul 2017, 06:09

Eightkill wrote: Yes it was indeed a matter of "time to wait" :), I've added a permanent redirection in order to always go with www.
You can check if it works for you  http://insightspirit.com
Works nicely :star:
 
EHRETic
Experienced
Topic Author
Posts: 116
Joined: 02 Feb 2011, 16:26

Re: SSL/HTTPs best practice

02 Apr 2019, 13:45

Hi there,

Finally (after 2 years !!!) found some time to look at this more closely... :D
I looked at .htaccess at root folder and it seems it is already one customized by X3.

So, in which section should I add the code of https redirect?
Wouldn't it be nice to have one section written by yourself to harmonize it?
:wink:

Anyway, the tendency is to have everything on HTTPS in the near future.
 
mjau-mjau
X3 Wizard
Posts: 13993
Joined: 30 Sep 2006, 03:37

Re: SSL/HTTPs best practice

03 Apr 2019, 00:28

Hi Franck,
EHRETic wrote: Finally (after 2 years !!!) found some time to look at this more closely... :D
I looked at .htaccess at root folder and it seems it is already one customized by X3.
The .htaccess file in root is entirely 100% FROM X3 (not really customized). The rules there allow virtual page URLs and image resize URLs to work. This file is required for X3 to work properly.
EHRETic wrote: So, in which section should I add the code of https redirect?
Ideally, your non-SSL to SSL redirects should be set up in your Apache config, although that is hardly to be expected on shared servers. Also, there is an option Panel Settings > Advanced > Force Url, which basically allows you to set the HTTPS version of your website, and X3 will always redirect to that.

If you need to add to X3's .htaccess, you would just add your custom redirect rule at the top of the file, inside the following tags, so that your rules are carried over into the file after X3 updates:
Code
# custom rules start
... your rules ...
# custom rules end
I have not included the redirect rule, because this may vary from server to server, and I assume you already have a specific rule to add?

EHRETic wrote: Wouldn't it be nice to have one section written by yourself to harmonize it?
Not quite sure what you mean. The entire .htaccess is written by me, and contains all rules necessary for running X3 and a few other strongly recommended rules. We can't include the SSL redirect by default, because most websites still don't have SSL, and those that do will often have the redirect rule set from either Apache or Cloudflare.
EHRETic wrote: Anyway, the tendency is to have everything on HTTPS in the near future.
Indeed, and it is strongly recommended for all X3 websites. However, X3 does not have any say in if a website has SSL or not.
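
A proxy-aware form of the HTTPS redirect, as an added example that is not part of the original posts or of X3's own .htaccess: behind Cloudflare in "Flexible" mode the origin is always reached over plain HTTP, so a rule that tests only `%{HTTPS}` redirects every request again, which is the "too many redirects" error reported earlier in the thread. It assumes the proxy sets the `X-Forwarded-Proto` request header (Cloudflare does) and is wrapped in the custom-rules markers described above.

```apache
# custom rules start
<IfModule mod_rewrite.c>
  RewriteEngine On

  # Condition 1: this connection to Apache itself is not TLS.
  # Behind a "Flexible" proxy that is true for EVERY request, so
  # used alone it sends the visitor into an endless redirect.
  RewriteCond %{HTTPS} !=on

  # Condition 2 (ANDed with the first): the proxy did not report
  # that the visitor's own connection was HTTPS.
  # Assumption: the proxy in front of the site sets X-Forwarded-Proto.
  RewriteCond %{HTTP:X-Forwarded-Proto} !=https

  # REQUEST_URI keeps the full path even in a per-directory .htaccess;
  # the query string is carried over automatically.
  # NE stops the already-encoded URI from being escaped a second time.
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
</IfModule>
# custom rules end
```

On a server that is not behind a proxy, drop the `X-Forwarded-Proto` condition, because any client can send that header itself and skip the redirect.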
 
EHRETic
Experienced
Topic Author
Posts: 116
Joined: 02 Feb 2011, 16:26

Re: SSL/HTTPs best practice

03 Apr 2019, 05:39

Hi,

Thanks a lot, I understand now that you can't put your "suggestions" for SSL in your own .htaccess because it might not work on all the different platforms.

I've tried the .htaccess with the custom rules and it works fine but the force URL in settings seems also to be a convenient way to do so. ;-)

Which one would you recommend performance wise ? 
Is the custom section saved when you do updates? (I've seen there are several backed up versions of .htaccess in my root folder)
 
mjau-mjau
X3 Wizard
Posts: 13993
Joined: 30 Sep 2006, 03:37

Re: SSL/HTTPs best practice

03 Apr 2019, 11:01

EHRETic wrote: I've tried the .htaccess with the custom rules and it works fine but the force URL in settings seems also to be a convenient way to do so. ;-)

Which one would you recommend performance wise ? 
X3's "force URL" is convenient, and it gets the job done. However, it can only redirect requests that are passed through the X3 application (eg. X3 pages), which in turn will serve all assets/images on SSL also of course ... If someone, for some reason, makes a request to a static file http://website.com/file.jpg directly in their browser, it will not redirect to SSL, because X3 does not control that request. Not critical, but just so you know that X3's "force url" setting only affects X3.

To force ALL requests on your website to redirect to SSL, you would need to use the .htaccess method. It's a bit technical, and I don't think there is much difference in performance, but it's the most correct way if you want your entire website to always be served on SSL.
EHRETic wrote: Is the custom section saved when you do updates? (I've seen there are several backed up versions of .htaccess in my root folder)
Yes, as long as you wrap it inside the #custom tags as in my example. The backups are there simply as precautions, in case the website owner has custom stuff added to their .htaccess files. You can go ahead and delete all the backup versions.