Difference between revisions of "X-Cart:Configuring HTTPS"

From X-Cart 4 Classic
Jump to: navigation, search
(Created page with 'Firstly, you should obtain a SSL certificate. Basically most hosting companies offer help with purchasing SSL certificates or provide their own Shared SSL URLs. If your hosting c…')
 
 
(29 intermediate revisions by 7 users not shown)
Line 1: Line 1:
Firstly, you should obtain a SSL certificate. Basically most hosting companies offer help with purchasing SSL certificates or provide their own Shared SSL URLs. If your hosting company doesn't offer you such services you will have to choose a certificate yourself.
+
This article provides guidelines for configuring HTTPS for your X-Cart store.
We will be glad to help you with this matter. You can purchase SSL certificates from our company. We sell SSL certificates and TrustLogo seals provided by the world leading Certification Authority Comodo Group http://www.comodogroup.com. For details, conditions and prices please see http://www.x-cart.com/trustlogo.html and http://www.x-cart.com/ssl_certificates.html.
 
  
If you are on dedicate server we are able to offer you our service to analyze and configure your server and/or install the SSL Certificate. Please note we need have 'root' SSH access or 'Administrator' MS Remote Access Desktop to perform the tasks.
+
==Obtain an SSL certificate==
  
To configure HTTPS server in X-Cart, you need modify <xcart_dir>/config.php file:
+
To use HTTPS for your X-Cart store site, you need to obtain an SSL certificate and have it properly installed and configured on your web server. You also need to monitor your SSL certificate expiration date and be ready to renew it when necessary.  
  
<pre>
+
The majority of hosting companies help their customers to purchase SSL certificates or provide their own Shared SSL URLs. If your hosting company does not render such services, you will need to purchase a certificate on your own.
#
 
# X-Cart HTTP & HTTPS host
 
# and web directory where X-Cart installed
 
#
 
# NOTE:
 
# You should put here hostname ONLY without http:// or https:// prefixes
 
# Do not put slashes after the hostname
 
# Web dir is the directory in the URL, not the filesystem path
 
# Web dir must start with slash and have no slash at the end
 
# The only exception is when you configure for the root of the site,
 
# in which case you write single slash in it
 
#
 
# EXAMPLE 1:
 
# $xcart_http_host ="www.yourhost.com";
 
# $xcart_https_host ="www.securedirectories.com/yourhost.com";
 
# $xcart_web_dir ="/xcart";
 
# will result in the following URLs:
 
# http://www.yourhost.com/xcart
 
# https://www.securedirectories.com/yourhost.com/xcart
 
#
 
# EXAMPLE 2:
 
# $xcart_http_host ="www.yourhost.com";
 
# $xcart_https_host ="www.yourhost.com";
 
# $xcart_web_dir ="/";
 
# will result in the following URLs:
 
# http://www.yourhost.com/
 
# https://www.yourhost.com/
 
</pre>
 
  
If you are going to use secure server you should copy the whole X-Cart directory into HTTPS location (or secure server if it is different from HTTP server), then delete all files and directories from directory <xcart_dir>/templates_c on HTTPS location.
+
We will be glad to assist you with this issue. You can purchase SSL certificates from our company. We sell SSL certificates provided by the world's leading Certification Authority, [https://www.comodogroup.com Comodo Group]. For details, conditions and prices, please see https://www.x-cart.com/ssl/.
  
If both HTTP and HTTPS locations are located on the same Unix server you should just create symbolic link from HTTPS location to HTTP location of X-Cart. Contact your hosting administrators with this issue.
+
If you are on a dedicated server, we can offer you our service on analyzing and configuring your server and/or install an SSL Certificate on it. Please note that we will need the 'root' access to your server over SSH or the 'Administrator' access over MS Remote Access Desktop to complete these tasks.
  
Finally you can turn on the following options:
+
==Configure the HTTPS server in X-Cart==
- to set up secure checkout, go to admin area, "Payment methods" page and select HTTPS as protocol for payment methods which you are going to use
 
- "Use HTTPS for users' login and registration" ("General settings")
 
- "Use secure login form on a separate page (HTTPS)" ("General settings"). If you need secure certain php scripts you should add https scripts to <xcart_dir>/https.php file, 'https_scripts' array.
 
  
If you want to switch the whole x-cart to secure mode edit https.php file. Find the line
+
Once you have an SSL certificate for your store site installed and configured, you should adjust the HTTPS server settings in X-Cart. If your HTTPS host differs from your HTTP host, you will need to edit the file <xcart_dir>/config.php specifying your HTTPS host in the variable $xcart_https_host.  
  
<pre>
+
==Enable HTTPS for your store==
 +
 
 +
<div id="https_for_all_pages"> </div>
 +
===Enable HTTPS for the entire X-Cart store site===
 +
 
 +
====Method 1. Use for web servers with support for .htaccess, like apache====
 +
<div class="mw-collapsible">
 +
If you are using a web server of the above-named type, to set your entire X-Cart store to operate over HTTPS, you should add the following code to the .htaccess file after the line "RewriteBase":
 +
<nowiki>
 +
RewriteCond %{HTTPS} off
 +
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
 +
</nowiki>
 +
If the canonical URL of your site is known, it will be even better to add the rules as follows:
 +
<nowiki>
 +
RewriteCond %{HTTPS} off
 +
RewriteRule ^(.*)$ https://example.com/$1 [^] [R=301,L]
 +
</nowiki>
 +
(Be sure to replace "example.com" with your actual canonical URL).
 +
The above code should be added ''before'' the code for handling Clean URLs.
 +
 
 +
You can also use the following instructions:
 +
https://www.sslshopper.com/apache-redirect-http-to-https.html
 +
</div>
 +
<br />
 +
Enable the 'Use secure protocol (HTTPS)' option for X-Cart versions 4.7.9 and later.
 +
 
 +
 
 +
====Method 2. Use for servers like nginx.conf====
 +
<div class="mw-collapsible">
 +
Convert the rules cited in Method 1 above
 +
to nginx.conf
 +
as follows:
 +
<nowiki>
 +
server {
 +
    listen 80 default_server;
 +
    listen [::]:80 default_server;
 +
    server_name _;
 +
    return 301 https://$host$request_uri;
 +
}
 +
</nowiki>
 +
For more info, see:
 +
https://www.bjornjohansen.no/redirect-to-https-with-nginx
 +
</div>
 +
<br />
 +
 
 +
Enable the 'Use secure protocol (HTTPS)' option for X-Cart versions 4.7.9 and later.
 +
<br /><br />
 +
====Method 3. Use in addition to Methods 1 or 2 above or as a standalone method if Methods 1 or 2 cannot be used====
 +
<div class="mw-collapsible">
 +
'''X-Cart versions 4.7.9 and later:'''<br />
 +
To switch your entire X-Cart store to HTTPS:
 +
# In your X-Cart store's Admin area, go to the '<u>General settings/Security options</u>' page and scroll down to the '''HTTPS options''' section.
 +
# Enable the 'Use secure protocol (HTTPS)' option:<br />[[File:xc4_use_secure_protocol_479nlater.png|border|700px]]
 +
# Save the changes.
 +
 
 +
'''X-Cart versions prior to 4.7.9:'''<br />
 +
To switch your entire X-Cart store to HTTPS, edit the file https.php.
 +
Find the line:
 +
<nowiki>
 
function is_https_link($link, $https_scripts) {
 
function is_https_link($link, $https_scripts) {
</pre>
+
</nowiki>
 
 
 
and replace it with
 
and replace it with
 
+
<nowiki>
<pre>
 
 
function is_https_link($link, $https_scripts) {
 
function is_https_link($link, $https_scripts) {
 
return true;
 
return true;
</pre>
+
</nowiki>
 +
</div>
 +
 
 +
===Enable HTTPS for the login, registration, checkout and payment pages (X-Cart versions prior to 4.7.9)===
 +
If you do not wish to enable HTTPS for the entire store site but need HTTPS for the login, registration, checkout and payment pages:
 +
# In your X-Cart store's Admin area, go to the '<u>General settings/Security options</u>' page and scroll down to the '''HTTPS options''' section.
 +
# Enable the 'Use secure protocol (HTTPS)  for login, registration, checkout and payment pages' option:<br />[[File:xc4_use_secure_protocol_before479.png|border|700px]]
 +
# If you wish, enable the following HTTPS options on the same page:
 +
#* [[X-Cart:Security_Options#HTTPS_options | Use HTTPS for users' login and registration]]
 +
#* [[X-Cart:Security_Options#HTTPS_options | Use secure login form on a separate page (HTTPS)]] (Available in X-Cart versions 4.5.4 and earlier. Removed in X-Cart 4.5.5)
 +
# Save the changes.
 +
# If using X-Cart 4.5.4 or earlier, go to the Payment Methods configuration page and specify which payment methods should work using the HTTPS protocol. Save the changes.
 +
 
 +
===Enable HTTPS for specific php scripts===
 +
If you do not wish to enable HTTPS for the entire store site but just need to secure some php scripts in your X-Cart store so they can only be accessed via HTTPS, you should add the scripts that need to be secured to the 'https_scripts' array in the file <xcart_dir>/https.php. You can find some examples of how that can be done right in the file <xcart_dir>/https.php:
 +
 
 +
<nowiki>
 +
$https_scripts[] = 'login.php';
 +
$https_scripts[] = array(
 +
'cart.php',
 +
"mode=checkout",
 +
);
 +
</nowiki>
 +
 
 +
==HTTPS Proxy==
 +
If your web server does not use SSL certificates, and you are running an HTTPS Proxy instead, you may need to configure some additional settings to enable your X-Cart work over SSL (secure connection). In the file include/https_detect.php, specify the proxy IP address and set the $HTTPS variable to 'true':
 +
 
 +
<nowiki>
 +
if ($_SERVER['REMOTE_ADDR'] == '192.160.1.1') {
 +
$HTTPS_RELAY = true;
 +
$HTTPS = true;
 +
}
 +
</nowiki>
 +
 
 +
If you are not sure whether your web server uses SSL certificates or runs behind an HTTPS Proxy, contact your hosting service provider or server administrator or email our technical support - we will help you find that out.
 +
 
 +
==Troubleshooting==
 +
 
 +
If you experience problems with external services (payment / shipping) working over https while using curl/libcurl as the https module, try adding the following line to <u>top.inc.php</u>:
 +
 
 +
<nowiki>
 +
define('USE_CURLOPT_SSL_VERIFYPEER', 1);
 +
</nowiki>
 +
 
 +
after
 +
 
 +
<nowiki>
 +
$xcart_dir = rtrim(realpath($xcart_dir), XC_DS);
 +
</nowiki>
 +
<br /><br />
 +
 
  
 
[[Category:X-Cart user manual]]
 
[[Category:X-Cart user manual]]

Latest revision as of 17:41, 22 July 2020

This article provides guidelines for configuring HTTPS for your X-Cart store.

Obtain an SSL certificate

To use HTTPS for your X-Cart store site, you need to obtain an SSL certificate and have it properly installed and configured on your web server. You also need to monitor your SSL certificate expiration date and be ready to renew it when necessary.

The majority of hosting companies help their customers to purchase SSL certificates or provide their own Shared SSL URLs. If your hosting company does not render such services, you will need to purchase a certificate on your own.

We will be glad to assist you with this issue. You can purchase SSL certificates from our company. We sell SSL certificates provided by the world's leading Certification Authority, Comodo Group. For details, conditions and prices, please see https://www.x-cart.com/ssl/.

If you are on a dedicated server, we can offer you our service on analyzing and configuring your server and/or install an SSL Certificate on it. Please note that we will need the 'root' access to your server over SSH or the 'Administrator' access over MS Remote Access Desktop to complete these tasks.

Configure the HTTPS server in X-Cart

Once you have an SSL certificate for your store site installed and configured, you should adjust the HTTPS server settings in X-Cart. If your HTTPS host differs from your HTTP host, you will need to edit the file <xcart_dir>/config.php specifying your HTTPS host in the variable $xcart_https_host.

Enable HTTPS for your store

Enable HTTPS for the entire X-Cart store site

Method 1. Use for web servers with support for .htaccess, like apache

If you are using a web server of the above-named type, to set your entire X-Cart store to operate over HTTPS, you should add the following code to the .htaccess file after the line "RewriteBase":

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] 

If the canonical URL of your site is known, it will be even better to add the rules as follows:

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://example.com/$1 [^] [R=301,L]

(Be sure to replace "example.com" with your actual canonical URL). The above code should be added before the code for handling Clean URLs.

You can also use the following instructions: https://www.sslshopper.com/apache-redirect-http-to-https.html


Enable the 'Use secure protocol (HTTPS)' option for X-Cart versions 4.7.9 and later.


Method 2. Use for servers like nginx.conf

Convert the rules cited in Method 1 above to nginx.conf as follows:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

For more info, see: https://www.bjornjohansen.no/redirect-to-https-with-nginx


Enable the 'Use secure protocol (HTTPS)' option for X-Cart versions 4.7.9 and later.

Method 3. Use in addition to Methods 1 or 2 above or as a standalone method if Methods 1 or 2 cannot be used

X-Cart versions 4.7.9 and later:
To switch your entire X-Cart store to HTTPS:

  1. In your X-Cart store's Admin area, go to the 'General settings/Security options' page and scroll down to the HTTPS options section.
  2. Enable the 'Use secure protocol (HTTPS)' option:
    Xc4 use secure protocol 479nlater.png
  3. Save the changes.

X-Cart versions prior to 4.7.9:
To switch your entire X-Cart store to HTTPS, edit the file https.php. Find the line:

function is_https_link($link, $https_scripts) {

and replace it with

function is_https_link($link, $https_scripts) {
return true;

Enable HTTPS for the login, registration, checkout and payment pages (X-Cart versions prior to 4.7.9)

If you do not wish to enable HTTPS for the entire store site but need HTTPS for the login, registration, checkout and payment pages:

  1. In your X-Cart store's Admin area, go to the 'General settings/Security options' page and scroll down to the HTTPS options section.
  2. Enable the 'Use secure protocol (HTTPS) for login, registration, checkout and payment pages' option:
    Xc4 use secure protocol before479.png
  3. If you wish, enable the following HTTPS options on the same page:
  4. Save the changes.
  5. If using X-Cart 4.5.4 or earlier, go to the Payment Methods configuration page and specify which payment methods should work using the HTTPS protocol. Save the changes.

Enable HTTPS for specific php scripts

If you do not wish to enable HTTPS for the entire store site but just need to secure some php scripts in your X-Cart store so they can only be accessed via HTTPS, you should add the scripts that need to be secured to the 'https_scripts' array in the file <xcart_dir>/https.php. You can find some examples of how that can be done right in the file <xcart_dir>/https.php:

$https_scripts[] = 'login.php';
$https_scripts[] = array(
'cart.php',
"mode=checkout",
);

HTTPS Proxy

If your web server does not use SSL certificates, and you are running an HTTPS Proxy instead, you may need to configure some additional settings to enable your X-Cart work over SSL (secure connection). In the file include/https_detect.php, specify the proxy IP address and set the $HTTPS variable to 'true':

if ($_SERVER['REMOTE_ADDR'] == '192.160.1.1') {
$HTTPS_RELAY = true;
$HTTPS = true;
}

If you are not sure whether your web server uses SSL certificates or runs behind an HTTPS Proxy, contact your hosting service provider or server administrator or email our technical support - we will help you find that out.

Troubleshooting

If you experience problems with external services (payment / shipping) working over https while using curl/libcurl as the https module, try adding the following line to top.inc.php:

define('USE_CURLOPT_SSL_VERIFYPEER', 1);

after

 
$xcart_dir = rtrim(realpath($xcart_dir), XC_DS);