Switching to HTTPS
If your live site is served over HTTPS, we recommend setting up your Omni CMS environment to be HTTPS-only. This includes both files and content resources, and site settings.
The two most important items to consider are page resources and page links.
- Page resources are pieces of content or resources that come from some other location and are loaded on your page. This can be CSS, JavaScript, content in
<iframe>
tags, and even images. - Browsers throw a warning if any of these items are unsecured (loaded over HTTP) but displayed on a secured page (a page loaded over HTTPS). They might even block the resource entirely.
- Page links are hard-coded links (for example, not using dependency manager) that send users to other pages on the web or within your site.
- Make sure any hard-coded links that point to other pages in your site are set for HTTPS. You can still have links on your HTTPS pages that point to external sites that don't use HTTPS. You can't control those sites since they aren't managed by your web server
We recommend performing the steps outlined in this guide in this order:
- Verify that the SSL cert is configured in your server. Do not force HTTPS yet.
- Complete the following sections in Omni CMS.
- Force HTTPS at server level.
Make sure that the intermediate SSL cert is in place and configured correctly. Your IT team or hosting provider can help verify and fix this for you as needed. You can use https://www.immuniweb.com/ssl/ to check your certs configuration and generate a report that you can send to your IT team or hosting provider for assistance as needed.
Switching over to HTTPS doesn't work for some third-party codes. You would need to do some additional investigation or contact your third-party script vendor to find if they have a version that works over HTTPS. This is something we strongly suggest that you do before switching your production server over to HTTPS.
Site SettingsLink to this section
- In Omni CMS, navigate to Setup > Sites.
- Click the More Actions
menu for the site that is switching to HTTPS.
- Click Edit > Site.
- In the Production Server FTP Settings section, navigate to "HTTP Root."
- Type to change
http
tohttps
. - Click Save.
If your templates in Omni CMS are stored on the production server, adjust the template directory field in site settings, also under Production Server FTP Settings, to point to https
. If they're on staging, double-check your XSL to make sure any references to template locations point to https
. You may need to do a find and replace on the server that hosts your templates.
Find and ReplaceLink to this section
The most important fix is for any page resources that pull content onto your pages using HTTP. This could be CSS or JavaScript being brought in from an external source, iFrame content, or images.
- Go to Content > Find and Replace.
- Perform a find and replace to update any hard-coded links in your domain to HTTPS. Example:
Find: http://www.yourschool.edu
Replace: https://www.yourschool.edu- If you have subdomains, use the following regex:
Find:http://([^.]+\.)?(domain\.edu)
Replace:https://$1$2
- Replace
domain\.edu
with your actual domain, and include the backslash to escape the period in the regex.
- Replace
- If you have subdomains, use the following regex:
Do not change any system URLs, such as the following:
<!DOCTYPE document SYSTEM "http://commons.omniupdate.com/dtd/standard.dtd">
<document xmlns:ouc="http://omniupdate.com/XSL/Variables">
Modifying these could cause issues including broken pages.
Dependency ScanLink to this section
- Go to Setup > Sites.
- Click the More Actions menu for the site.
- Click Scan > Dependency Scan.
This runs a dependency scan on your site that converts links to dependency tags.
Republish AssetsLink to this section
- Go to Content > Assets.
- Select all assets and publish.
Site PublishLink to this section
- Go to Setup > Sites.
- Click the More Actions menu for the site.
- Click Publish > Publish Site.
RSS ItemsLink to this section
RSS feeds and item paths are not updated by the find and replace, and must be manually updated. If you have a lot of RSS items that require updating, our support team can run a script to accomplish this. Please request this after all other steps are complete.
Helios Calendar for Omni CMSLink to this section
If you have the Helios calendar module, you need to FTP to your production server where the calendar is installed and edit the config.php
file. This file is usually located at /var/www/html/calendar/inc/config.php
.
Update the CalRoot
and AdminRoot
variables within this file to https
.
Omni CMS SearchLink to this section
If you have the Omni CMS search module, go to Settings > Basic Walk Settings and update your "Base URL" to https
. Re-walk your site so it is re-indexed.
If you have created any best bets, manually update their URLs tohttps
. Go to Tools > Best Bet Groups and click on "Manage Best Bets." Choose your best bet group and edit each best bet by clicking on the pencil icon.
Final StepsLink to this section
Afterward, we suggest running a final find for http://
, which shows all other hard-coded non-HTTPS URLs in your site. Use this to confirm that all remaining HTTP URLs on the site, after performing the above actions, are links pointing to external pages that you don't have control over.
Once all your resources and links have been converted to using HTTPS, for all sites in your account, you can enable "Always Use HTTPS" in the account settings. This has additional checks for enforcing HTTPS use in the Omni CMS environment.