PrestaShop 9 SSL Behind Reverse Proxy: The Ultimate Guide to Fixing Redirect Loops & Mixed Content

As e-commerce experts at Migrate My Shop, the PrestaShop Migration Hub, we frequently encounter complex technical challenges that impact store performance and security. One such common hurdle, especially with modern PrestaShop 9 deployments, involves correctly configuring SSL when your store sits behind a reverse proxy like Traefik, Nginx, Caddy, or Apache. This setup, while offering immense benefits for load balancing, security, and performance, often leads to frustrating redirect loops and mixed content warnings if not handled precisely.

This guide, inspired by a critical solution shared by MigrationPro on the PrestaShop forums, aims to provide a comprehensive, authoritative walkthrough to ensure your PrestaShop 9 store runs flawlessly with SSL terminated at your reverse proxy. Say goodbye to those pesky errors and hello to a secure, fully functional e-commerce experience!

The Challenge: PrestaShop's SSL Misinterpretation Behind a Proxy

Imagine your PrestaShop store as a house. Your reverse proxy is the gatekeeper, handling all incoming traffic. When a customer visits your site via HTTPS, the gatekeeper (proxy) decrypts the connection (SSL termination) and then forwards the request to your PrestaShop server using plain HTTP. From PrestaShop's perspective, it only ever sees unencrypted HTTP requests from the proxy, never the original HTTPS connection from the client.

This fundamental misinterpretation leads to a cascade of problems:

  • Infinite Redirect Loops: PrestaShop, believing it's running on HTTP, tries to redirect all traffic to HTTPS, but the proxy keeps sending HTTP, creating an endless loop.
  • Mixed Content Warnings: Your browser detects that while the main page is HTTPS, some resources (images, CSS, JS) are being loaded over HTTP, triggering security warnings and potentially breaking site functionality.
  • SSL Showing as "Disabled" in the Back Office: Despite your proxy handling SSL, PrestaShop's own configuration panel will incorrectly report SSL as inactive, preventing you from fully leveraging its features and potentially impacting module behavior.

Deep Dive into the Root Cause: The Missing $_SERVER['HTTPS'] Variable

PrestaShop, like many PHP applications, relies on the $_SERVER['HTTPS'] variable to determine if the current connection is secure. When SSL is terminated at the reverse proxy, this variable is simply never set in the PHP environment that PrestaShop sees. The proxy-to-backend connection is unencrypted, so the server hosting PrestaShop has no direct knowledge of the client's original HTTPS request.

Without this crucial piece of information, PrestaShop's internal logic for generating secure URLs, handling redirects, and validating payment gateway callbacks goes awry. This is where our targeted solution comes into play.

Illustration: How a reverse proxy handles SSL termination before forwarding requests to PrestaShop.

The Comprehensive Solution: A Four-Step Approach to SSL Harmony

To rectify PrestaShop's SSL detection, we need to explicitly inform it about the original client connection protocol. Here’s how to achieve this with a robust, upgrade-safe method.

Step 1: Configure Your Reverse Proxy to Forward Essential Headers

The first critical step is ensuring your reverse proxy passes along the necessary information about the original client request. Specifically, you need to forward the X-Forwarded-Proto, X-Forwarded-For, and Host headers. These headers tell PrestaShop about the client's original protocol, IP address, and requested domain.

  • Traefik: Good news! Traefik typically forwards these headers automatically, requiring no additional configuration on your part.
  • Nginx: For Nginx, you'll need to explicitly add these lines within your server or location block:
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
  • Apache: If using Apache as a reverse proxy, ensure your mod_proxy configuration includes directives like ProxyPreserveHost On and RequestHeader set X-Forwarded-Proto "https" env=HTTPS (or similar logic to dynamically set it based on the incoming scheme).
  • Caddy: Caddy's reverse_proxy directive also supports forwarding headers, often with a simple header_up X-Forwarded-Proto {http.request.scheme}.

Why this matters: These headers are the bridge between the client's original request and PrestaShop's understanding of it. Without them, PrestaShop remains oblivious to the true protocol.

Step 2: Tell PrestaShop to Trust the Proxy Header (The Key Fix)

This is the most crucial part of the solution. We will modify PrestaShop's configuration to read the X-Forwarded-Proto header and use it to set the internal $_SERVER['HTTPS'] variable.

Open your PrestaShop installation's config/defines.inc.php file. Add the following code snippet near the top, ideally after the initial PHP opening tag and any comments:

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

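This conditional checks whether the X-Forwarded-Proto header is present and set to 'https'. If it is, it sets $_SERVER['HTTPS'] to 'on', so PrestaShop treats the connection as secure. This immediately resolves most redirect loops and mixed content issues. Because any client can send an X-Forwarded-Proto header of its own, the check is only trustworthy when the proxy overwrites the header (as the Nginx proxy_set_header line in Step 1 does) and the PrestaShop backend accepts connections only from the proxy.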

Illustration: Adding the critical code snippet to config/defines.inc.php.
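
A stricter variant of the Step 2 check, as an added example (not code from PrestaShop or from the MigrationPro forum post): it honors X-Forwarded-Proto only when the request's REMOTE_ADDR belongs to a trusted proxy. The TRUSTED_PROXIES addresses and both function names are assumptions chosen for illustration; replace the addresses with the ones your proxy connects from.

```php
<?php
// Added example; not PrestaShop or MigrationPro code.
// Assumption: only the reverse proxy reaches PHP from these (constructed) networks.
const TRUSTED_PROXIES = ['127.0.0.1', '172.18.0.0/16'];

// True when $ip lies inside $cidr (IPv4 or IPv6; a bare address is an exact match).
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address or mixed IPv4/IPv6
    }
    $max = strlen($ipBin) * 8;
    $bits = $bits === null ? $max : (ctype_digit($bits) ? (int) $bits : -1);
    if ($bits < 0 || $bits > $max) {
        return false; // malformed prefix length: fail closed
    }
    $bytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    $mask = (0xFF00 >> ($bits % 8)) & 0xFF; // 0 when the prefix ends on a byte boundary
    return $mask === 0 || ((ord($ipBin[$bytes]) ^ ord($netBin[$bytes])) & $mask) === 0;
}

// True only when a trusted proxy reports that the client connection was HTTPS.
function forwarded_https(array $server, array $trusted = TRUSTED_PROXIES): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            // Assumes the proxy overwrites the header, as proxy_set_header does.
            $proto = explode(',', $server['HTTP_X_FORWARDED_PROTO'] ?? '')[0];
            return strtolower(trim($proto)) === 'https';
        }
    }
    return false; // direct connection: the header is client-supplied, so ignore it
}

if (forwarded_https($_SERVER)) {
    $_SERVER['HTTPS'] = 'on';
}

// Dry run on constructed requests; only fires when this file is run directly from the CLI.
if (PHP_SAPI === 'cli' && realpath($_SERVER['argv'][0] ?? '') === __FILE__) {
    var_dump(forwarded_https(['REMOTE_ADDR' => '172.18.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https']));
    var_dump(forwarded_https(['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https']));
}
```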

Step 3: Enable SSL in PrestaShop's Configuration

Even after Step 2, it's vital to formally enable SSL within PrestaShop's own settings. This ensures that internal links are generated correctly, and payment modules (which often check the database directly) function as expected.

  • Option A - Console (Recommended for PrestaShop 9): For a clean, command-line approach, use the PrestaShop console:
    php bin/console prestashop:config set PS_SSL_ENABLED --value 1
    php bin/console prestashop:config set PS_SSL_ENABLED_EVERYWHERE --value 1
  • Option B - Back Office: If you can access your Back Office without redirect loops (perhaps after Step 2), navigate to Shop Parameters > General. Set "Enable SSL" to "Yes" and "Enable SSL on all pages" to "Yes".
  • Option C - SQL (If Locked Out): If you're completely locked out due to persistent redirect loops, you can enable SSL directly in the database. Always back up your database before running SQL queries!
    UPDATE ps_configuration SET value = '1' WHERE name = 'PS_SSL_ENABLED';
    UPDATE ps_configuration SET value = '1' WHERE name = 'PS_SSL_ENABLED_EVERYWHERE';
    (Remember to replace ps_ with your actual database table prefix if it's different.)

Step 4: Verify Your Shop URL Settings

Finally, ensure your Shop URL settings are correctly configured. In your PrestaShop Back Office, go to Shop Parameters > Traffic & SEO > Shop URL. Make sure both "Shop domain" and "SSL domain" are set to your public domain (e.g., yourstore.com, without the https:// prefix).

Crucial Considerations & Best Practices for E-commerce Security

While the above steps provide a robust solution, keep these important points in mind for long-term stability and security:

  • Upgrade Safety: Modifying config/defines.inc.php is generally safer than editing core files like classes/Link.php, which are frequently overwritten during PrestaShop updates. However, always re-verify your defines.inc.php file after major PrestaShop upgrades to ensure your custom code is still in place.
  • Payment Modules: Modules like PayPal, Stripe, and other payment gateways often perform their own checks for SSL status, sometimes directly querying the ps_configuration table. This is why Step 3 is critical, even if Step 2 makes your site appear secure.
  • Avoid Core File Edits: As mentioned, never edit classes/Link.php or any other core PrestaShop file. Such modifications will be lost during updates and can lead to unexpected behavior or security vulnerabilities.
  • Proxy-Specific Headers: Remember that while Traefik is often plug-and-play, Nginx, Apache, and Caddy require explicit configuration for forwarding X-Forwarded-Proto. Always consult your proxy's documentation.
  • Performance and SEO: A correctly configured SSL setup is not just about security; it's a significant factor for SEO rankings and builds customer trust. Mixed content warnings can deter visitors and negatively impact your search engine visibility.

Why This Matters for Your PrestaShop E-commerce Store

For any e-commerce business, a secure and reliable online presence is paramount. SSL encryption protects sensitive customer data, builds trust, and is a non-negotiable requirement for modern web standards and payment compliance. By correctly configuring PrestaShop 9 behind your reverse proxy, you ensure:

  • Enhanced Security: All data transmitted between your customers and your store is encrypted.
  • Improved SEO: Google favors HTTPS sites, giving them a ranking boost.
  • Customer Trust: The padlock icon in the browser instills confidence, leading to better conversion rates.
  • Payment Gateway Compatibility: Seamless integration with all major payment processors.
  • Compliance: Meeting PCI DSS and other industry security standards.

This solution, refined and shared by the community, is a testament to the power of collaborative problem-solving. If you're embarking on a complex PrestaShop migration or facing other intricate technical challenges, remember that expert assistance is just a click away. At Migrate My Shop, we specialize in seamless PrestaShop migrations and advanced configurations, ensuring your e-commerce platform is robust, secure, and ready for growth.

We hope this comprehensive guide saves you countless hours and helps you achieve a perfectly secure PrestaShop 9 setup. Feel free to share your experiences or ask questions in the comments below!
