Concrete5.7 setup for HTTPS or SSL access

Permalink 2 users found helpful
Hi Guys,

Our website is running Concrete 5.7 and we have setup our .htaccess to force our traffic on to HTTPS (secure) which is all working great, but there are a few things that are not right and I'm not sure the correct way to resolve them.

We have mixed content issues on some pages however.

Even though the page is loaded over HTTPS any Concrete5 generated styling for Layouts etc.. is included as http which clearly breaks on most modern browsers. And that styling isn't included.
<link href="" rel="stylesheet" type="text/css" media="all">

When we browse to the login form actually submits to a non secure URL. How do we fix this?

Concrete5 FORM Blocks.
All form blocks also redirect to non secure urls. Safari now alerts this to the user on submit which isn't a great experience!

I have "hacked" the core code to get around a few of these issues, but would love to know what the actual way is to set this up?

Thanks for your help in advance.


View Replies: View Best Answer
moosh replied on at Permalink Reply

Did you tried to go to "URLs & Redirection" settings and setup canonical urls ?
If you put https://... for the both fields, I think https will be forced.

Rocketspark replied on at Permalink Reply 1 Attachment
Hi Moosh,

Yes we have https version set for the "SSL URL" field.

I can't set the https:// url into the Canonical URL field as I get the following error. (attached)

bendodge replied on at Permalink Reply
I had the same issue with a fresh install of and HTTPS. Styles breaking, right-hand menu randomly (but not always) degrading, login cookies doing funky things, etc.

Mine was even worse because I set up the SSL certificate and redirect on my web host (Nearlyfreespeech) before I even ran the install scripts, since I was running them over the open Internet and ***didn't want to pass my database and admin passwords over plaintext. Are you listening, developers?*** The install script got stuck in several places, and I was eventually forced to do it over HTTP and change passwords afterwards.

Anyway, the fix for me has been to set BOTH the Canonical URL and SSL URL to the https:// address. The web interface will not allow you to do this, but you can force the change by editing

and setting both
to the https:// address. The comments at the top of the file say not to edit it directly, but nobody has sued me yet...

I love C5 and have used it for years, but I'm very disappointed that the touted 5.7 doesn't work out of the box with with TLS. In this post-Snowden age, encryption should be a default! Apologies for using TLS, HTTPS, and SSL interchangeably. I don't know which words to use where, but I'm hoping to make this post show up in search results.
mkharisecario replied on at Permalink Reply
I also have similar problem. Even after I change Canonical and ssl url from dashboardnya. Everytime I browse to my site, it always open http, not https. Not sure if it come from server side, because I have another WP site and work ok.

I read from some web to include
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

On .htaccess, but when I did that, seems my site is not working correctly
hissy replied on at Permalink Reply
Which version are you using?
Update might resolve the issue.
Rocketspark replied on at Permalink Reply
Hi Hissy,

We are using Concrete

kenjihonma replied on at Permalink Reply
We have the same Problem. We forced https via htacces and edited the settings in SEO-URL configuration, but all forms on the page and the backend dashboard still try to load via http. So the backend and register-/login-forms don't work anymore.

I think this is a serious problem. Please solve it. In other systems, you can just switch "force ssh" on in the backend and everything works fine.
bendodge replied on at Permalink Reply
kenjihonma, did you try my solution, above, specifically editing the SEO-URL settings manually? I'm curious as to whether my solution works for others, or if I've got something funky going on in my environment. (^_^)
kenjihonma replied on at Permalink Reply
I tried it and it didn't work. After i added it to the generated overrides, all backend-settings were deleted.
mkharisecario replied on at Permalink Reply
It also didnt work for me
Rocketspark replied on at Permalink Best Answer Reply
Hi there,

I thought I'd update everyone on where I got to with this.

We use cloudflare to serve our SSL cert and force our traffic to be SSL. Setting the SEO canonical url in /application/config/concrete.php ended up causing a redirect loop for us, but I think this would probably fix the issue for most:

'seo' => array(
    'canonical_url'          => '',
        'trailing_slash' => true,
        'url_rewriting_all' => true

Fore the issues around the CSS files being included insecure, I ended up hacking the core code.


LINE 182 __toString function..

public function __toString()
       $assetURL = $this->getAssetURL();
          $assetURL = str_replace('http://', 'https://', $assetURL);//fix this on production!
        $e = new HeadLink($assetURL, 'stylesheet', 'text/css', 'all');
        if (count($this->combinedAssetSourceFiles)) {
            $source = '';
            foreach ($this->combinedAssetSourceFiles as $file) {
                $source .= $file.' ';
            $source = trim($source);
            $e->setAttribute('data-source', $source);

Hope this helps someone..
designsforchange replied on at Permalink Reply
Hi all,

I'm having the same issue and have tried all of the suggestions available on this feed.

I'm running and a lot of the css doesn't render properly and some of the images don't show up, yet some of them do?

Any thoughts on that?

Thank you
bw1 replied on at Permalink Reply
This is ridiculous. Is there an -actual- solution for this coming? This should literally be a checkmark in the dashboard somewhere, not having to go edit more files manually.

When 5.7 is as rough as it is, why in the world are we rushing like h*ll to get 5.8 rushed out?
ctadmin replied on at Permalink Reply
Agreed, there are some things that really should be just check boxes and not 'build from scratch' type options in the system.
Rocketspark replied on at Permalink Reply
Yes totally agree..

The issue is that most developers will build a site on their local which generally is http, then it's not until it goes live on the server that it is needed to be https and you discover all these issues.
bnguyen replied on at Permalink Reply

I am also having trouble. I recently installed SSL certificate and now I cannot log in to my website. I am not a developer and I need help resolving this issue.
walkingstick replied on at Permalink Reply
Same issue for me. Has anyone come up with a non-hack-the-code way to get it to force to HTTPS?
Cahueya replied on at Permalink Reply
I use this in my .htaccess:

<IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteCond %{HTTP_HOST} ^(www\.)(.+) [OR]
   RewriteCond %{HTTPS} off
   RewriteCond %{HTTP_HOST} ^(www\.)?(.+)
   RewriteRule ^ https://%2%{REQUEST_URI} [R=301,L]
   RewriteEngine On
   RewriteBase /
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME}/index.html !-f
   RewriteCond %{REQUEST_FILENAME}/index.php !-f
   RewriteRule . index.php [L]

And it works just fine for me. Has nothing to do with Cloudflare and CDN stuff, just SSL.

And of course you need to set the base url right in dashboard.
Schattenreich replied on at Permalink Reply
"And of course you need to set the base url right in dashboard."

What exactly does that mean? Set the canonical URL to the http:// & https://?
losttheplot replied on at Permalink Reply
Set the two canonical fields to your https URL in /application/config/generated_overrides/concrete.php as follows

'seo' => array(
        'canonical_url' => '',
        'canonical_ssl_url' => '',
        'redirect_to_canonical_url' => 1,
        'url_rewriting' => 1,

...then add the above rewrite rules to your .htaccess file. It works fine for me :)
bw1 replied on at Permalink Reply
Anyone else think this is ridiculous? Why do I need to go hardcode things like this? Why in the h311 is there two settings for the canonical URL?
jasteele12 replied on at Permalink Reply
No, no, no - the warning at the top of the files in generated_overrides/* are there for a reason. These should go in application/config/concrete.php instead.

Please see my reply to this post: