Secure certificate registration – ensure you choose ‘www’ or not

I’ve been helping a client move their website from their existing host to a new one, as their old host is closing down.

This was quite straightforward once they’d decided to only move the site I had written the code for, not another which was a complicated unknown entity.

The only wrinkle was they have a secure certificate to give them an https connection and we had to register a new certificate as part of the move. I did this through their host at their request, but hadn’t realised that most SSL certificates are specific to the domain, including the sub-domain. This was a mistake as they used the ‘www’ version of their address for their website, and I registered the new certificate for the non-www version.

To stop this being a problem, I put a redirect in to the .htaccess file to redirect all traffic to the non-www version on the secure connection:

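RewriteEngine on
# %1 = the host name without the leading "www." (captured by the RewriteCond)
RewriteCond %{HTTP_HOST} ^www\.(.*)
# $1 = the requested path (captured by the parentheses in the RewriteRule pattern)
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]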

The only further foible was as this was an existing site, Google had indexed the site, and shows the https version in the search results, even though the home page is not explicitly https. Now, because it points people to the https://www version of the site, it shows an unsecure error before showing the site, because the certificate isn’t valid for that on the new site.
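The browser validates the certificate during the TLS handshake, before the server can send any redirect, so a redirect rule on the new host cannot help visitors who arrive at the https://www address. The sketch below is an added example (not code from the original post) that checks which hostnames a certificate’s subject alternative names (SANs) would cover before you order it; the matching is a simplified RFC 6125-style check, and the example.com names and SAN lists are constructed sample data.

```python
# Added example: which of a site's hostnames does a certificate cover?
# All hostnames and SAN lists here are constructed sample data.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(hostname, san):
    """Simplified RFC 6125-style match of a hostname against one SAN entry."""
    host, pat = _labels(hostname), _labels(san)
    if len(host) != len(pat):
        # A wildcard stands for exactly one label, so label counts must agree.
        return False
    if pat[0] == "*":
        # Wildcard is honoured only as the whole leftmost label, and never
        # directly under a top-level domain (e.g. "*.com").
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def uncovered(served_hostnames, san_list):
    """Hostnames visitors use that no SAN entry covers (browser warning)."""
    return [h for h in served_hostnames
            if not any(san_matches(h, s) for s in san_list)]

# Names that visitors, bookmarks and search results actually use.
SERVED = ["example.com", "www.example.com"]

BARE_ONLY = ["example.com"]                      # the mistake described above
BOTH_NAMES = ["example.com", "www.example.com"]  # covers both addresses
WILDCARD_ONLY = ["*.example.com"]                # covers www, not the bare domain

if __name__ == "__main__":
    for label, sans in [("bare domain only", BARE_ONLY),
                        ("both names", BOTH_NAMES),
                        ("wildcard only", WILDCARD_ONLY)]:
        missing = uncovered(SERVED, sans)
        print(f"{label}: {'OK' if not missing else 'not covered: ' + ', '.join(missing)}")
```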

Solution?

  • Used Google Search Console (AKA Webmaster Tools) to update the preference to the non-www name
  • Updated the DNS of the www. version to point to the old server while it is still working
  • Added the above .htaccess redirect on the old server to point everyone across to the secure version of the non-www address
  • Created a new XML sitemap of the site at the secure, non-www address and re-submitted it to Google Search Console
  • Wrote an apologetic e-mail to the client explaining the mistake
  • Wrote this blog post and linked to the new site address to help the non-www address get indexed

All this means – searchers go to the old host so no security warning, then get forwarded to the new host while we wait for Google to respond to the preference change. I hope it comes through quickly.

And now I’ll go back to my scheduled work a wiser, if more tired, man.

Sending a push notification to your browser or mobile with ColdFusion and Push Engage

Push Engage is a service which lets you easily send push notifications to a browser or mobile phone, using a little code on your website. It’s very easy to set up and they currently have a very generous free account, allowing you to send a notification to up to 2,500 browsers/devices.

I’m using it as part of some alerts in the background of a client’s website. They’re using ColdFusion, so I needed to work out the code to send the alert from them. The API documentation on Push Engage has an example in PHP, but it’s very simple to convert. Here’s a CFHTTP call that will send a notification:

<cfset api_key = "(your API key here)">

<cfhttp method="Post"
url="https://www.pushengage.com/apiv1/notifications">

<cfhttpparam type="header"
value="#api_key#"
name="api_key">

<cfhttpparam type="Formfield"
name="notification_title"
value="The text for the alert title">

<cfhttpparam type="Formfield"
name="notification_message"
value="The smaller text of the message of the notification">

<cfhttpparam type="Formfield"
name="notification_url"
value="http://www.example.com/">
</cfhttp>

I’ve already followed their steps for adding Javascript to a page on the website, visiting it using a browser on my computer and my phone and accepting notifications from the site. Now, when I trigger the page with this on, I get a notification a few moments later. Lovely!

Thanks to Dave Child for introducing me to Push Engage.

 

Worried about the Google mobile update? Check your Google Analytics first

If your website is not suitable for easy use on a mobile, i.e. it’s not ‘responsive’ or you do not have a version of the website just for mobile phone users, you will be affected by the Google update coming next week. Basically, if someone searches on their mobile phone, they won’t see your website in Google’s search results any more. However, if they search on their laptop or larger computer, they will see it as they do now.

I’m seeing a lot of scare mongering on social media about this and articles which are prodding people towards panic. Before you get too worried, please remember this affects:

  • People using their smartphones to search Google and find your website

Here is how you find out how many people that is, if you use Google Analytics:

Login to Google Analytics and go to the report for your website.

On the menu on the left, click ‘Audience’ (this will probably already be chosen,) then ‘Mobile’, then ‘Overview’

Google Analytics - mobile overview

This shows you how many mobile users you have looking at the website. The screenshot above is for one of my personal websites, so the traffic generally is quite low. In this case, I had 102 visitors to the site using their mobile phone to view it in the last 30 days.

However, that doesn’t tell me how many will be affected by this Google update. For that, I need the number coming from Google’s natural search results. So, to find those:

Click ‘Secondary dimension’, then ‘Acquisition’, then ‘Source / Medium’

Choosing where people have come from

Look down the list and find the line which says ‘mobile’ and ‘google / organic’. If it’s not immediately visible, try making the ‘show rows’ bigger in the drop down list under the table of results.

Affected mobile visitors

So for this website, I had 61 visitors come through Google search to the website on their mobile phones in the last 30 days. This website isn’t built in a responsive way, so basically I’m likely to lose that after the Google update comes out.

I don’t want to lose that, but then again, I’m also very busy at the moment and don’t have time to re-build the CSS and potentially the HTML of the website, so I’m just going to have to put up with that. It’s not great, but it’s 7% of my traffic. That’s not going to kill the website.

Checking through my client’s websites, I’m seeing mobile use between 15% and 40%, and traffic from Google’s natural search results – remember, the bit that will actually be affected by this change – being between 2.5% – 13% and one outlier at 29%.

If you’re a business and have Goals set up, it’s worth digging further in to Google Analytics to see how many visitors using their mobiles are converting in to customers – although this becomes tricky, as people often research on their phone, then buy on their computer.

If you’re thinking of doing a quick conversion to a responsive website, check your Analytics first. If you’re only going to lose a small percentage of visitors, it will be worth considering not doing a hurried conversion, but holding off and giving it some more thought and doing a better update when you’ve had more time to work out what you want done. Yes, you’ll lose some traffic in the short term, but doing a hurried conversion that doesn’t work quite right won’t get you any more sales anyway. Don’t react just because the update is coming in now, improve your website by making it work better on phones because you want to give those visitors a good experience of your business.

Setting up ColdFusion 11 and SQL Server Express 2014 on Windows 8

Recently I installed Windows 8.1 in a virtual machine so I could set up IIS, ColdFusion (Developer version) and SQL Server (Express), which would match some of my client’s hosting well enough to use as a test environment.

SQL Server Express and ColdFusion developer edition can be used for free by developers, which makes this a nice, low cost development environment.

I hit big problems trying to get ColdFusion to talk to SQL Server Express, so I thought I ought to document the setup process for next time I tried and hit these problems. Sorry if you’re reading this and some of the notes are not detailed enough, I’ve set up ColdFusion and SQL Server enough times that the basics have stuck, if you need more help you might find it useful to search YouTube for help videos.

Setting up SQL Server Express 2014

Download SQL Server Express 2014 and run the installer. This all worked fine so just Google for wherever Microsoft are putting the installers now (which is a different place whenever I look, which is several years apart.) Try to find out if you’ve got a 32bit or 64bit version of Windows first, as you need to download the version which matches your Windows.

Setting up IIS

Go in to Windows settings > Control Panel > Programs > Turn Windows features on and off

I’m not sure I needed all of these, but I ended up turning them on while trying to solve problems:

Tick all of these (where nested, tick the ones inside the nest, not just to install everything):

.Net framework 3.5
.Net framework 4
Within Internet Information Services:
– Web Management Tools:
– – IIS 6 Management Compatibility
– – – IIS Metabase and IIS 6 configuration compatibility
– – IIS Management Console
– – IIS Management Service
– World Wide Web Services:
– – Application Development Features:
– – – .Net Extensibility 3.5
– – – .Net Extensibility 4.5
– – – ASP.NET 3.5
– – – ASP.NET 4
– – – CGI
– – – ISAPI Extensions
– – – ISAPI Filters
– – Common HTTP Features:
– – – Default Document
– – – Directory Browsing
– – – HTTP Errors
– – – HTTP Redirection
– – – Static Content
– – Health and Diagnostics:
– – – HTTP Logging
– – Performance Features:
– – – Dynamic Content Compression
– – – Static Content Compression
– – Security:
– – – Request Filtering

Setting up ColdFusion 11

Download from http://coldfusion.adobe.com

Run the installer

Choose the option to install a standalone web server, then, later in the install options you can choose to connect it up to IIS.

Setting up a database user in SQL Server Express 2014

In SQL Server Management Studio

Create a database:

Right click on Databases in the left column ‘Object Explorer’ > ‘New Database…’ and run through the short form

Create a user:

In left column ‘Object Explorer’, click on Security, right click on ‘Logins’ > ‘New Login…’

Add a new user, e.g. ‘CFUser’

Choose SQL Server authentication, give it a password.

Uncheck ‘Enforce password policy’

In the ‘Default Database’ drop down, change it to your new database

On the left hand ‘Select a page’ click on ‘User Mapping’

Tick your new database, then further down add them as a type of user to the database – ‘db_datareader’ & ‘db_datawriter’

Configuring Windows Firewall to allow access to SQL Server

As per these instructions from Microsoft I ran WF.msc then set up an Inbound Rule to allow TCP on port 1433 for local use.

Configuring security to allow ColdFusion to get data from SQL Server Express 2014

Apparently by default, SQL Server Express doesn’t allow remote connections, but configuring it to allow a remote connection so ColdFusion could get data from it was very hard, as the 2014 version of SQL Server Express is more locked down than previous versions. I wouldn’t have got it working without this Stackoverflow question about SQL Server Express 2012.

Open ‘SQL Server Configuration Manager’ (by searching for ‘SQL Server configuration’ on the Start screen.)

Under ‘SQL Server Network Configuration’ > ‘Protocols for SQLEXPRESS’:

Change ‘Named Pipes’ to ‘Enabled’ (by right clicking) (I’m not sure this step is necessary, as I found it in a bit of advice while I was still trying to get everything working.)

Change ‘TCP/IP’ to ‘Enabled’, then right click again and choose ‘Properties’

Under ‘IP2’ set the IP address to be that of the computer’s IP address on the local subnet (I found this out by running ‘netstat -a’ on the command line and looking down for port 1433 while I was trying something else, I’m sure there’s an easier way of finding it.)

Scroll down to the settings for IPAll.

Make sure ‘TCP Dynamic Ports’ is blank (not the 5 digit number that mine had in there by default.)

Make sure the ‘TCP Port’ is set to ‘1433’ (mine was blank by default.)

You may also need to go to ‘Services’ (by searching for it in Windows) and turn on the SQL Server Browser service (and set it to run automatically) – I already had mine turned on during other debugging, and I’ve read different advice on whether it should be on or off.

Some of the settings for SQL Server don’t take until you’ve re-started the SQL Server service. I think in the end I restarted Windows to be sure things were going to take long-term.

After all of this, I was able to go in to ColdFusion administrator and successfully set up a datasource using the database user I’d set up. Just getting SQL Server and ColdFusion to talk to each other was 3-4 hours of messing about with my settings, hence writing up these notes to make it easier next time.

The Zopim chat widget and Google processing Javascript when crawling

A client contacted me with an odd problem recently. When searching for their own company name in Google, this is the snippet beneath the link to their site:

“We’re sorry! Seems no one can serve you now. If you leave your email address, we’ll get back to you soon.”

Ah, I thought, they’ve got some odd text in their page somewhere, and Google has picked up on it. So I look at the source of their home page and… no sign of the text. No use of “sorry” at all.

So, maybe this is an old cache of the page and the text has changed. I check the source of the cached page in Google, nope. Now, maybe the cache is a different version from what’s being used to build the snippet, but that’s unlikely and the client says they haven’t ever had the sorry text on the page.

So I checked whether anyone else is having this problem by searching for the exact start of the phrase in Google.

Lots of results, all with the same snippet text:

Google Search results for "We're sorry. It seems no one can serve"

Opening up a few of the pages I can see they’re all using the same chat widget from Zopim.

Sensibly, if you try to use the chat widget when no one is available, Zopim will show a friendly message saying no one can be contacted. However, it’s not the same message as I’m seeing in the snippet.

So, I right-click on one of the pages in Chrome and use ‘Inspect Element’, this is using Chrome’s developer tools to see what’s on the page when it’s finished being made, including any changes Javascript code may have made to it. However, searching still doesn’t show the word ‘sorry’.

I’m running out of ideas now, so use a small script to grab the source of the client’s page as if it was a search engine crawler. Definitely no phrase in there, or use of the word ‘sorry’.

I remember Firebug in Firefox runs a little differently to Chrome’s developer tools, so use that to check a page. Hey presto, there’s the “We’re sorry…” text. Setting up the screenshot, I click on the little ‘f’ you can see below. That’s the Flashblock extension at work, in Firefox I have to click on any area where Flash wants to run. I installed it to stop obnoxious adverts running. However, when I allowed Flash to run, the message I was looking for disappeared.

So, when Google is crawling the web, it is running Javascript. That’s the only way that it could have seen this text that it’s grabbed as the snippet. It does not run Flash content, otherwise it would not have seen this message.

We're sorry text in source of the page
(Note, not my client. I’m under NDA with them so I’m not saying who they are.)

I’ve heard rumours of Google running Javascript within its crawler for years. I’ve seen it able to get at pages that some Javascript navigation had hidden away, although only when that navigation was using very common scripts like the ones that come in Dreamweaver, or sites using the #! URL schemes like Twitter did for a while. This is the first time I’ve seen it definitely run Javascript, and also pluck out a message only revealed by Javascript in to the search results snippet.

Does this mean we can be sure Google will crawl all of the content on a site using Javascript to load all of its content? No, I would say this current crawling is experimental – choosing the “We’re sorry…” text for the snippet on the brand search that kicked off my investigation was a very poor choice given the other text available on the page. I can only think they did this because the text was very high up on the page, within the <head> section. Does it point to them doing more and more to crawl the web ‘naturally’, as most web users do? Yes.

As more and more content gets hidden away behind AJAX and snazzy, Javascript-run interfaces, Google will have to put more and more effort in to being able to crawl that content effectively. This is proof they are doing that, if imperfectly.

If you use the Zopim chat widget, you may want to move the block of Javascript you put in the <head> down to the footer of the page and check if the chat still works. You don’t want a useless snippet in a brand search for your company just because of the chat service you’re using.