- September 11, 2017 at 8:12 pm #51295
I have a multisite installation with several domains. I purchased your multisite Pro plugin.
I added certificates for all my domains.
I installed Really Simple SSL plug-in per instructions. This is required before the multisite.
I couldn’t even log in. I couldn’t do a thing.
I found your instructions for force de-activating the Really Simple SSL plug-in and can now log in. But I haven’t a clue what I’m supposed to do to get either of the plug-ins to work.September 11, 2017 at 8:45 pm #51298
After deactivating, logging in, and then reactivating, this time it worked.
Painful, though.September 11, 2017 at 8:56 pm #51301
Strange you had trouble activating the first time. Did you get a redirect loop?
Maybe another plugin was redirecting back to http? If you have any additional info, we can look into it.
If you need any other assistance, let me know!September 13, 2017 at 9:08 pm #51601
No it’s working fine.
I did want to let you know that you’re spelling network as netwerk in several places. Next time you do code changes, might want to fix that.
Also, I’m getting the following in each site
The mixed content fixer is not active on the admin panel. Enable this feature only when you have mixed content on the admin panel.
This is enabled, so I’m not sure why I’m getting this message.
Actually, the link was to an old URL from over a decade ago, and was to a JSP page with a .jsp extension. One of the mixed content fixers found .js, and then stopped matching didn’t get that it was a .jsp page. This is more of an FYI, as I find it unlikely this type of issue will happen again.September 13, 2017 at 9:10 pm #51602
Sorry, for mangled comment. Hopefully, you can read.September 13, 2017 at 9:41 pm #51618
I spoke too soon, there is another issue.
One of your options is to enable HSTS, but you’re not doing anything. You’re not generating the header, and you don’t provide an option to submit the domain to the HSTS Preload list.
What do I need to do to get this to work, other than enable HSTS?September 13, 2017 at 10:46 pm #51632
Thanks for the feedback on the network/netwerk, I’ll make a note.
As for the “false positive” This kind of results can come up, that’s the reason it still needs to be done manually, the scan can’t account for any possible situation. But thanks for mentioning it.
HSTS: if you enable the HSTS option, assuming you’re on Apache, the HSTS header should be inserted in your .htaccess. On NGINX it is a php header. Can you send me your .htaccess file so I can take a look?
I’m looking into the preload list option, I’ll get back to you on that. It should appear after enabling HSTS on the network settings page.September 14, 2017 at 2:37 pm #51741
I tested my site, and it’s not ready for HSTS anyway. Not all of my subdomains are served via HTTPS, and doing so may be a problem for one of them.
But the .htaccess file has
# BEGIN Really_Simple_SSL_HSTS
Header set Strict-Transport-Security: “max-age=31536000” env=HTTPS
# END Really_Simple_SSL_HSTS
However, when I tested the site with the HSTS preload org, I’m getting
Error: No HSTS header
Response error: No HSTS header is present on the response.
Regardless of subdomain issue, shouldn’t the header be working?September 14, 2017 at 2:40 pm #51742
Does look like the header should be
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
I can modify that myself in the .htaccess file. First, though, I’ve got to think about the subdomain issue. I may wait on all of this until Lets Encrypt puts out the wildcard certificate.
ThanksSeptember 14, 2017 at 2:50 pm #51744
Your current HSTS header is the “basic” HSTS header, which only activates when the site is loaded over https, and does not include subdomains, which is why you can activate it on multisite without risk of other sites being forced over https. The preload directives are inserted when the “hsts preload” option is enabled. This option is not visible at the moment on the settings page, I have corrected this in an update which I will release tomorrow.
Please note that the env=https directive is also required for preload.
The main issue here seems that the HSTS header does not seem to work, which is strange. Adding the preload directive won’t solve that. Possibly your hosting company does not allow setting headers in the .htaccess?
If you have a redirect chain which aims to limit the number of redirects, this might be a problem for HSTS. The redirect should always be “http://domain.com -> https://domain.com -> https://www.domain.com for example.September 15, 2017 at 1:33 pm #51863
An update to the Really Simple SSL multisite pro plugin has been released, including the hsts_preload option, which was not showing correctly. You should not get a preload option when you have enabled the HSTS option.
Your HSTS header should already work, but if it still doesn’t this can be caused by server settings. For exmple, if the url in plesk is http://www.domain.com, this can cause problems with HSTS.September 15, 2017 at 2:29 pm #51865
It was my bad. I moved to a new server with a fresh software install and forgot to enable Apache headers. Just one of the many things to remember when you start up a new server.
Thanks for your help and quick responses.September 15, 2017 at 4:37 pm #51896
Thanks for the update, great it’s working now!