Years ago I created my business website using Dreamweaver CS5. I've purchased an SSL certificate and my website host now tells me I have work to do my end in order to finish the implementation. I have absolutely no idea how to do this and I'm not finding anything when I try to search for an answer online. My web address is http://www.heritageceilings.com.au .
Could some dear soul please help me? I'm not very smart with technical things so simple terminology will be most appreciated.
Thanks in advance.
Your server now requires SSL/TLS to function; this is assuming that the login details and the FTP address are the same as before.
Try the following settings
My host has two options to include a certificate, namely the free of charge 'Let's Encrypt' or purchased SSL/TLS Certificates.
Choosing the former involves ticking a checkbox, the latter involves uploading your Certificate.
After you have done that, you will need to ensure that the site is directed to HTTPS://. I have done that using .htaccess as per
# ----------------------------------------------------------------------
# Start rewrite engine
# ----------------------------------------------------------------------
# Turning on the rewrite engine is necessary for the following rules and features.
# FollowSymLinks must be enabled for this to work.
<IfModule mod_rewrite.c>
Options +FollowSymlinks
RewriteEngine On
</IfModule>
# ----------------------------------------------------------------------
# Rewrite "www.example.com -> example.com"
# ----------------------------------------------------------------------
<IfModule mod_rewrite.c>
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
</IfModule>
The above code tells the browser, if HTTPS is not used in the address, to remove the 'www.' part of the address after which it automatically chooses HTTPS://
Thank you Ben. I'm not sure I understand a lot of it so far but I will endeavour to figure it out over the weekend.
Mine was a paid certificate organized by my site host. I checked with them, they have uploaded the certificate and they told me I have a Windows server. Does that make any difference to the .htaccess file that I must write please?
In that case you cannot use .htaccess, for Windows you will need a file called web.config.
Having said that, your Parallels Panel will probably negate having to use web.config. In the panel, go to IIS Settings
and tick the Require SSL box
As far as I can see and judging by the info that you have supplied, this is all you have to do.
At the risk of sounding even dumber where do I find this colourful panel that you have included in your two replies please?
When you log into your hosting account, you should be confronted with said panel. Who is your web host?
I ended up ringing my host company. The fellow I spoke to said there is no setting (per se) for IIS/with a box to check for SSL.
He has done something his end which now results in my website showing up as https://www....... but the information thingee at the side of it says the "site is not fully secure". The man I spoke to said I now need to go through the whole website and put an "s" at the end of every single http which is a very daunting task because there are so many links.
I had hoped there was an easier way to do this. What do you think please? My host is a company called Westnet.
jeanmorrison wrote
I ended up ringing my host company. The fellow I spoke to said there is no setting (per se) for IIS/with a box to check for SSL.
He has done something his end which now results in my website showing up as https://www....... but the information thingee at the side of it says the "site is not fully secure". The man I spoke to said I now need to go through the whole website and put an "s" at the end of every single http which is a very daunting task because there are so many links.
I had hoped there was an easier way to do this. What do you think please? My host is a company called Westnet.
I've just gone through the same process for one of my client's sites and yes it's a pain in the backside changing the links. You can do a sitewide find and replace. Find http:// replace with https://
It was much quicker and easier than I thought. The certificate was already set up by the hosting company, which of course helped.
I would back up your site folder before you carry out any updates just in case anything goes wrong, then you have a 'clean' folder to work from again.
Once you have changed your links from http:// to https:// then upload your updated files to your server.
Create a file in the same directory as your home page (root directory) called web.config. In that file, place the following contents
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
This will save you having to rename all of your links.
Thanks to both of you. So, I copy the code, substitute my (new) url into line 10 and save it, maybe in notepad, as web.config and then upload it. Hopefully I can manage that.
It's 7 pm here so I'll do this tomorrow with a fresh mind to the job. I'll report back my success.
jeanmorrison wrote
Thanks to both of you. So, I copy the code, substitute my (new) url into line 10 and save it, maybe in notepad, as web.config and then upload it. Hopefully I can manage that.
It's 7 pm here so I'll do this tomorrow with a fresh mind to the job. I'll report back my success.
Personally I'd rather have the correct code in my actual pages rather than using Ben's method but if it works, then it works. I do things properly, others just paper over the cracks and hope the cracks don't start to show.
osgood_ wrote
Personally I'd rather have the correct code in my actual pages rather than using Ben's method but if it works, then it works. I do things properly, others just paper over the cracks and hope the cracks don't start to show.
What happens when you Google the site, before Google has caught up with the change, and it sends you to HTTP instead of HTTPS? Do you call that proper?
Edit: Adding the redirect using web.config will give you time to change the code as @osgood_ suggested. Even if you miss a few links, web.config will catch those. I'd hate to think that this is not classified as proper coding as suggested by the ill-informed.
BenPleysier wrote
osgood_ wrote
Personally I'd rather have the correct code in my actual pages rather than using Ben's method but if it works, then it works. I do things properly, others just paper over the cracks and hope the cracks don't start to show.
What happens when you Google the site, before Google has caught up with the change, and it sends you to HTTP instead of HTTPS? Do you call that proper?
Edit: Adding the redirect using web.config will give you time to change the code as @osgood_ suggested. Even if you miss a few links, web.config will catch those. I'd hate to think that this is not classified as proper coding as suggested by the ill-informed.
Were you NOT suggesting to leave the http:// links in the pages as they were, nothing about Google caching the pages which would also need to be addressed. Rather than go about it half-assed as you always seem to do, do it properly.
jeanmorrison wrote
it's 7 pm here so I'll do this tomorrow with a fresh mind to the job. I'll report back my success.
Perth by any chance?
I see your post said you copied the file provided by BenPleysier - Your pages still aren't secure and they won't be because it's a redirect. You still need to fix the mixed content issue. A redirect will not fix this.
You need to change your links, images and css file yourself to https.
Your site still shows this
<link rel="stylesheet" type="text/css" href="style.css" />
instead of this
<link rel="stylesheet" type="text/css" href="https://www.heritageceilings.com.au/style.css" />
If you have CS5 you should have the find and replace feature. If you don't know how to use it, see this link. Please make a backup of your site first.
Once you've changed your links, scan using Screaming Frog for broken links and insecure content.
If you don't want to change the urls over, then don't change your site to SSL. It's one or the other, not both.
1 - Change urls / images and css to use absolute links - eg. http://www.mysite.com/page/ instead of <a href="../../page/">
2 - Find and replace http://www.mysite.com/ and replace with https://www.mysite.com/
3 - Add http to https rewrites in .htaccess file (basically what Ben was trying to tell you to do but different)- make sure to include either www or non-www rewrite.
4 - scan site to check for broken links / insecure content
5 - request sites that link to you also change to https. Most will have no problem.
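A check for step 4 above and for the sitewide find-and-replace suggested earlier in the thread, as an added example (not code from any poster): it lists every `http://` reference in a page, separating resources the browser fetches while rendering (what it reports as mixed content) from ordinary hyperlinks, and upgrades only same-site URLs. The function names and the sample markup, including `cdn.example.net`, are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# (tag, attribute) pairs the browser fetches while rendering the page.
FETCHED = {("script", "src"), ("img", "src"), ("iframe", "src"), ("embed", "src"),
           ("source", "src"), ("audio", "src"), ("video", "src"), ("object", "data")}
FETCHING_RELS = {"stylesheet", "icon", "preload"}  # <link rel=...> values that load a file

class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        rels = set((attr.get("rel") or "").lower().split())
        for name in ("src", "href", "data"):
            url = (attr.get(name) or "").strip()
            if not url.lower().startswith("http://"):
                continue  # relative, protocol-relative and https:// URLs are fine
            fetched = (tag, name) in FETCHED or (tag == "link" and rels & FETCHING_RELS)
            kind = "subresource" if fetched else "link"
            self.refs.append((self.getpos()[0], tag, kind, url))

def find_insecure_refs(html):
    """Return (line, tag, kind, url) for every http:// reference in the markup."""
    collector = _RefCollector()
    collector.feed(html)
    return collector.refs

def upgrade_same_site(html, host):
    """Rewrite http://host to https://host; other hosts and explicit ports are left alone."""
    pattern = re.compile(r"http://(" + re.escape(host) + r")(?![\w.:-])", re.I)
    return pattern.sub(r"https://\1", html)

# Constructed sample page; www.mysite.com is the placeholder host used in the steps above.
SAMPLE = """<link rel="stylesheet" type="text/css" href="style.css" />
<p class="page-top-links"><a href="http://www.mysite.com/index.php">Home</a></p>
<img src="http://www.mysite.com/images/logo.jpg" alt="logo">
<script src="http://cdn.example.net/lib.js"></script>
<a href="http://www.mysite.com.example.net/">lookalike host, must not be rewritten</a>
"""

if __name__ == "__main__":
    fixed = upgrade_same_site(SAMPLE, "www.mysite.com")
    for line, tag, kind, url in find_insecure_refs(fixed):
        print(f"line {line}: <{tag}> {kind} still on http: {url}")
```

Run it on a backup copy of the site folder first; anything still listed as a subresource after the rewrite is third-party content that needs its own https URL.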
Have a look at the code at bunchokids.org. I have done none of what you are saying.
Yes and your site is indexed in google using both https and no https. Image attached.
Google site:bunchokids.org
Correct and it will stay that way until Google has finished doing the updates. The site was changed about a week ago to accommodate the secure socket layer (SSL)
Edit: All the more reason for using the redirect.
Could you please explain the "why" for your first list item?
I have routinely observed the opposite of that advice given to those moving from http to https in a multitude of forums and articles. And from my own development of secure sites, I have never seen a security-based reason for converting from document relative to absolute paths for image and page links within the same site.
I'm curious to see if there is some other valid reasoning I've been missing for doing that.
OP could use a protocol relative url. I am referring to his file path as <a href="filename.php"> Regardless of which method OP uses, OP's links still need to be updated.
kaus1979 wrote
...1 - Change urls / images and css to use absolute links - eg. http://www.mysite.com/page/ instead of <a href="../../page/">
2 - Find and replace http://www.mysite.com/ and replace with https://www.mysite.com/
3 - Add http to https rewrites in .htaccess file (basically what Ben was trying to tell you to do but different)- make sure to include either www or non-www rewrite.
4 - scan site to check for broken links / insecure content
5 - request sites that link to you also change to https. Most will have no problem.
I'm sorry, I guess I missed the non-numbered items in your list. I'm looking for the "why" of #1 on your list of 5 specifically.
What is the reasoning behind changing document relative paths to absolute paths within your secure site?
I've always used absolute to prevent duplicate content issues.
Absolute specifies the exact url you want indexed. A relative url does not. With a relative url you have multiple versions of your website available. Rewrite rules help but for https, I would rather ensure that the correct protocol is served to avoid any possibility of canonicalization issues.
WP sites will also add a canonical tag in the header. This is another solution as it specifically states what the correct url is.
Here's a good link on the topic
Should I Use Relative or Absolute URLs? - Whiteboard Friday - Moz
Darn, now there is a lot of stuff going on here today so I won't be able to start tackling this issue till tomorrow.
Ben I'm in the same time zone as Perth but I live two hours south of Perth.
kaus1979 I don't have an .htaccess file. I think this may be because I have a Windows server. Would this be right?
I had another look at your site and it is nicely redirected to HTTPS, so in that area there is no need to worry about that, i.e. .htaccess (unix) or web.config (windows)
The problem is contained in this notice
The reason why the site is not fully secure is because the site uses absolute paths that point to HTTP as in
<p class="page-top-links"><a href="http://www.heritageceilings.com.au/index.php" title="Pressed tin budget priced walls, ceilings and splashbacks">Home</a></p>
There are two ways to overcome the issue, namely
The difference between absolute paths and relative paths is entirely a choice of the web developer. The advantage that a relative path has is that you would not have had to change anything in your document for the site to be fully secure. Some argue that absolute paths are better for SEO, but nothing is further from the truth.
As osgood_ has stated, you can do a search and replace on the whole site to make the changes.
osgood_ I see that you made mention of the fact that I suggested keeping http instead of changing to https. It was quite late at night after a hard day's toil and I did not understand what you were saying. I have always used relative paths so I did not think that there were those that used absolute paths. I did not have to change anything in my documents to get the full security working. To keep a document portable it is always best to use relative paths.