Yireo tutorials

Enabling SSL for MageBridge

Securing your webshop with SSL certificates is one of the basic administrative tasks when setting up the site. Providing SSL security should be seen as mandatory for a webshop. Using a more expensive EAV-certificate adds confidence to the user's experience. This tutorial explains how to deal with SSL within MageBridge.

Want to disable SSL on certain pages for performance reasons? Optimize the rest of Magento first by checking out our SPO-list.

Where to enable SSL

When dealing with MageBridge, there are three connections for which you can enable SSL:

  • Browser + Joomla! - used by the customer
  • Joomla! + Magento - used by the MageBridge API
  • Browser + Magento - used by the customer for CSS, JavaScript and images

Enabling SSL for Joomla!

In the Joomla! Global Configuration, there is an option "Force SSL" which enables SSL for the entire site. However, as soon as you access the website from non-SSL, it does not automatically redirect you to the equivalent SSL-page. Also, this option does not allow you to use SSL only for the shop.

Within the MageBridge Configuration, you can find an equivalent option under the tab Bridge, named "Enforce SSL". This functionality only works if you have the MageBridge System Plugin enabled.

The "Enforce SSL" option has the following options:

  • Disable SSL: All SSL-pages will automatically be redirected to their non-SSL counterpart
  • Entire Joomla! site: This option is the same as the "Force SSL" option in the Joomla! Global Configuration, except that non-SSL pages will automatically be redirected to their SSL-counterpart
  • Shop only: SSL is only enforced on the MageBridge-component pages, while on all other pages the visitor is redirected back to the non-SSL equivalent
  • Checkout and customer-pages only: SSL is only enforced on the MageBridge checkout and customer-pages. Please note that this option is EXPERIMENTAL and should be handled with caution: While MageBridge is capable of redirecting the pages, there are many third party Magento modules (payment gateways for instance) with different URLs that will not listen to this.

These options allow you to enforce SSL between the customer's browser and Joomla!, which is the most important connection to secure.

Prevent endless loops

As soon as you enable SSL for Joomla!, you must activate SSL in the MageBridge API and therefore also in Magento. Failure to do so will result in endless redirect loops, because Magento tries to force non-SSL itself while MageBridge is set to force SSL.
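One way to confirm that a page is caught in this loop, as an added example that is not part of MageBridge or the original tutorial: follow the redirects one hop at a time and flag a cycle whose URLs differ only in scheme. The hostname joomla.example.com and the misconfigured_fetch stand-in are constructed for illustration; pass no fetch argument to test a live site.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def http_fetch(url):
    """One GET without following redirects; returns (status, Location or None)."""
    parts = urlsplit(url)
    secure = parts.scheme == "https"
    conn = (http.client.HTTPSConnection if secure else http.client.HTTPConnection)(
        parts.netloc, timeout=10)
    try:
        conn.request("GET", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(url, fetch=http_fetch, max_hops=10):
    """Follow redirects hop by hop and return (chain, verdict)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            return chain, "ok"
        nxt = urljoin(chain[-1], location)
        if nxt in chain:
            cycle = chain[chain.index(nxt):]
            # The conflict described above shows up as a cycle whose URLs
            # are identical except for http:// versus https://.
            stripped = {urlsplit(u)._replace(scheme="").geturl() for u in cycle}
            flips = len(cycle) > 1 and len(stripped) == 1
            return chain + [nxt], "ssl-loop" if flips else "loop"
        chain.append(nxt)
    return chain, "too-many-redirects"

def misconfigured_fetch(url):
    """Constructed stand-in: one side forces HTTPS, the other forces HTTP."""
    if url.startswith("http://"):
        return 302, "https://" + url[len("http://"):]
    return 302, "http://" + url[len("https://"):]

if __name__ == "__main__":
    # joomla.example.com is a placeholder hostname.
    print(trace_redirects("http://joomla.example.com/shop/checkout", misconfigured_fetch))
```

A verdict of "ssl-loop" points at the SSL settings on the two sides disagreeing; a plain "loop" has some other cause.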

Enabling SSL for Magento

Within Magento, you only need to set things up properly: Within the Magento configuration (General > Web > Secure / Unsecure) you'll find the Base URLs for different parts of Magento. We recommend that you enter here the Magento hostname (not the MageBridge or Joomla! hostname) under which Magento can be accessed directly.

The easiest approach is to add the Magento hostname as the default Base URL, while all other URLs (for media, skin, etcetera) refer to this default value through the following construct:

{{unsecure_base_url}}

Make sure you list the HTTP URL of Magento under the Unsecure section, while mentioning the SSL-version under the Secure section.

Enabling SSL for the MageBridge API

Enabling encryption between Joomla! and Magento (used by the MageBridge API) is only sensible when Joomla! and Magento are not located on the same webserver, or if you don't trust the network administrator of the Apache webserver (who happens to be a part-time script-kiddie).

Enabling SSL for the API can be done through the API-tab within the MageBridge Configuration. Set the option "Protocol" to HTTPS. Before enabling SSL for the MageBridge API, make sure Magento is accessible through SSL. This can be tested by accessing Magento stand-alone (https://MAGENTO/).

Dealing with non-SSL content

Modern browsers give a warning when SSL-secured content is mixed with non-SSL content on a single webpage. To prevent this warning, all content should be delivered through SSL - including CSS-stylesheets and images. It is important that if you enable SSL for Joomla! (and thus MageBridge) you also enable SSL for Magento.

Unfortunately, this also means that if you purchase an SSL-certificate (for instance an SSL EAV certificate) for Joomla!, you also need to purchase an SSL certificate for Magento. Only if both applications are located within the same domain can you use the same SSL-certificate for both.
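To find the non-SSL content that triggers the browser warning described above, the following added example (not part of MageBridge or the original tutorial) scans the HTML of an SSL page for CSS, JavaScript and images that would still be loaded over plain HTTP. The hostnames and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src",
               "link": "href", "source": "src", "embed": "src", "object": "data"}

class MixedContentScanner(HTMLParser):
    """Collect subresources an HTTPS page would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, absolute URL) in document order

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        if tag == "link":
            rel = set((dict(attrs).get("rel") or "").lower().split())
            if not rel & {"stylesheet", "icon"}:
                return  # canonical/alternate links are never fetched
        # Resolve relative and protocol-relative (//host/...) references first.
        url = urljoin(self.page_url, value.strip())
        if urlsplit(url).scheme == "http":
            self.insecure.append((tag, url))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.insecure

# Constructed sample of a Joomla! page that embeds Magento assets.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://magento.example.com/skin/css/styles.css">
<link rel="canonical" href="http://joomla.example.com/shop/checkout">
<script src="https://magento.example.com/js/prototype/prototype.js"></script>
<script src="//magento.example.com/js/varien/js.js"></script>
</head><body><img src="/images/logo.png">
<img src="http://magento.example.com/media/catalog/product/a.jpg"></body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://joomla.example.com/shop/checkout", SAMPLE_PAGE):
        print(tag, url)
```

Every URL it reports is an asset whose Base URL in the Secure section still resolves to HTTP.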

Warning for untrusted certificates

If you are using a trusted certificate for both Joomla! and Magento, your customers will never have to accept the certificate: It is automatically accepted by the browser. However, with untrusted certificates, the customer has to agree with a browser warning indicating that the certificate could be dangerous to use.

When using untrusted certificates with MageBridge, beware of the following problem: If Magento is located on the same domain as Joomla!, the customer will need to accept the Joomla! certificate. Because this certificate automatically applies to Magento as well, the Magento parts in MageBridge (CSS, JavaScript, images) are served without a problem.

But if Magento is located on a different domain, the customer needs to accept both the Joomla! certificate and the Magento certificate. However, the browser does not display the SSL-warning for Magento, because it only involves "indirect" content (CSS, JavaScript, images). The browser warning can only be accepted if the customer visits Magento stand-alone, which defeats the purpose of MageBridge. Therefore we do not support the usage of untrusted certificates.

Webservers with Suhosin might cause problems due to the setting suhosin.session.encrypt set to Yes. This setting prevents sessions from being switched between HTTPS and HTTP.
