Switching website from http to https

Hello community,
I was wondering if anyone has the solution on my problem with setting website base url switched to https.

I’ve updated System settings as it was in MODX docs, ‘server_protocol’ value is set to ‘https’ and changed the .htaccess file accordingly.

here is the .htaccess file content:

# Preformatted text # MODX supports Friendly URLs via this .htaccess file. You must serve web
# pages via Apache with mod_rewrite to use this functionality, and you must
# change the file name from ht.access to .htaccess.
#
# Make sure RewriteBase points to the directory where you installed MODX.
# E.g., "/modx" if your installation is in a "modx" subdirectory.
#
# You may choose to make your URLs non-case-sensitive by adding a NC directive
# to your rule: RewriteRule ^(.*)$ index.php?q=$1 [L,QSA,NC]

RewriteEngine On
RewriteBase /


RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

# Rewrite www.domain.com -> domain.com -- used with SEO Strict URLs plugin
RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} ^www\.mywebsiteurl\.com [NC]
RewriteRule (.*) http://mywebsiteurl.com/$1 [R=301,L]

# or for the opposite domain.com -> www.domain.com use the following
# DO NOT USE BOTH
#
# RewriteCond %{HTTP_HOST} .
# RewriteCond %{HTTP_HOST} !^www\. [NC]
# RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]



# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent 
# https://www.domain.com when your cert only allows https://secure.domain.com
#RewriteCond %{SERVER_PORT} !^443
#RewriteRule (.*) https://example-domain-please-change.com/$1 [R=301,L]



# The Friendly URLs part
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]



# Make sure .htc files are served with the proper MIME type, which is critical
# for XP SP2. Un-comment if your host allows htaccess MIME type overrides.

#AddType text/x-component .htc



# If your server is not already configured as such, the following directive
# should be uncommented in order to set PHP's register_globals option to OFF.
# This closes a major security hole that is abused by most XSS (cross-site
# scripting) attacks. For more information: http://php.net/register_globals
#
# To verify that this option has been set to OFF, open the Manager and choose
# Reports -> System Info and then click the phpinfo() link. Do a Find on Page
# for "register_globals". The Local Value should be OFF. If the Master Value
# is OFF then you do not need this directive here.
#
# IF REGISTER_GLOBALS DIRECTIVE CAUSES 500 INTERNAL SERVER ERRORS :
#
# Your server does not allow PHP directives to be set via .htaccess. In that
# case you must make this change in your php.ini file instead. If you are
# using a commercial web host, contact the administrators for assistance in
# doing this. Not all servers allow local php.ini files, and they should
# include all PHP configurations (not just this one), or you will effectively
# reset everything to PHP defaults. Consult www.php.net for more detailed
# information about setting PHP directives.

#php_flag register_globals Off

I tried both of the following in head section to extract the “correct” url:

 <base href="[[!++site_url]]">
 <base href="[[++site_url]]">

but it keeps displaying http:// at the beginning :frowning:

My temporary solution was setting base url manually to what I need:
<base href="https://mywebsiteurl.com/">

Thanks for your help in advance!


The website uses latest version of MODX (2.7.1) and PHP7.2 is enabled on server (PLESK)

1 Like

Hi, on my site this gives me https, it can be a bit tricky

RewriteCond %{HTTP_HOST} somedomain\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://somedomain.com/$1 [R,L]

This section is converting the URL back to http, though only for those who come in on a www URL:

RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} ^www\.mywebsiteurl\.com [NC]
RewriteRule (.*) http://mywebsiteurl.com/$1 [R=301,L]

Thanks for sharing your experience, but that didn’t help in my case ;(

Thanks for your notice. Changed http: to https in that line, but that didn’t work ;(

In your template how are you specifying your base url? It should be uncached. ie:

<base href="[[!++site_url]]" />

not
<base href="[[++site_url]]" />

That’s why I’m rising this thread. The one you mentioned (first option) doesn’t work for me.
Pls check the initial request (I just edited it, for some reason the forum’s comment editor didn’t include part or preformatted code)

Have you hardcoded the site_url in a system or context setting perhaps?

Who is your host? I ask as some hosts require you use a specific htaccess setting.

yep, it’s now hardcoded in HEAD section.

Well, the host is the company I’m working for. We host our website on dedicated server which uses PLESK.

I meant if you created any system or context settings named “site_url” with the hardcoded value. MODX normally calculates the site_url dynamically for each request, unless you hardcode it in the settings.

I would suggest to strip down everything you’ve got now and build it back up.

If you have two places doing the same thing, they can conflict. They might each work if alone, but the combo does something wrong.

This from @andytough must, in nearly every case, work.


    <base href="[[!++site_url]]" />

My suggestion is to strip down the htaccess for now and get that above code and site_url working first, then you can add in https

I’m sorry, I’m quite new to MODX. Still didn’t get what’s “system or context settings”. How they should look? Thanks in advance!

1 Like

Here’s my .htaccess that I just ripped from one of my sites. I can confirm this working and redirecting to https.

# MODX supports Friendly URLs via this .htaccess file. You must serve web
# pages via Apache with mod_rewrite to use this functionality, and you must
# change the file name from ht.access to .htaccess.
#
# Make sure RewriteBase points to the directory where you installed MODX.
# E.g., "/modx" if your installation is in a "modx" subdirectory.
#
# You may choose to make your URLs non-case-sensitive by adding a NC directive
# to your rule: RewriteRule ^(.*)$ index.php?q=$1 [L,QSA,NC]

RewriteEngine On
RewriteBase /

# Rewrite www.domain.com -> domain.com -- used with SEO Strict URLs plugin
#RewriteCond %{HTTP_HOST} .
#RewriteCond %{HTTP_HOST} ^www.(.*)$ [NC]
#RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
#
# or for the opposite domain.com -> www.domain.com use the following
# DO NOT USE BOTH
#
#RewriteCond %{HTTP_HOST} !^$
#RewriteCond %{HTTP_HOST} !^www\. [NC]
#RewriteCond %{HTTP_HOST} (.+)$
#RewriteRule ^(.*)$ http://www.%1/$1 [R=301,L] .

# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent 
# https://www.domain.com when your cert only allows https://secure.domain.com
RewriteCond %{SERVER_PORT} !^443
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule (.*) https://alienbuild.uk/$1 [R=301,L]

# The Friendly URLs part
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

# Make sure .htc files are served with the proper MIME type, which is critical
# for XP SP2. Un-comment if your host allows htaccess MIME type overrides.

#AddType text/x-component .htc

# If your server is not already configured as such, the following directive
# should be uncommented in order to set PHP's register_globals option to OFF.
# This closes a major security hole that is abused by most XSS (cross-site
# scripting) attacks. For more information: http://php.net/register_globals
#
# To verify that this option has been set to OFF, open the Manager and choose
# Reports -> System Info and then click the phpinfo() link. Do a Find on Page
# for "register_globals". The Local Value should be OFF. If the Master Value
# is OFF then you do not need this directive here.
#
# IF REGISTER_GLOBALS DIRECTIVE CAUSES 500 INTERNAL SERVER ERRORS :
#
# Your server does not allow PHP directives to be set via .htaccess. In that
# case you must make this change in your php.ini file instead. If you are
# using a commercial web host, contact the administrators for assistance in
# doing this. Not all servers allow local php.ini files, and they should
# include all PHP configurations (not just this one), or you will effectively
# reset everything to PHP defaults. Consult www.php.net for more detailed
# information about setting PHP directives.

#php_flag register_globals Off

# For servers that support output compression, you should pick up a bit of
# speed by un-commenting the following lines.

#php_flag zlib.output_compression On
#php_value zlib.output_compression_level 5

# The following directives stop screen flicker in IE on CSS rollovers. If
# needed, un-comment the following rules. When they're in place, you may have
# to do a force-refresh in order to see changes in your designs.

#ExpiresActive On
#ExpiresByType image/gif A2592000
#ExpiresByType image/jpeg A2592000
#ExpiresByType image/png A2592000
#BrowserMatch "MSIE" brokenvary=1
#BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1
#BrowserMatch "Opera" !brokenvary
#SetEnvIf brokenvary 1 force-no-vary

# BEGIN cPanel-generated php ini directives, do not edit
# Manual editing of this file may result in unexpected behavior.
# To make changes to this file, use the cPanel MultiPHP INI Editor (Home >> Software >> MultiPHP INI Editor)
# For more information, read our documentation (https://go.cpanel.net/EA4ModifyINI)
<IfModule php5_module>
   php_flag asp_tags On
   php_flag display_errors Off
   php_value max_execution_time 30
   php_value max_input_time 60
   php_value max_input_vars 1000
   php_value memory_limit 128M
   php_value session.gc_maxlifetime 1440
   php_value session.save_path "/var/cpanel/php/sessions/ea-php56"
   php_value upload_max_filesize 100M
</IfModule>
# END cPanel-generated php ini directives, do not edit

but I tried it, and the mentioned code:
<base href="[[!++site_url]]" />

just gives in return a nonsecure url, smth like this:
<base href="http://www.siteurl.com/"/>

1 Like

thanks, but it doesn’t work in my case ;(

Right, and then add the htaccess code I gave you before, that should get you closer at least

https is quite tricky, unfortunately, it takes time.

Try adding the htaccess code for https, removing the part you had originally that seems to force http, and see if you get closer.

if that htaccess isn’t working for you, and you’re calling the base href uncached then i’d lean towards @markh suggestion that maybe you have this value hard coded somewhere. do you have a multi site setup? if so you may need to right click on the context (website by default) and edit the settings. you may find a site_url setting there hardcoded with the http protocol.

Pls check your base_url and is this code in the top of your template?

<base href="[[!++site_url]]" />

There shouldn’t be any domain change at all, just https or http before the domain

Are those links hard-coded perhaps? If they are they would need changing, but again not the domain

Can you give me an example of this domain change?