Magento – After Enabling SSL magento still loads default Javascript and CSS files with unsecure URLs

magento-1.9ssl

I enabled SSL in magento through following system configuration settings:

System > Configuration > General > Web > Secure > Use Secure URLs in Frontend > Yes

System > Configuration > General > Web > Secure > Use Secure URLs in Admin > Yes

System > Configuration > General > Web > Secure > Offloader header > SSL_OFFLOADED

System > Configuration > General > Web > Secure > Base JavaScript URL > {{secure_base_url}}js/

Above setting completely breaks the frontend and gives the error Blocked loading mixed active content because all the Javascript and CSS files are being loaded through unsecure URLs using http. My {{secure_base_url}} is having https and a trailing slash.

These settings also leave the admin panel inaccessible as it gives the error "This page is not redirecting properly" when accessing backend.

I am aware, similar questions have been asked here before and I tried all the solutions, but none of it is working.

I can make it work temporarily by forcefully changing unsecure URLs to secure ones. But this is not the best way. Ideally, when the request is on https, Magento automatically takes the secure Javascript and CSS URLs.

Any idea why this is happening ?

Best Answer

Please also update

System > Configuration > General > Web > Unsecure > Base URL

It should be https://www.example.com/ And add this code in .htaccess

#enable website to run https 
        RewriteCond %{HTTPS} off
        RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

And flush your Magento cache. For "Blocked loading mixed active content" open firebug console, it will tell which file is causing this error. If you are using static URL then you need to change it manually from http:// to https:// for more information on this visit here.

Related Solutions

Magento – Run entire website on https, except API URLs under http

Ok, didn't test this but should work. Since the API doesn't work on a store level (it uses 0) you could set the base urls to https on all websites but leave it as http on global scope.

Please find attached some amazing artwork that explains what I mean.

HTTPS with Cloudflare – Secure Your Website

The first issue you mention is the mixed content. There's a couple things it could be.

The first is make sure you're scope is correct in the admin panel. When you go to System->Configuration->Wed, are you viewing on the default scope or the website scope? If you're viewing on the default scope, switch to the website scope and see if it's inheriting from the default. If so, switch to the store scope check the same thing. It's possible the website scope isn't inheriting from the default scope and the default scope is where you made your initial change to HTTPS.

The second possibility for the mixed content could be due to the fact that you're site isn't using 100% HTTPS. When you type HTTPS into the browser, you're manually loading an HTTPS page which can cause issues if you're unsecure base URL ins't HTTPS. I've seen lots of times when I do that and none of my CSS, images, JS, etc load because of mixed content. For some reason, when you type HTTPS for a page that's "normally" just HTTP, Magento builds the URLs necessary to pull in the resources using just HTTP because that's what the unsecure base URL is. Try flipping your unsecuire base URL to HTTPS and reload the site and see if those errors go away. If so, then you'll know what it is.

The last option that it could be is you could have just plain old hardcoded URLs in your template files. I'm not 100% sure how custom your shop is, but if someone hardcoded a URL in the page, then nothing you do in the admin panel will fix that. You'll have to track down the problematic URL in your code and fix it there.

For you're redirect loop issue, I had the exact same issue a few weeks back when I was plugging one of my stores into Cloudflare for the first time. To fix the issue, we had to add the following block of code to our index.php file before the Mage::run command in order to get rid of the redirect loop:

foreach (array(
    'SERVER_PORT' => 443,
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_CF_VISITOR' => '{"scheme":"https"}'
    ) as $key => $value) 
{
    if (isset($_SERVER[$key]) && $_SERVER[$key] == $value) {
        $_SERVER['HTTPS'] = 'on';
        break;
    }
}

Essentially what that block is doing is it's telling Magento that the SSL termination already happened (in Cloudflare) and even though the request is coming across port 80, or via HTTP, that it should treat the request as if it's a HTTPS request. I've had to do similar things with my store from day one since it lives behind a load balancer that does the SSL termination. But the principle is pretty much the same.

Best Answer

Related Solutions

Magento – Run entire website on https, except API URLs under http

HTTPS with Cloudflare – Secure Your Website

Related Topic