
[HOW TO] SSL, htaccess, and Menu Setup for Joomla

    • Ben Lee
    • Elite Rocketeer
    • Posts: 4193
    • Thanks: 42

    [HOW TO] SSL, htaccess, and Menu Setup for Joomla

    Posted 13 years 7 months ago
    • One of the more confusing aspects of setting up a site that requires some pages to be SSL enabled is how to force "https" on those pages and still have the other pages only use "http://". The following is a quick tutorial on htaccess, how the rules work, and what the code in there really stands for.


      The first step in making this easy for yourself is to set up your menu and url aliases in an organized fashion. The strategy we will be using to secure pages will secure the menu item page as well as everything under it. The reason for this approach is to make sure we also include any "Thank You" pages for forms, any sub-pages, and any other "site to user" and "user to site" information transactions that need to be secured.

      I suggest using Joomla's core url rewrite system as it works very well and is less likely to cause confusion down the road.

      The order for the following rules is important, so map out what you want to achieve first, then apply the rules you need accordingly.

      Joomla's core htaccess file (version 1.5) has a section for custom rules and redirects. Everything we add will go under these lines:
      ########## Begin - Custom redirects
      #
      # If you need to redirect some pages, or set a canonical non-www to
      # www redirect (or vice versa), place that code here. Ensure those
      # redirects use the correct RewriteRule syntax and the [R=301,L] flags.

      Joomla's core htaccess file also already designates the rewrite engine as turned on using this line:
      RewriteEngine On

      As long as your rules follow this line in the htaccess file, things should work fine.

      The first line we are going to use will rewrite anything that is "https" but does not need to be, to "http":
      RewriteCond %{HTTPS} !=off
      RewriteRule ^(mainmenu-item-one.*|mainmenu-item-two.*|mainmenu-item-three.*)$ http://www.mysite.com/$1 [NC,R=301,L]

      In this rule the first line reads as: "if https is not off"...or in other words... "if https is on".

      The rewrite rule lists three menu items which is really what the url reads after your domain:

      www.mysite.com/mainmenu-item-one
      www.mysite.com/mainmenu-item-two
      www.mysite.com/mainmenu-item-three


      There is a " .* " after each of these.
        A dot (or period) indicates any single arbitrary character.
        Asterisk matches zero or more of the preceding character. e.g., use “.*” as a wildcard.

      This lets us say that anything including the menu items and anything after these menu items will be rewritten to NOT include "https".

      The last items between the square brackets are "flags" and the definitions of what they do are as follows:
      N - Next: instructs Apache to rerun the rewrite rule until all rewriting directives have been achieved.
      C - Chain: instructs server to chain the current rule with the previous rule.
      R=301 - Redirect: instructs Apache to issue a redirect, causing the browser to request the rewritten/modified URL. 301 - Moved Permanently.
      L - Last rule: instructs the server to stop rewriting after the preceding directive is processed.

      The up arrow " ^ " and the dollar symbol " $ " denote the beginning and end of the regex expression.

      So, using what we know about these definitions, the approach we're using is:
      ^domain.*

      which defines a string that begins with the term “domain”, which then may be followed by any number of any characters.

      The vertical bar " | " lets you continue your list of urls that you are writing this rule for.


      Now for the next line which writes items that are not secured (http) to a secured (https) url:
      RewriteCond %{HTTPS} !=on
      RewriteRule ^(mainmenu-item-four.*|contact-us)$ https://www.mysite.com/$1 [NC,R=301,L]

      Everything under " www.mysite.com/mainmenu-item-four " and including " www.mysite.com/mainmenu-item-four " will be rewritten to use "https".

      Notice for "contact-us" there is no "dot asterisk" following it. This is because we only want to secure the actual Contact Us page and not anything underneath it.

      We also have the same use of the "flags" discussed before.


      Now we would like to have canonical urls sorted so that everything always reads with a "www." in front.
      # Redirect non-canonical hostname requests to canonical domain
      RewriteCond %{HTTP_HOST} !=www.mysite.com
      RewriteCond %{HTTPS}>s ^(on>(s)|[^>]+>s)$
      RewriteRule ^(.*)$ http%2://www.mysite.com/$1 [R=301,L]

      This expression will rewrite anything not including a "www." in the url to a url including the "www.". This is true whether it's "http" or "https".


      Please refer to the outstanding resource on htaccess code " Stupid htaccess Tricks " which is where I studied up to sort out this strategy.

      Additional reference links:

      http://magazine.joomla.org/issues/Issue-Oct-2010/item/214

      https://akeeba.assembla.com/code/master-htaccess/git/nodes/htaccess.txt


      The full code used in this example as it would be placed in the .htaccess file:
      RewriteCond %{HTTPS} !=off
      RewriteRule ^(mainmenu-item-one.*|mainmenu-item-two.*|mainmenu-item-three.*)$ http://www.mysite.com/$1 [NC,R=301,L]
       
      RewriteCond %{HTTPS} !=on
      RewriteRule ^(mainmenu-item-four.*|contact-us)$ https://www.mysite.com/$1 [NC,R=301,L]
       
      # Redirect non-canonical hostname requests to canonical domain
      RewriteCond %{HTTP_HOST} !=www.mysite.com
      RewriteCond %{HTTPS}>s ^(on>(s)|[^>]+>s)$
      RewriteRule ^(.*)$ http%2://www.mysite.com/$1 [R=301,L]


      Other Notes:

      When using url rewrite components, be cautious of what is being rewritten, why, and how. It's possible to create rewrite loops where one rule just redoes the one before it and the browser never finishes.

      If you run into issues, try using this strategy with all other rewrite extensions turned off and just using Joomla's core rewrite engine.
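
Added example, not part of the original post: a small Python model of the three rules in the full listing above, which follows the redirects a request would receive and flags a rewrite loop. It covers only the RewriteCond/RewriteRule lines shown in the post; `rewrite_once`, `follow` and the sample paths are constructed for illustration, and Joomla's own SEF rules and ports in the Host header are not modeled.

```python
import re

CANON = "www.mysite.com"  # host used in the post's rules
# (HTTPS state the RewriteCond requires, RewriteRule pattern, target scheme),
# in the order the post places them in .htaccess.
POST_RULES = [
    ("on", r"^(mainmenu-item-one.*|mainmenu-item-two.*|mainmenu-item-three.*)$", "http"),
    ("off", r"^(mainmenu-item-four.*|contact-us)$", "https"),
]

def rewrite_once(scheme, host, path, rules=POST_RULES):
    """Return the (scheme, host, path) of the 301 a request gets, or None."""
    https = "on" if scheme == "https" else "off"
    for state, pattern, target in rules:
        # Apache parses NC as one flag (nocase); L stops at the first hit.
        m = re.match(pattern, path, re.IGNORECASE)
        if https == state and m:
            return (target, CANON, m.group(1))
    if host != CANON:
        # "%{HTTPS}>s" is "on>s" or "off>s"; group 2 (%2) is "s" only for "on".
        cond = re.match(r"^(on>(s)|[^>]+>s)$", https + ">s")
        return ("http" + (cond.group(2) or ""), CANON, path)
    return None

def follow(scheme, host, path, rules=POST_RULES, limit=10):
    """Follow redirects hop by hop; return (hops, looped)."""
    hops = [(scheme, host, path)]
    for _ in range(limit):
        nxt = rewrite_once(*hops[-1], rules=rules)
        if nxt is None:
            return hops, False
        if nxt in hops:  # same URL seen twice: the browser would never finish
            return hops + [nxt], True
        hops.append(nxt)
    return hops, True

if __name__ == "__main__":
    # Constructed sample requests (path is given without the leading slash,
    # as a RewriteRule in .htaccess sees it).
    for req in [("https", CANON, "mainmenu-item-one/sub"),
                ("http", "mysite.com", "contact-us"),
                ("http", CANON, "contact-us/thanks"),
                ("https", CANON, "about")]:
        hops, looped = follow(*req)
        print(" -> ".join("%s://%s/%s" % h for h in hops), "(loop)" if looped else "")
```

In this model `contact-us/thanks` stays on http and `about` keeps whichever scheme it arrived with, so any page that must be encrypted has to appear in the https list, with `.*` if its sub-pages carry form data.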
    • Brian Peat
    • Elite Rocketeer
    • Posts: 679
    • Thanks: 5
    • Joomla and Wordpress site developer

    Re: [HOW TO] SSL, htaccess, and Menu Setup for Joomla

    Posted 13 years 5 months ago
    • Any idea how to do this if you already have the redirect from www to non www in place, and all you want to do is set SPECIFIC menu items (not the whole top level menu item, just one of the subs) to be secure?

      I tried the stock Joomla menu switch (turning ssl on for that item) and it just gets ignored. Is RokNavMenu not doing something it should be doing? Seems a whole lot easier if the built-in joomla ssl function for single menu items worked...
    • Brian Peat
      Peat Creative
      peatcreative.com
    • Ben Lee
    • Elite Rocketeer
    • Posts: 4193
    • Thanks: 42

    Re: [HOW TO] SSL, htaccess, and Menu Setup for Joomla

    Posted 13 years 4 months ago
    • Sorry for the late reply here.

      Joomla's core SSL feature is really not a working feature and takes a fair amount of work in htaccess before it does what you want it to do.

      I'm not sure what menu set up you're looking at and what might end up overriding other rules, but one work around for this might be the following:
        Create a "hidden" menu. Publish this to a module position that doesn't exist.
        Create a menu link to the page you need to secure.
        Use the "alias" to get to that link and set that url as secured.
        In your main menu or wherever you have the displayed link, use an "external" link and point it to the new SSL link.


      The only drawback here is that the menu link being external will not show as the "active" link.

      htaccess is pretty confusing so I try to stick with the rules I know and sometimes use a workaround like this to avoid trying too many new things at once.
    • Brian Peat
    • Elite Rocketeer
    • Posts: 679
    • Thanks: 5
    • Joomla and Wordpress site developer

    Re: [HOW TO] SSL, htaccess, and Menu Setup for Joomla

    Posted 13 years 4 months ago
    • As it turns out, in Joomla 1.7, you MUST keep the stock Redirect component active for this to work. I had turned it off since I was using ReDJ. Once I enabled it, the function DOES work as expected (setting a menu item to secure forces it to load with https), at least in my few tests it worked.

      thanks!

      Edit: Actually, I looked back through the site and remembered that I had installed a plugin called SSL redirect. THAT is what broke when I had disabled the Redirect component from joomla. So, I have no idea if the stock menu option even works actually.
    • Brian Peat
      Peat Creative
      peatcreative.com
    • Jhonsen
    • Newbie
    • Posts: 12
    • Thanks: 0
    • Jason

    Re: [HOW TO] SSL, htaccess, and Menu Setup for Joomla

    Posted 13 years 2 months ago
    • Thanks for the tips. Was using a plugin for this but no need to use that no more :P

      Keep rockin'
  • Re: [HOW TO] SSL, htaccess, and Menu Setup for Joomla

    Posted 13 years 1 month ago
    • This doesn't seem to be working for me at all. Can you see anything obviously wrong?
      ########## Begin - Custom redirects
      RewriteCond %{HTTPS} !=off
      RewriteRule ^(mainmenu-item-fifteen.*|mainmenu-item-sixteen.*|mainmenu-item-seventeen.*|mainmenu-item-eighteen.*|mainmenu-item-nineteen.*)$ http://www.tribaltraditions.org/$1 [NC,R=301,L]
       
      RewriteCond %{HTTPS} !=on
      RewriteRule ^(Hidden-item-twentynine.*)$ https://www.tribaltraditions.org/$1 [NC,R=301,L]
       
      # Redirect non-canonical hostname requests to canonical domain
      RewriteCond %{HTTP_HOST} !=www.tribaltraditions.org
      RewriteCond %{HTTPS}>s ^(on>(s)|[^>]+>s)$
      RewriteRule ^(.*)$ http%2://www.tribaltraditions.org/$1 [R=301,L]

      My problem is that when someone goes to the checkout screen, and then they navigate back into the site, the address retains the "https" and throws security errors in IE. I'm trying to force http on every page except the checkout (hidden menu id 29).
    • oj09
    • Hero Rocketeer
    • Posts: 395
    • Thanks: 0

    Re: [HOW TO] SSL, htaccess, and Menu Setup for Joomla

    Posted 11 years 10 months ago
    • Does the above Tutorial from 2011 still work as is above for Joomla 3.1.x at all?

      I've purchased an SSL cert from my hosting company and now need to implement it on the site, but can't start till I locate as up-to-date a tutorial as possible, to help me not make a hash of it, having never done this element before.

      Regards,
    • Ben Lee
    • Elite Rocketeer
    • Posts: 4193
    • Thanks: 42

    Re: [HOW TO] SSL, htaccess, and Menu Setup for Joomla

    Posted 11 years 10 months ago
    • I haven't tried it with the newest version of Joomla yet, but this is really just lines in your .htaccess file, so give it a try; if it doesn't work, just delete the lines and all is back to normal.

      Joomla's "redirects" and their option for setting to use SSL or no SSL, really just designates it for that particular menu item link but doesn't actually redirect to it. This means that both links can still be reached.

      The .htaccess files for 2.5 and 3.1 are the same as well, so I would expect things to work alright.
