I agree and I'm holding off to see what others report back. You can still get great results without full SSL and this is only a small % of the rating factors.cgchris99 wrote:So what has more weight, the fact that your site is slower because of the SSL or the added security from SSL. Enabling SSL on your whole site will slow it down.
DL
This account is inactive. Look for us under the name 'EvolveWebHosting' and contact us under that username.
Thanks!
Hi guys,
I'm new to OC, just installed the lastest stable version after I had to give up on Prestashop for various reasons.
Can someone please show, what has to be done to achieve a full SSL multi-store capable setup with URL-rewriting in case the "www" is missing?
On another (single-domain) site I have solved the problem as follows, but that one does not work with multi-store capability in mind if sub-domains are used as well:
So the plan is:
Greetings,
M.
I'm new to OC, just installed the lastest stable version after I had to give up on Prestashop for various reasons.
Can someone please show, what has to be done to achieve a full SSL multi-store capable setup with URL-rewriting in case the "www" is missing?
On another (single-domain) site I have solved the problem as follows, but that one does not work with multi-store capability in mind if sub-domains are used as well:
Code: Select all
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
RewriteCond %{HTTP_HOST} !^www.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]- all access to the OC installation with all configured multi-store domains has to be SSL encrypted
- in case the "www" is missing (e.g. http://example.tld or https://example.tld) it should be rewritten to https://www.example.tld
- in case a sub-domain (other than "www") is used it should not get the "www" added of course but only taken care of that it's using "https" (e.g. from http://sub.example.tld to https://sub.example.tld)
Greetings,
M.
Koeltechnische deurrubbers eenvoudig online op maat bestellen.
Alle niet stekplichtige onderdelen zoals scharnieren, sloten, randverwarming en verlichting voor alle typen koelingen en vriezers.
https://koelcel-onderdelen.com
I run all my sites under ssl, there is no slowdown when compared with gtmetrix.comcwswebdesign wrote:I agree and I'm holding off to see what others report back. You can still get great results without full SSL and this is only a small % of the rating factors.cgchris99 wrote:So what has more weight, the fact that your site is slower because of the SSL or the added security from SSL. Enabling SSL on your whole site will slow it down.
DL
so ssl does add that little bit more, in fact i run ssl for quite some years and i think google has used it for quiet some time now but only recently communicated it to the outside world.
Must say, i pretty well optimized my sites for speed, and still in that process, next release of sites will score 96% pagespeed when checked wth gtmetrix
Koeltechnische deurrubbers eenvoudig online op maat bestellen.
Alle niet stekplichtige onderdelen zoals scharnieren, sloten, randverwarming en verlichting voor alle typen koelingen en vriezers.
https://koelcel-onderdelen.com
The problem I'm trying to solve with the above rewrite rule is, that you don't want someone trying to access your site by https://example.tld if the SSL cert is issued for https://www.example.tld
On the other hand it of course should not rewrite something like https://sub.example.tld to https://www.sub.example.tld
I'm not really fluent in regular expressions and writing rewrite conditions and rules, so can it be done that it only gets the www. added if there is no 3rd level domain found by the condition?
I'm also completely convinced that going full SSL is the the way to go, I'm not worried about any slowdowns.
On the other hand it of course should not rewrite something like https://sub.example.tld to https://www.sub.example.tld
I'm not really fluent in regular expressions and writing rewrite conditions and rules, so can it be done that it only gets the www. added if there is no 3rd level domain found by the condition?
I'm also completely convinced that going full SSL is the the way to go, I'm not worried about any slowdowns.
To address the speed thoughts above, you must be running software from something like....2004.....If your site slows down from SSL you should first update openssl+http2 and prob go read how to set up TLS1.2->SPDY properly.
I dont even use SPDY yet and there is 0 difference in speed or VPS load even under traffic of ~1k new (non-cached) SSL sessions a day. 5 multistores running SSL.... Yes it makes more handshakes, but thats where http2 and SPDY would come into play.
So lets use a standard shared server like most folks use - not even our VPS, its not optimized in any way and without good spec. Its 1 second more load time. Optimizing would make it something like 60% less.
I totally agree that it slows it down, perhaps significantly on 2g phone internet, but i feel the competitive benefits of a fully encrypted site are better than rolling like the rest of the pack.
I dont even use SPDY yet and there is 0 difference in speed or VPS load even under traffic of ~1k new (non-cached) SSL sessions a day. 5 multistores running SSL.... Yes it makes more handshakes, but thats where http2 and SPDY would come into play.
So lets use a standard shared server like most folks use - not even our VPS, its not optimized in any way and without good spec. Its 1 second more load time. Optimizing would make it something like 60% less.
I totally agree that it slows it down, perhaps significantly on 2g phone internet, but i feel the competitive benefits of a fully encrypted site are better than rolling like the rest of the pack.
https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.
Dhaupin wrote: 5 multistores running SSL....
Could you let us know what type of SSL certificate you have? I have a single SSL that account for store1.com but using multi-store store2.com would need a different SSL certificate and store3.com, etc.
Would I need to purchase 3 ssl certificates and have my host install the 2nd and 3rd like they did for the first ssl certificate?
Mike
cue4cheap not cheap quality
Yes you need a cert for each domain, unless you spend more on wildcard SSL. We just use standard GlobalSign DV certs since they are dirt cheap through our host (less than $50/yr). Really all you need is a 2048 bit cert from anywhere, it doesnt matter. Make sure you register on the domain with WWW even if it doesnt need it. Here is ours: https://www.globalsign.com/ssl/domain-ssl/Cue4cheap wrote: Could you let us know what type of SSL certificate you have? I have a single SSL that account for store1.com but using multi-store store2.com would need a different SSL certificate and store3.com, etc.
-- Keep in mind each subdomain is considered a seperate site, so if you want an SSL blog or something without spending more on certs/wildcard/enterprise, put it under the domain like http://www.yoursite.com/blog
-- Although organization certs (OV) are technically better, there isnt much besides marketing. And unless you are in need of wildcard or multi-domain certs, dont spend the money on enterprise level.
-- Oh and also, you can run multiple certs on 1 IP in 1 server on as many addon domains as you like by using SNI support. True ancient browsers dont understand it but honestly who cares. We are all tired of catering to whiners who never run updates
You can run it through qualys once its set up to make sure your server is running SSL ok: https://www.ssllabs.com/ssltest/index.html
https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.
Blady expensive, i pay € 9 a year about $ 13 same certificate.
Koeltechnische deurrubbers eenvoudig online op maat bestellen.
Alle niet stekplichtige onderdelen zoals scharnieren, sloten, randverwarming en verlichting voor alle typen koelingen en vriezers.
https://koelcel-onderdelen.com
Dhaupin wrote:Yes you need a cert for each domain, unless you spend more on wildcard SSL. We just use standard GlobalSign DV certs since they are dirt cheap through our host (less than $50/yr). Really all you need is a 2048 bit cert from anywhere, it doesnt matter. Make sure you register on the domain with WWW even if it doesnt need it. Here is ours: https://www.globalsign.com/ssl/domain-ssl/Cue4cheap wrote: Could you let us know what type of SSL certificate you have? I have a single SSL that account for store1.com but using multi-store store2.com would need a different SSL certificate and store3.com, etc.
-- Keep in mind each subdomain is considered a seperate site, so if you want an SSL blog or something without spending more on certs/wildcard/enterprise, put it under the domain like http://www.yoursite.com/blog
-- Although organization certs (OV) are technically better, there isnt much besides marketing. And unless you are in need of wildcard or multi-domain certs, dont spend the money on enterprise level.
-- Oh and also, you can run multiple certs on 1 IP in 1 server on as many addon domains as you like by using SNI support. True ancient browsers dont understand it but honestly who cares. We are all tired of catering to whiners who never run updates
You can run it through qualys once its set up to make sure your server is running SSL ok: https://www.ssllabs.com/ssltest/index.html
I may have to try this with the help of our webhost. I have been using Multi-store and it works, but when I set it up it seemed like it would be store1.maindomain.com, store2.maindomain.com, etc. But if I attempt to go to store2.maindomain.com it doesn't do as I might expect (going to store2.com). What it does is go to maindomain.com with the URL still saying store2.maindomain.com.
I can accept it, in how it works, but I think it would be good to understand the 'whys' behind why it works the way it does.
Because of the way it work I think I might buy second certificate through my web host and beg them if it doesn't work to refund it.
Mike
cue4cheap not cheap quality
Nice, thats a sweet deal. Through a partner or something?victorj wrote:Blady expensive, i pay € 9 a year about $ 13 same certificate.
@Cue4Cheap - Multistore is pretty easy when you get a tactic down. Heres an overview that should work for you even with multiSSL:
1) Install OC on your primary domain (we use shop.mydomain.com in order to keep www as a corp portal in future). Make sure its homepage is by nothing after the .com (dont show the install folder in url).
2) Take note of the install folder location in ftp, you will need to attach subdomains this way. Enter folder and turn on htaccess by removing the .txt in file name.
3) Install each domain as an "addon domain" which will make a subdomain for itself. Name its subdomain the same as store such as "myaddondomain.mydomain.com". This is what the addon (multistore) will route through, its a keystone.
4) *important* During the process, point the root folder of the subdomain into your stores install directory. For example, /public_html/store/. It needs to live as the "store" folder. So myaddondomain.mydomain.com would take the form of /public_html/store/.
5) This should set up an addon domain. If your addon isnt ready to switch, such as on another store still, you can still make its subdomain live in the store folder in preperation. This will give you a temp utility url to work on it.
6) If you are ready to roll on the real domain, we need to protect it some by disallowing those temp subdomain url routes. Here is an example htaccess snippet that should do that for you and force www mode:
Code: Select all
RewriteCond %{HTTP_HOST} ^myaddondomain\.mydomain\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.myaddondomain\.mydomain\.com$ [OR]
RewriteCond %{HTTP_HOST} ^myaddondomain\.com$
RewriteRule ^(.*)$ "http\:\/\/www\.myaddondomain\.com\/$1" [R=301,L]
RewriteCond %{HTTPS_HOST} ^myaddondomain\.mydomain\.com$ [OR]
RewriteCond %{HTTPS_HOST} ^www\.myaddondomain\.mydomain\.com$ [OR]
RewriteCond %{HTTPS_HOST} ^myaddondomain\.com$
RewriteRule ^(.*)$ "https\:\/\/www\.myaddondomain\.com\/$1" [R=301,L]
https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.
Dhaupin,
Thank you for the explanation but I have multi-store setup and working on the main and 3 subdomains. I was just curious about the mechanism that is at work where the myaddondomain.mydomain.com doesn't show the add on domain just the mydomain.com. I think the key is that everything (main and sub domains) are pointed to the same folder.
Thank you again for taking the time to type that out.
Mike
Thank you for the explanation but I have multi-store setup and working on the main and 3 subdomains. I was just curious about the mechanism that is at work where the myaddondomain.mydomain.com doesn't show the add on domain just the mydomain.com. I think the key is that everything (main and sub domains) are pointed to the same folder.
Thank you again for taking the time to type that out.
Mike
cue4cheap not cheap quality
@Mike awesome man, that folder "subdomain home" very well may be the hangup. Just wanted to lay it out from the start. There is 1 last mechanism to it if youre curious. The HT enabled in step 2 has a directive/rule called "RewriteBase /". This is saying:Cue4cheap wrote: I think the key is that everything (main and sub domains) are pointed to the same folder.
Code: Select all
When i access this app -> define a path to the correct folder -> relative to the current URL accessing it.
As far as SSL goes though, use as few HT redirects as possible -- the sub right into the folder is def the best route
https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.
Who is online
Users browsing this forum: No registered users and 35 guests
