0

I have a site working as http. The site has a certificate from letsencrypt and the related apache config to work with https as well.

How can I configure t3 to do both, http and https?

Regardless of what I tried to configure, it works with either one but not both.

Help appreciated!

Regards Kallewirsch

averlon
  • Why? Is there any special requirement to use both? Better use https and do a redirect from http to https. – Thomas Löffler Sep 22 '22 at 07:45
  • It is possible, but configuration depends on your TYPO3 version. For v9+, look for `baseVariants` and react to the request. – Jonas Eberle Sep 22 '22 at 07:58
  • @ThomasLöffler: Although I would like to gain some experience in configuring a site with both, I already tried to configure a redirect but was not successful with this either. Do you have a hint for me? – averlon Sep 22 '22 at 08:10
  • @JonasEberle: baseVariants is, as far as I understood the concept, related to different working environments. So there needs to be a condition. Or is there another way to make use of it for a production environment? – averlon Sep 22 '22 at 08:25

3 Answers

1

You can use baseVariants with conditions based on the request environment.

As an example:

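```yaml
# Default base, used when no variant condition matches
base: http://your.server
baseVariants:
  # Used when the web server reports the request as https
  - base: 'https://your.server'
    condition: 'getenv("HTTPS") === "on"'
```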

(How https:// is signalled to PHP depends on your webserver/proxy environment. See https://stackoverflow.com/a/16076965/2819581)

Nota bene: You have been warned about duplicate content, security etc. already.

Jonas Eberle
0

No matter why you think you need to do this, supporting both schemas as in "after page load http can still be shown in the url bar" is neither a secure nor a necessary thing anymore. What is relevant is that if a user types in http://example.com the page will be shown and that all communication with your server is secure, thus in the end https should be used. Letsencrypt is a wonderful choice.

In order to circumvent all problems users, browsers and web applications can run into, HSTS should be activated, which is basically "web server magic" for always using https without leaving anybody behind, even if they try to use http. So configure TYPO3 to serve via https and activate HSTS for your webserver.

For details on why and how to use HSTS, refer to e.g. https://https.cio.gov/hsts/

If you want TYPO3 to serve content no matter the schema or domain, adapt the TYPO3 site configuration base url to not include schema or domain. For security reasons I won't provide an example.

NextThursday
  • Hi, yes, for sure, http is outdated and letsencrypt is an option for non profit org to get an affordable encryption. Anyhow. I would like to learn how to do it. This will then allow me (hopefully) to setup the site in a correct way using both, http and https and ending up with https. But first - at least in my opinion - learn how to do it and see the way to the correct setup. – averlon Sep 22 '22 at 08:30
  • 1
    @averlon then read into HSTS and understand why this should be done in the httpd (e.g. Apache) only and prominently and never ever inside a web application. Added answer to your request as new paragraph. – NextThursday Sep 22 '22 at 15:37
0

You should configure an http to https redirect in the Apache configuration (.htaccess).

HTTP times are over; browsers default to https and auto-upgrade connections if possible. Also, http is rightly marked as insecure (similar to a wrong SSL certificate).

There is no valid reason to use http anymore.

Wolffc
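
Added example, not part of any answer above: an Apache virtual-host pair that implements the http to https redirect and the HSTS header the answers recommend, with the TYPO3 site `base` then set to the https URL only. The host name `your.server` is the placeholder from the first answer; the DocumentRoot and certificate paths are assumptions, and mod_ssl, mod_alias and mod_headers are assumed to be enabled.

```apache
# Constructed example: your.server is a placeholder host name.
# DocumentRoot and certificate paths are assumptions; adjust to your setup.

# Port 80: serve no content, only redirect every request to the https origin.
<VirtualHost *:80>
    ServerName your.server
    Redirect permanent / https://your.server/
</VirtualHost>

# Port 443: the only virtual host that actually serves TYPO3.
<VirtualHost *:443>
    ServerName your.server
    DocumentRoot /var/www/typo3/public

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/your.server/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your.server/privkey.pem

    # HSTS: set only on the https vhost; browsers ignore the header over http.
    # Keep max-age short (seconds) while testing, then raise it,
    # e.g. to 31536000 (one year), once https works for the whole site.
    Header always set Strict-Transport-Security "max-age=300"
</VirtualHost>
```

Run `apachectl configtest` before reloading; a request to http://your.server/ should then answer with a 301 to the https URL, and the https response should carry the `Strict-Transport-Security` header.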