Here goes:
I have a Zen Cart store on Linux. I have noticed on major e-commerce sites that certain rewrites exist for several simple behaviors. Here it is in a nutshell, followed by code I’ve put together that solves all the behaviors, but causes mixed encryption on secure pages, so I lose the padlock.
Goals:
- http to https if for whatever reason the ‘s’ is missing from the request (actually need secure page).
- https to http if for whatever reason the ‘s’ is included in the request (actually do not need secure page).
- addition of www wherever it is missing, for both protocols.
- no loss of padlock due to mixed encryption resulting from rewrite rules, specifically second rule below.
So, that is really all there is to the goals. Below is the code, but first a brief explanation of why the padlock – possibly due to mixed encryption – is seemingly getting lost.
On the second rule below, all is well with the URL in the browser address bar after testing the behaviors, but apparently some page elements are making their way through the second rule, and thus getting http instead of https, and thus causing mixed encryption leading to loss of padlock in IE. In FF, it is a warning padlock. This is my guess at this point about why there is an encryption problem with the second rule. I have not been able to determine if this is exactly true (mixed encryption), or which elements might be causing it, but I’m pretty sure ‘img src’ references are properly calling with relative references in the site directories, so maybe images are not the problem. There are some scripts on the secure pages, but I have not been able to determine if they are going through the second rule and thus causing the problem. I have pinned down that the query_string filter in the second rule seems to be ‘letting something through,’ which is why I figured it must be page elements.
One final note – it may be that major commerce sites use an entirely different method of achieving the behaviors outlined above, but I thought I would be able to do this all in the site’s root htaccess. After three days, this is where I am at, with all behaviors working but loss of padlock, possibly due to mixed encryption resulting from the second rule. So, here goes, and all help is, of course, profoundly appreciated. PS: I have to use QUERY_STRING for filtering because Zen Cart is php.
RewriteEngine On
#
# Do not apply following rules to admin area of Zen Cart.
RewriteRule ^(zc_admin) - [L]
#
# Redirect to https (port 443) and/or add www, when needed, for all secure pages in QUERY_STRING list.
RewriteCond %{SERVER_PORT} !^443$ [OR]
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteCond %{QUERY_STRING} (log(in|off)|account|checkout|contact|address|time_out|password)
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
#
# Redirect to http (port 80) and/or add www, when needed, for all pages other than those in QUERY_STRING list.
RewriteCond %{SERVER_PORT} ^443$ [OR]
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteCond %{QUERY_STRING} !(log(in|off)|account|checkout|contact|address|time_out|password)
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
#
Thank you anyone for checking this code and/or offering advice. Hopefully, it might be something simple to fix it, as I’m not an experienced coder.
Jim
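
The two posted rules modelled in Python, as an added example that is not part of the original post: it runs a secure page and the sub-resources it would load over https through the rules and lists the requests that end up redirected to http. The paths and query strings in the sample are constructed, and default ports 80/443 are assumed.

```python
import re

# Patterns copied from the posted rules.
SECURE_QS = re.compile(r"(log(in|off)|account|checkout|contact|address|time_out|password)")
WWW_HOST = re.compile(r"^(www\.example\.com)?$")

def evaluate(scheme, host, path, query=""):
    """Return the 301 target the posted rules produce, or None if the request passes through.

    path is what a root .htaccess sees: no leading slash. Default ports are assumed.
    """
    port = 443 if scheme == "https" else 80
    if re.search(r"^(zc_admin)", path):           # admin exclusion: "-" with [L]
        return None
    wrong_host = WWW_HOST.search(host) is None    # !^(www\.example\.com)?$
    secure_page = SECURE_QS.search(query) is not None
    suffix = path + ("?" + query if query else "")  # a redirect keeps the query string
    # First rule: (not port 443 OR wrong host) AND query string in the secure list.
    if (port != 443 or wrong_host) and secure_page:
        return "https://www.example.com/" + suffix
    # Second rule: (port 443 OR wrong host) AND query string NOT in the secure list.
    if (port == 443 or wrong_host) and not secure_page:
        return "http://www.example.com/" + suffix
    return None

def downgraded(requests):
    """List the https requests that get redirected to an http URL."""
    hits = []
    for scheme, host, path, query in requests:
        target = evaluate(scheme, host, path, query)
        if scheme == "https" and target and target.startswith("http://"):
            hits.append((path, target))
    return hits

# Constructed sample: one secure page and the sub-resources it would load over https.
SAMPLE = [
    ("https", "www.example.com", "index.php", "main_page=login"),
    ("https", "www.example.com", "includes/templates/demo/css/stylesheet.css", ""),
    ("https", "www.example.com", "includes/templates/demo/jscript/jscript_demo.js", ""),
    ("https", "www.example.com", "images/logo.gif", ""),
]

if __name__ == "__main__":
    for path, target in downgraded(SAMPLE):
        print(f"{path} -> {target}")
```

The login page itself passes untouched, but each https sub-resource request carries no query string from the secure list, so the second rule answers it with a 301 to http, which the browser reports as mixed content.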