Force SSL in Sub-Directory C5 install

Permalink Browser Info Environment
My C5 install ( is in a sub-directory of the root for a special application:
I merely want to secure the login, then revert back to http for other pages.

The Force SSL addon attempts to work, in that a page secured via the properties of the page redirects to https, however the secured page produces the browser error:
"Too many redirects occurred trying to open"... (Safari) or "This webpage has a redirect loop." (Chrome).

Also, when a page is secured, even though pretty urls is activated the secured web address adds in the 'index.php': (not sure if that is part of the issue).

What do I need to do to get the Force SSL to work where the C5 install is in a subdirectory?


Type: Discussion
Status: New
View Replies:
jbx replied on at Permalink Reply
Hi there,

Sub directory should not cause any problems. Most likely, your BASE_URL_SSL is incorrect. Check the setting in the dashboard page, in particular whether or not you have included the www. if required.

Also, ensure the SSL is properly configured and enabled first. The easiest way to do this is to simply uninstall the addon and then attempt to visit the page in https - make sure it works without the addon.

Once you have checked these things, then please get back to me and let me know how you got on.

To get rid of the index.php, you need to add
define('URL_REWRITING_ALL', true);
to your site.php file.

Hope that helps!
mlipenk replied on at Permalink Reply
https seems to work without the plug-in, but some of the content referenced within the page is still considered insecure (theme images, google fonts). This seems to be indicative of a C5 issue.

Also, when the site is https in edit mode, the "Page Properties" form throws errors such as "This form will be sent in a way that is insecure"... and the form just sits and spins upon saving. And in the inspector console: Unsafe JavaScript attempt to access frame with URL from frame with URL The frame requesting access has a protocol of 'https', the frame being accessed has a protocol of 'http'. Protocols must match.

Not sure why C5 is not simply applying the https to all referenced local resources within the site...

I thought maybe the Force SSL would let me secure just the login page and avoid all these other errors produced by the entire site being https.

concrete5 Environment Information

Browser User-Agent String

Hide Post Content

This will replace the post content with the message: "Content has been removed by an Administrator"

Hide Content

Request Refund

You have not specified a license for this support ticket. You must have a valid license assigned to a support ticket to request a refund.