force SSL for all pages, but also set 301 redirects

1 2 >
Posted: September 21, 2016 at 2:51 AM Quote #175645
Because they want to make the Internet more secure, in mid-2016 Google began increasing the page rank of all websites that SSL encrypt their entire websites, and in 2017, they will begin penalizing those sites who do not.

I want to force SSL for my entire site and do not want to cause 404's for all my organic search traffic, so I am wondering if the best method is to change the value in the settings table as described in this post, or if just setting the "forceSSL" value to true in the web.config and defining my own redirect rule like below is the best choice.
     <rule name="Redirect to http" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" negate="false" />
      <conditions logicalGrouping="MatchAny">
        <add input="{HTTPS}" pattern="off" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
    </rule>


I'm running version 3.40 of nopCommerce.
Any advice is welcome-

Thanks,
Steve
This post/answer is useful
1
This post/answer is not useful

Please login or register
to vote for this post.

(click on this box to dismiss)
An upvote on a helpful post means "thank you" in every language. I believe in this community. For every question I ask, I try to answer at least five others.
Posted: September 21, 2016 at 3:00 AM Quote #175648
the "SecuritySettings.ForceSslForAllPages" setting is all that you need. If that is true, nopCommerce will do the redirect to https, if you access the page via http.
This post/answer is useful
1
This post/answer is not useful

Please login or register
to vote for this post.

(click on this box to dismiss)
nop-payments.com provides free payment plugins for nopCommerce.
Posted: September 21, 2016 at 4:42 AM Quote #175667
That much I understand, but is it also sending the 301 instruction for search engines so that they update my URL's in their index and do not continue listing my insecure URL's forever?
This post/answer is useful
0
This post/answer is not useful

Please login or register
to vote for this post.

(click on this box to dismiss)
An upvote on a helpful post means "thank you" in every language. I believe in this community. For every question I ask, I try to answer at least five others.
Posted: September 21, 2016 at 4:44 AM Quote #175668
embryo wrote:
That much I understand, but is it also sending the 301 instruction for search engines so that they update my URL's in their index and do not continue listing my insecure URL's forever?

I'm not sure about that, sorry. My SEO skills are quote low
This post/answer is useful
0
This post/answer is not useful

Please login or register
to vote for this post.

(click on this box to dismiss)
nop-payments.com provides free payment plugins for nopCommerce.
Posted: September 21, 2016 at 5:14 AM Quote #175670
Also, it seems to me that it would be much slower and inefficient to allow the client to open the site and create the threads and create a connection to the database to query the settings table to see the forceSSL setting and then redirect the user back to https and start over again...than it would be to let IIS catch the visitor as they enter the domain(web.config) and do the permanent redirect immediately.
Right?
This post/answer is useful
0
This post/answer is not useful

Please login or register
to vote for this post.

(click on this box to dismiss)
An upvote on a helpful post means "thank you" in every language. I believe in this community. For every question I ask, I try to answer at least five others.
Posted: September 21, 2016 at 5:36 AM Quote #175672
embryo wrote:
Also, it seems to me that it would be much slower and inefficient to allow the client to open the site and create the threads and create a connection to the database to query the settings table to see the forceSSL setting and then redirect the user back to https and start over again...than it would be to let IIS catch the visitor as they enter the domain(web.config) and do the permanent redirect immediately.
Right?


If we assume thats how they implemented it.. I bet there's some sort of cache there.. no one can think of that approach as being a good idea
This post/answer is useful
0
This post/answer is not useful

Please login or register
to vote for this post.

(click on this box to dismiss)
nop-payments.com provides free payment plugins for nopCommerce.
Posted: October 11, 2016 at 12:00 AM Quote #176875
nop-payments.com wrote:
Also, it seems to me that it would be much slower and inefficient to allow the client to open the site and create the threads and create a connection to the database to query the settings table to see the forceSSL setting and then redirect the user back to https and start over again...than it would be to let IIS catch the visitor as they enter the domain(web.config) and do the permanent redirect immediately.
Right?

If we assume thats how they implemented it.. I bet there's some sort of cache there.. no one can think of that approach as being a good idea


That's just it. I do not want to assume anything.

I'm hoping someone who knows for certain whether changing the setting in the admin area "Force SSL for all site pages:" ONLY updates the web.config here:

    <authentication mode="Forms">
      <forms name="NOPCOMMERCE.AUTH" loginUrl="~/login" protection="All" timeout="43200" path="/" requireSSL="TRUE" slidingExpiration="true" />
    </authentication>


..or if it ALSO adds something like this in the <rewrite> section:

     <rule name="Redirect to https" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" negate="false" />
      <conditions logicalGrouping="MatchAny">
        <add input="{HTTPS}" pattern="off" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
    </rule>


Anyone?.....anyone?....anyone?....Beuhler?
This post/answer is useful
0
This post/answer is not useful

Please login or register
to vote for this post.

(click on this box to dismiss)
An upvote on a helpful post means "thank you" in every language. I believe in this community. For every question I ask, I try to answer at least five others.
Posted: April 12, 2017 at 8:10 AM Quote #186425
I'm running 3.2 and it does not add anything to the <rewrite> node. I'm using rewritemaps and rules in that section and nothing changes.

The Force SSL works fine. However, it creates a 302 redirect. Our SEO consultant recommends using a 301 Permanent. My rule is below and it causes an infinite loop.

  <rule name="HTTP/S to HTTPS Redirect" enabled="true" stopProcessing="true">
        <match url="(.*)" />
        <conditions logicalGrouping="MatchAny">
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
  </rule>

My simple solution may be to create two sites, and the first is bound to http and it does a permanent redirect to the HTTPS site.
This post/answer is useful
0
This post/answer is not useful

Please login or register
to vote for this post.

(click on this box to dismiss)
Posted: April 12, 2017 at 1:57 PM Quote #186435
ppatel wrote:

My simple solution may be to create two sites, and the first is bound to http and it does a permanent redirect to the HTTPS site.


I ended up just adding my own rewrites node and it works fine...301's are issued to the engines.

     <rule name="Redirect to https" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" negate="false" />
      <conditions logicalGrouping="MatchAny">
        <add input="{HTTPS}" pattern="off" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
    </rule>
This post/answer is useful
0
This post/answer is not useful

Please login or register
to vote for this post.

(click on this box to dismiss)
An upvote on a helpful post means "thank you" in every language. I believe in this community. For every question I ask, I try to answer at least five others.
Posted: April 14, 2017 at 11:04 AM Quote #186519
Did you keep the Force SSL to true? I had to uninstall a redirect plugin and it still did not work. I initially had Force SSL set to false and it still failed. I uninstalled the 301 redirects and set the Force SSL to true and now it works.

I'll reinstall the 301 plugins and confirm it still works.

Thanks for your help.
This post/answer is useful
0
This post/answer is not useful

Please login or register
to vote for this post.

(click on this box to dismiss)
1 2 >
Premium support services
  • Dedicated premium support services provided by core developers are intended for persons who run mission critical websites, work on projects with tight deadlines, or want to get dedicated support.
Professional services
  • Want to open a new store? Want to take your store to the next level? Need a custom extension? We can customize nopCommerce to fit your store perfectly. Request a quote to get started.