CODEWITHSUNDEEP
phpsslhttpstypo3
Jason A. Lefkowitz
Jason A. Lefkowitz

Reputation: 966

Delivering static resources over SSL in TYPO3

I have a TYPO3 Web site that needs to have its home page (and only its home page) served over SSL.

My first stab at dealing with this was to install the HTTPS Enforcer extension, which lets you specify particular pages in your TYPO3 site that should be forced to HTTPS. At that level, the extension works as advertised. But the problem is that while requests for one of those pages are indeed handled over SSL, resources included inline in the page (like images) are not delivered over SSL. So you get a warning in your browser (which, depending on the browser, can range from a quiet information message to a full-out screaming warning page) telling you that the page isn't completely secure, which (understandably) freaks people out.

So my question is -- how do you get TYPO3 to deliver a complete page over SSL, including static resources? Is there some way to configure/extend HTTPS Enforcer to do that? Is there another extension that's better in this scenario? Or am I just completely out of luck?

Upvotes: 1

Views: 1268

Answers (2)

kraftb
kraftb

Reputation: 655

I guess it should be:

[globalVar = IENV:TYPO3_SSL = 1]
config.baseURL = https://ssl.example.com/
[global]

Note the "IENV": This is TYPO3 specific. "ENV" would only use the normal PHP variables in $_ENV or $_SERVER where TYPO3_SSL is not a valid key.

But what this does is only the following: Set a tag in the output so content of relativ links i.e. <img src="uploads/pics/image.jpg" /> will get fetched over SSL.

If you have asset links (images, css, etc.) to absolute URLs in your site this wont help. In such a case you could give the extension "https" a try (merge of https_enforcer and another extension) or stfl_replace to make some regex replacing "http://" links to "https://".

Upvotes: 1

konsolenfreddy
konsolenfreddy

Reputation: 9671

HTTPs Enforcer does a good job.

If it's just one page, you can create a condition to change the baseUrl:

[PIDinRootline = 123]
config.baseURL = https://www.example.com/
[global]

if it should work for a whole subdomain (e.g. ssl.example.com), your condition looks like this:

[globalString = ENV:HTTP_HOST=ssl.example.com]
config.baseURL = https://ssl.example.com/
[global]

With the second way, you can choose on a per page basis if the page should be encrypted or not.

A pitfall might be externally loaded ressources (like Facebook API etc.). They might not offer a SSL encrypted service.

EDIT (from @cascaval's comment) This might be the preferred solution:

[globalString = _SERVER|HTTPS=on]
config.baseURL = https://ssl.example.com/
[global]

EDIT (from @konsolenfreddy's comment)

[globalString = ENV:TYPO3_SSL=1]
config.baseURL = https://ssl.example.com/
[global]

Upvotes: 4

Related Questions