Magento2: Enabling SSL settings forces SSL in admin, but not frontend.

Created on 19 Oct 2016  路  15Comments  路  Source: magento/magento2

It seems like the config Secure URLs on Storefront does not force SSL to be used in storefront. But Use Secure URLs in Admin does enforce SSL in admin. The problem with this is that when people writes the url in the browser, e.g. "yoursite.com/catalog/y-x-z" they will get the http version and not redirected to https.

Preconditions

  1. Magento 2.1.2 + Nginx + PHP 7 + Mysql 5.6
  2. Varnish enabled
  3. Terminate SSL before varnish (in my case, i terminate SSL in the load balancer).
  4. Enable Stores -> Configuration -> General -> Web -> Use Secure URLs on Storefront and Use Secure URLs in Admin
  5. Add to nginx default config for magento:
    location ~ (index|get|static|report|404|503)\.php$ {
        # ....
        fastcgi_param  HTTPS on;
       # ...
    }

Steps to reproduce

  1. Go into yourdomain.com/admin
  2. You will get redirected to https://yourdomain.com/admin (like expected)
  3. Go into yourdomain.com

  4. You will NOT get redirected to the HTTPS version.

    Expected result

  5. When going to yourdomain.com you should get redirected to https://yourdomain.com when "Use Secure URLs on Storefront" is enabled.

    Actual result

  6. No redirect to https is happening.

All urls from admin/* will get redirected from http to https. But urls in frontend does not enforce SSL.

I think it relates to this function ( which seems to have kind of where logic, forgot parantheses? ) :
https://github.com/magento/magento2/blob/develop/app/code/Magento/Store/Model/PathConfig.php#L60

And in adminhtml it's quite a bit different:

Backend Clear Description Confirmed Format is valid Ready for Work Reproduced on 2.2.x Reproduced on 2.3.x bug report
Source
picture peec
👍2

Most helpful comment

Workaround for NGINX (behind AWS ELB), SSL termination..:

Modify the nginx configuration ... 

location / {
    if ( $http_x_forwarded_proto != 'https' ) {
        return 301 https://$host$request_uri;
    }
    try_files $uri $uri/ /index.php?$args;
}

Basically says that if the load balancer does not forward from HTTPS, we redirect accordinly.

picture petterkj on 16 Mar 2017
1 🎉1 😄1 👍1

All 15 comments

Visitors get redirected to HTTPS when logging in and checking out. I think It's always been the case on any version of Magento.
If you want to force HTTPS on any front-end page, you have to enter an https URL in Store >> Settings >> General >> Web >> Unsecure base URL.

pitangaweb picture pitangaweb on 19 Oct 2016

The reason is that when enabling Use Secure URLs on Storefront magento 2 will produce all links as https (also form actions). But you can just remove https from the checkout url and try entering as HTTP. You then access the checkout page with normal http protocol. The workaround URL in Store >> Settings >> General >> Web >> Unsecure base URL doesn't seem to work. It still doesn't seem to force redirect from http to https.

It think, when first enabling Use Secure URLs on Storefront it's in-fact intended to force https as the protocol being used (just as it does with admin). It's concise behavior as apposed to Use Secure URLs in Admin.

peec picture peec on 19 Oct 2016

This is the correct expectation. This setting should set HTTPS across all storefront urls as part of the push by Google to move all pages to HTTPS.

pboisvert picture pboisvert on 19 Oct 2016

I had the same problem, what I did was add the following to my .htaccess file (I am using Apache)
RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

shanevbg picture shanevbg on 21 Oct 2016
👎1

This is a problem. Switching between http and https... Urls in https version are cached as http. Meaning you get mixed content warnings when visiting the store..

Issue reported october 2016, and SSL not working correct for frontend.

petterkj picture petterkj on 9 Feb 2017

You can fix that easily with a Nginx rule to transcode them on the fly for almost not overhead.

sub_filter 'http://$host/' 'https://$host/'; sub_filter 'http:\/\/$host\/' 'https:\/\/$host\/'; sub_filter_last_modified on; sub_filter_once off; sub_filter_types application/xml text/xml;

The issue that I have is that when I turn it all on i can either set SSL On in magento, and then the backend tries to bounce because with termination it looks at the requests and sees HTTP, or with SSL Off in magento but then when i go to it in after termination it thinks its HTTPS and toys to redirect to HTTP.

I am trying to just find the code that does the redirects when a requests is recived per the magento settings and just comment them all out but I can't find the code

pynej picture pynej on 28 Feb 2017

@pynej I have the same issue, I use termination as well.
_
Checkout is forced SSL but not the rest..

Chrome now says "Not secure" on all pages except checkout..

Very critical bug, people get scared when they see "Not secure" .

petterkj picture petterkj on 15 Mar 2017

Workaround for NGINX (behind AWS ELB), SSL termination..:

Modify the nginx configuration ... 

location / {
    if ( $http_x_forwarded_proto != 'https' ) {
        return 301 https://$host$request_uri;
    }
    try_files $uri $uri/ /index.php?$args;
}

Basically says that if the load balancer does not forward from HTTPS, we redirect accordinly.

petterkj picture petterkj on 16 Mar 2017
1 🎉1 😄1 👍1

This could be caused by not all links in frontend using https. To fix you need to add _secure="true" to media links and others:
{{media url="custom_slides/slider-image1.jpg" _secure="true"}}

thomgre picture thomgre on 21 Apr 2017

Make sure you have clear the cache by running this command: php bin/magento cache:clean and also delete everything in var/cache directory. Here's a guide which has mentioned various Magento SSL Configuration issues with their solutions: Magento SSL Configuration

SyedMuneebb picture SyedMuneebb on 21 Aug 2017

I did Enable Stores -> Configuration -> General -> Web -> Use Secure URLs on Storefront and Use Secure URLs in Admin.

And no i cant get in to my store/admin. I get the ERR_CONNECTION_REFUSED when i type inn my webadress.

How can i get into my admin page again now?

Celtex picture Celtex on 6 Dec 2017

SSL does not only take care of user side, It also helps you to rank faster and also let your user trust you in the search engine and making a transaction without any problem, Enabling SSL with cloudways is easier. https://www.cloudways.com/blog/how-to-install-ssl-on-magento/, Thanks for sharing this guide about configuring it.

alexmorco picture alexmorco on 4 Jun 2018
👎1

@peec, thank you for your report.
We've acknowledged the issue and added to our backlog.

ghost picture ghost on 21 Aug 2018

easy method to enabling SSL on your magento 2 store, Go then to Stores>Configuration from the admin panel and unfold the Base URLs (Secure) section then changing http to https after Yes for Use Secure URLs on Storefront and Use Secure URLs in Admin fields. Do the same for the Admin also.

Source - https://www.sparxbpo.com/blog/enable-ssl-magento-2-store.html

sparxbpoit picture sparxbpoit on 7 Sep 2018

@peec, thank you for your report.

Unfortunately, we are archiving this ticket now as it did not get much attention from both Magento Community and Core developers for an extended period. This is done in an effort to create a quality, community-driven backlog which will allow us to allocate the required attention more easily.

Please feel free to comment, reopen or create new ticket according to the Issue reporting guidelines
if you are still facing this issue on the latest 2.3-develop branch. Thank you for collaboration.

magento-engcom-team picture magento-engcom-team on 18 Sep 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

salelsol picture salelsol  路  3Comments
jzalenski picture jzalenski  路  3Comments
algostore picture algostore  路  3Comments
ostmond picture ostmond  路  3Comments
phirunson picture phirunson  路  3Comments