Tutorials for Magento and Joomla! - Yireo

Enabling SSL for MageBridge

Securing your webshop using SSL-certificates is one of the basic administrative tasks when setting up the site. Providing SSL-security should be seen mandatory for a webshop. Using a more expensive EV-certificate adds confidence to the users experience. This tutorial explains how to deal with SSL within MageBridge.

Want to disable SSL on certain pages for performance reasons? Optimize the rest of Magento first by checking out our SPO-list.

Where to enable SSL

When dealing with MageBridge, there are three connections for which you can enable SSL:

• Browser + Joomla! - used by the customer
• Joomla! + Magento - used by the MageBridge API
• Browser + Magento - used by the customer for CSS, JavaScript and images

Is the hosting environment supporting SSL?

Please note that you should first of all make sure you can actually have SSL configured on the hosting level. Check whether you can access both the Magento site and Joomla! site under HTTPS - by typing the URL prefixed with https://. If you receive a browser error about HTTPS or SSL not being available, you should contact your hosting provider regarding this. MageBridge can only introduce SSL if your website is already SSL-enabled.

Enabling SSL for Joomla!

In the Joomla! Global Configuration, there is an option Force SSL which enables SSL for the entire site. However, as soon as you access the website from non-SSL, it does not automatically redirect you to the equivalent SSL-page. Also, this option does not allow you to use SSL only for the shop.

Within the MageBridge Configuration, you can find an equivalent option under the tab Bridge, named Enforce SSL. This functionality only works if you have the MageBridge System Plugin enabled.

The Enforce SSL option has the following options:

• Disable SSL: All SSL-pages will automatically be redirected to their non-SSL counterpart
• Entire Joomla! site: This option is the same as the Force SSL option in the Joomla! Global Configuration, except that non-SSL pages will automatically be redirected to their SSL-counterpart
• Shop only: SSL is only enforced on the MageBridge-component pages, while on all other pages the visitor is redirected back to the non-SSL equivalent
• Checkout and customer-pages only: SSL is only enforced on the MageBridge checkout and customer-pages. Please note that this option is EXPERIMENTAL and should be handled with caution: While MageBridge is capable of redirecting the pages, there are many third party Magento modules (payment gateways for instance) with different URLs, that will not listed to this. You will need to list those URLs under the option Secure URLs. For instance, if you are using the OneStepCheckout extension, you will need to add the URL onestepcheckout to the box of Secure URLs.

These options allow you to enforce SSL between the customers browser and Joomla!, which is the most important connection to secure.

Enabling SSL for Magento

Within Magento, you only need to setup things properly: Within the Magento configuration (General > Web > Secure / Unsecure) you'll find the Base URLs for different parts of Magento. We recommend that you enter here the Magento hostname (not the MageBridge or Joomla! hostname) under which Magento can be accessed directly.

Easiest is to add the Magento hostname as default Base URL, while all other URLs (for media, skin, etcetera) use a reference to this default value through the following construct:

{{unsecure_base_url}}

Make sure you list the HTTP URL of Magento under the Unsecure section, while mentioning the SSL-version under the Secure section.

Enabling SSL for the MageBridge API

As soon as you enable SSL for Joomla!, you must activate SSL in the MageBridge API and there for also with Magento. Failure to do so will end in endless loops because Magento tries to force non-SSL itself as well, while MageBridge is set to force SSL instead.

Enabling SSL for the API can be done through the API-tab within the MageBridge Configuration. Set the option Protocol to HTTPS.

SSL certificate for both Joomla! as Magento

Browsers will give a warning when a webpage contains both SSL-secured content as non-SSL content. To prevent this warning, all content should be delivered through SSL - including CSS-stylesheets and images. It is important that if you enable SSL for Joomla! (and thus MageBridge) you also enable SSL for Magento.

Unfortunately, this also means that if you purchase a SSL-certificate (for instance a SSL EV certificate) for Joomla!, you also need to purchase a SSL certificate for Magento. If both applications are located under the same hostname, you can use the same SSL-certificate for both.

Warning for untrusted SSL-certificates

If you are using a trusted certificate for both Joomla! as Magento, your customers will never have to accept the certificate: It is automatically accepted by the browser. However, with untrusted certificates, the customer has to agree with a browser warning indicating that the certificate could be dangerous to use.

When using untrusted certificates with MageBridge, beware of the following problem: If Magento is located on the same domain as Joomla!, the customer will need to accept the Joomla! certificate. Because this certificate automatically applies to Magento as well, the Magento parts in MageBridge (CSS, JavaScript, images) are served without a problem.

But if Magento is located on a different domain, the customer needs to accept both the Joomla! certificate as well as the Magento certificate. But the browser is not displaying the SSL-warning for Magento, because it only involves indirect content (CSS, JavaScript, images). The browser warning can only be accepted if the customer visits Magento stand-alone, which defies the purpose of MageBridge. There for we do not support the usage of untrusted certificates.

Note: Suhosin encryption

Webservers with Suhosin might cause problems due to the setting suhosin.session.encrypt set to Yes. This setting prevents sessions from being switched between HTTPS and HTTP.