SSL on multi site and multiple domains

This is an open forum for any mojoPortal topics that don't fall into the other categories.

This thread is closed to new posts. You must sign in to post in the forums.
4/30/2012 11:46:20 AM
Total Posts 27
Hybrid coding since
the dawn of time.

SSL on multi site and multiple domains


I currently have my main site on and my language specific versions on / / ... as child sites.

I would like to put everything on ssl. What would be the best way to approach this ?

I guess I will have to redirect my language tlds to either: (how is this possible with mojoportal ? where I could use a free single domain certificate)

or (where I would have to buy a multiple host certificate)


are there better ways?





4/30/2012 12:00:35 PM
Total Posts 1203
Proud member of the mojoPortal team

Help support mojoPortal!
Add-on modules

Re: SSL on multi site and multiple domains

I think you outlined the two choices pretty well. The first method would be using Multiple Sites Based on Folder Names. The second method would be Multiple Sites Based on Host Names, and you'd use a wildcard SSL certificate. You'll just need to choose the one that best fits your needs. Be sure to look at the limitations section of the Folder Names option, since that may impact which way you go.


5/3/2012 2:46:58 PM
Total Posts 27
Hybrid coding since
the dawn of time.

'orange' and 'red' https

The folder names works fine for me, thanks. (it's ok for users to be logged in on the subsites)

I have been looking into ssl a bit more and I start to understand why so many sites are insecure.

Plenty of pages show the 'orange' https because of affiliate links, eg. Amazon, TradeTracker, ... and it seems that those links don't work on https. The other orange pages I get because of the feed manager including http instead of https.

Even worse, when using chrome it seems that once I hit a page with a 'red' https, it keeps on displaying this on all the pages until I visit another site and come back.

This 'red' https is the worst, your page is more secure then the average page on the net and it looks for the users that it is terribly insecure.

Any ideas?

5/3/2012 3:07:11 PM
Total Posts 18439

Re: SSL on multi site and multiple domains

Anything on the page (typically images, javascript, iframes or css links) that has src="http:// will cause the browser warning about insecure content on the page if the outer page is using https. For internal things you can just use relative urls like src="/

It is only src= that you need to worry about href="http: won't cause any errors because it doesn't load anything into the page like src= does.

For links to external javascript or images or css you must hope that they support ssl or decide to remove that from the page. The modern technique for linking to external resources is to do it without the protocol like src="//www.somothersite/someptherresource

// will make it use https if the containing page is using https or you can always use src="https:// since that won't cause any problems on pages that don't use ssl and will prevent problems on pages that do. But for some things https may not be supported and it is best not to use them. You can change them to https then use firebug network tab, if any of the fail to load using https then it is not supported and your only solution is to remove them.

I know Chrome is the worst about showing the red slash even on other pages after you visit any page with insecure content. Most thing built into mojoPortal are designed to use https if the page is using it. I changed not long ago from using IntenseDebate comment system to using Disqus because Disqus has beeter support for https. But just a few days ago I started seeing the red slash in Chrome pon this site and it was caused by a change in Disqus, I had to contact them and they fixed it for my account so this site should be fine on all pages now.

So you need to go through each page where you see the browser warning and inspect the html for src=:http:

You may need to use Firebug or browser tools to find them because sometimes additional non-secure javascript is loaded by other javascript that is using https.

These days it is more important  than ever to use SSL and you should use the config settings to prevent cookies from being passed when not using SSL as discussed in the article Use SSL. You'll notice on this site if you visit a page without https it appears that you are not logged in, that is because we have it configured to only pass cookies on secure requests, so as soon as you click the link to sign it it goes back to a secure page and if you were already logged in it sees your cookies again and knows you are already logged in.

Hope that helps,


You must sign in to post in the forums. This thread is closed to new posts.