
INP-1903 - Disallow opening a website on unsupported domains/protocols
Status: Accepted (Public)

Authored by alex on Wed, Mar 5, 10:29 AM.

Details

Reviewers
erik
Test Plan
IMPORTANT: Replace test.domain.com with the domain you're using during test execution.

Preconditions

  1. the HTTP status code of the page can be seen in the Network tab of the web browser inspector
  2. the check for a not allowed domain/protocol combo looks like this:
    • with Debug Mode disabled:
      • the page is blank
      • the HTTP 404 error code sent
    • with Debug Mode enabled:
      • the page displays a debugger toolbar and the text "The "..." protocol/domain combo is not allowed." (the "..." is replaced with the used domain/protocol)
      • the HTTP 404 error code sent
  3. used domains:
    • test.domain.com - base domain for testing
    • sd1-http.test.domain.com - domain, where 1st site domain could be accessed via http:// protocol
    • sd1-https.test.domain.com - domain, where 1st site domain could be accessed via https:// protocol
    • sd2-http.test.domain.com - domain, where 2nd site domain could be accessed via http:// protocol
    • admin1-https.test.domain.com - domain, where Admin Console can be accessed over https
    • admin2-https.test.domain.com - domain, where Admin Console can be accessed over https
    • front-https.test.domain.com - domain, where Front-End can be accessed over https

Preparations

IMPORTANT: Don't apply the patch yet.
  • in any editor:
    1. open the OS-specific hosts file (the C:\Windows\System32\drivers\etc\hosts on Windows; the /etc/hosts on macOS/Linux) for editing as Administrator
    2. add entries for each of the above-shown domains in there (e.g. if you have an "aaa.bbb.ccc.ddd test.domain.com" entry, then add an "aaa.bbb.ccc.ddd sd1-http.test.domain.com" entry and so on)
    3. save changes
  • in the IDE:
    1. open the /system/config.php file for editing
    2. set the $_CONFIG['Misc']['Domain'] setting to the test.domain.com
    3. save changes
    4. open the themes/advanced/index.tpl file for editing
    5. add the [Site Domain ID: <inp2:site-domain.current_Field name="DomainId"/>]<br/> line above the <inp2:st_ContentBlock num="1"/> line
    6. save changes
  • in the Admin Console:
    1. login to the Admin Console by accessing it on the test.domain.com domain over http:// protocol
    2. go to the Configuration > Website > Advanced section
    3. clear these system settings:
      • SSL Domain (www.domain.com)
      • SSL Domain for Administrative Console (www.domain.com)
    4. uncheck these system settings:
      • Require SSL for login & checkout
      • Require SSL for Administrative Console
    5. set the Session Cookie Domains (single domain per line) system setting to this value (multi-line):
test.domain.com
admin1-https.test.domain.com
admin2-https.test.domain.com
front-https.test.domain.com
    6. save changes
    7. go to the Configuration > Website > Site Domains section
    8. add 1st site domain with Domain Name=sd1-http.test.domain.com and SSL Domain Name=sd1-https.test.domain.com
    9. add 2nd site domain with Domain Name=sd2-http.test.domain.com
    10. logout from the Admin Console
    11. delete all cookies
  • apply the patch

Part 1 - access Admin Console over SSL, when it's not configured

  1. open the Admin Console login screen using test.domain.com and http:// protocol
  2. confirm, that:
    • domain/protocol combo is allowed
    • you're on the Admin Console login screen
  3. open the Admin Console login screen using test.domain.com and https:// protocol
  4. confirm that domain/protocol combo is forbidden

Part 2 - access Admin Console over SSL, when it's configured

  1. open the Admin Console login screen using test.domain.com and http:// protocol
  2. go to the Configuration > Website > Advanced section
  3. set SSL Domain for Administrative Console (www.domain.com) system setting to the admin1-https.test.domain.com
  4. save changes
  5. confirm that you stayed on the same page (the settings page)
  6. logout
  7. confirm, that:
    • you stayed on the same domain/protocol
    • you're seeing an Admin Console login screen
    • you stayed on the admin1-https.test.domain.com domain and http:// protocol (deleted, because it was a copy/paste error)
  8. try changing the domain in the URL to admin1-https.test.domain.com, but keep the protocol as-is (http://)
  9. confirm that domain/protocol combo is forbidden
  10. try changing the protocol in the URL to https://, but keep the domain as-is (admin1-https.test.domain.com)
  11. if the Redirect to HTTP when SSL is not required system setting is enabled, then confirm that you've stayed on the Admin Console login screen using test.domain.com and http:// protocol
  12. if the Redirect to HTTP when SSL is not required system setting is disabled, then confirm that you've stayed on the Admin Console login screen using admin1-https.test.domain.com and https:// protocol

Part 3 - changing Admin Console SSL domain

NOTE: Disable the Redirect to HTTP when SSL is not required system setting while on the test.domain.com domain using http:// protocol to test this.
  1. open the Admin Console login screen using admin1-https.test.domain.com and https:// protocol
  2. go to the Configuration > Website > Advanced section
  3. set SSL Domain for Administrative Console (www.domain.com) system setting to the admin2-https.test.domain.com
  4. save changes
  5. confirm, that:
    • you stayed on the same protocol
    • you're seeing an Admin Console login screen
    • (would only work if you've enabled Memcache support) you were redirected to the admin2-https.test.domain.com domain and stayed on the https:// protocol
  6. open the Admin Console login screen using admin1-https.test.domain.com and https:// protocol
  7. confirm that domain/protocol combo is forbidden

Part 4 - dual (http & https) site domain access checking

  1. open the sd1-https.test.domain.com using https:// protocol
  2. confirm, that:
    • domain/protocol combo is allowed (you'll be redirected to sd1-http.test.domain.com using http:// protocol unless the Redirect to HTTP when SSL is not required system setting is disabled)
    • you're seeing [Site Domain ID: 1] text (replace 1 with ID of 1st created site domain)
  3. open the sd1-https.test.domain.com using http:// protocol
  4. confirm that domain/protocol combo is forbidden
  5. open the sd1-http.test.domain.com using http:// protocol
  6. confirm, that:
    • domain/protocol combo is allowed
    • you're seeing [Site Domain ID: 1] text (replace 1 with ID of 1st created site domain)
  7. open the sd1-http.test.domain.com using https:// protocol
  8. confirm that domain/protocol combo is forbidden

Part 5 - single (http) site domain access checking

  1. open the sd2-http.test.domain.com using http:// protocol
  2. confirm, that:
    • domain/protocol combo is allowed
    • you're seeing [Site Domain ID: 2] text (replace 2 with ID of 2nd created site domain)
  3. open the sd2-http.test.domain.com using https:// protocol
  4. confirm that domain/protocol combo is forbidden

Part 6 - single (http) main website access checking

  1. open the test.domain.com using http:// protocol
  2. confirm, that:
    • domain/protocol combo is allowed
    • you're seeing [Site Domain ID: 0] text
  3. open the test.domain.com using https:// protocol
  4. confirm that domain/protocol combo is forbidden

Part 7 - dual (http & https) main website access checking

  1. open the Admin Console login screen using test.domain.com and http:// protocol
  2. go to the Configuration > Website > Advanced section
  3. set SSL Domain (www.domain.com) system setting to the front-https.test.domain.com
  4. save changes
  5. logout
  6. open the test.domain.com using http:// protocol
  7. confirm, that:
    • domain/protocol combo is allowed
    • you're seeing [Site Domain ID: 0] text
  8. open the front-https.test.domain.com using https:// protocol (you'll be redirected to test.domain.com using http:// protocol unless the Redirect to HTTP when SSL is not required system setting is disabled)
  9. confirm, that:
    • domain/protocol combo is allowed
    • you're seeing [Site Domain ID: 0] text
  10. open the front-https.test.domain.com using http:// protocol
  11. confirm that domain/protocol combo is forbidden

Part 8 - front-end SSL domain used in admin

  1. open the Admin Console login screen using test.domain.com and http:// protocol
  2. go to the Configuration > Website > Advanced section
  3. set SSL Domain (www.domain.com) system setting to the front-https.test.domain.com
  4. clear SSL Domain for Administrative Console (www.domain.com) system setting
  5. save changes
  6. logout
  7. open the Admin Console login screen using front-https.test.domain.com and https:// protocol (you'll be redirected to test.domain.com using http:// protocol unless the Redirect to HTTP when SSL is not required system setting is disabled)
  8. confirm, that:
    • domain/protocol combo is allowed
    • you see the login screen
  9. open the Admin Console login screen using front-https.test.domain.com and http:// protocol
  10. confirm that domain/protocol combo is forbidden
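The expectations in Parts 1 to 8 reduce to one rule, which the following added Python model (not In-Portal's code) encodes: a request is allowed only over http:// on the main domain or on a site domain's Domain Name, and only over https:// on the matching configured SSL domain; every other combination gets the 404 described in the preconditions, and an allowed https:// request is bounced back to http:// with a 302 while the Redirect to HTTP when SSL is not required setting is enabled. The dataclass field names, the redirect target and the exact debug message wording are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class SiteDomain:
    domain_id: int
    domain: str                        # "Domain Name", served over http://
    ssl_domain: Optional[str] = None   # "SSL Domain Name", served over https://

@dataclass
class Settings:
    domain: str                          # $_CONFIG['Misc']['Domain'], the main website
    ssl_domain: str = ""                 # "SSL Domain (www.domain.com)"
    admin_ssl_domain: str = ""           # "SSL Domain for Administrative Console (www.domain.com)"
    redirect_to_http: bool = True        # "Redirect to HTTP when SSL is not required"
    site_domains: List[SiteDomain] = field(default_factory=list)

def allowed_combos(cfg: Settings, admin: bool) -> Dict[Tuple[str, str], Tuple[int, str]]:
    """Allowed (protocol, host) -> (site domain id, plain-http host); 0 = main website."""
    combos = {("http", cfg.domain): (0, cfg.domain)}
    if admin:
        # Admin Console: https only on its own SSL domain, or on the front-end SSL
        # domain when the admin one is cleared (Part 8). Assumption: site domains
        # are never admin hosts; the plan does not exercise that case.
        ssl = cfg.admin_ssl_domain or cfg.ssl_domain
        if ssl:
            combos[("https", ssl)] = (0, cfg.domain)
        return combos
    if cfg.ssl_domain:
        combos[("https", cfg.ssl_domain)] = (0, cfg.domain)
    for sd in cfg.site_domains:
        combos[("http", sd.domain)] = (sd.domain_id, sd.domain)
        if sd.ssl_domain:
            combos[("https", sd.ssl_domain)] = (sd.domain_id, sd.domain)
    return combos

def handle(cfg: Settings, protocol: str, host: str, admin: bool = False,
           ssl_required: bool = False, debug_mode: bool = False) -> Tuple[int, str]:
    """(status, body or Location): 404 for a forbidden combo (blank unless Debug Mode
    shows the message), 302 when an allowed https request is bounced to http, else 200."""
    match = allowed_combos(cfg, admin).get((protocol, host))
    if match is None:
        # Assumption: the page does not show how "..." is filled in; this is one guess.
        msg = f'The "{protocol}://{host}" protocol/domain combo is not allowed.'
        return 404, (msg if debug_mode else "")
    domain_id, http_host = match
    if protocol == "https" and cfg.redirect_to_http and not ssl_required:
        return 302, f"http://{http_host}/"
    return 200, ("Admin Console login screen" if admin else f"[Site Domain ID: {domain_id}]")
```

Running the plan's Parts against this model with a browser-captured status code next to each expected value is a quick way to spot which Part a real deployment diverges on.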

Diff Detail

Repository
rINP In-Portal
Branch
/in-portal/branches/5.3.x
Lint
Lint Errors (Excuse: Unrelated.)
Severity | Location | Code | Message
Error | core/kernel/processors/main_processor.php:180 | PHPCS.E.CodingStandard.Commenting.FunctionComment.Missing | CodingStandard.Commenting.FunctionComment.Missing
Error | core/kernel/processors/main_processor.php:180 | PHPCS.E.Squiz.Scope.MethodScope.Missing | Squiz.Scope.MethodScope.Missing
Unit
No Unit Test Coverage
Build Status
Buildable 11065
Build 3765: arc lint + arc unit

Event Timeline

alex created this revision.Wed, Mar 5, 10:29 AM
alex requested review of this revision.Wed, Mar 5, 10:29 AM
alex edited the test plan for this revision. (Show Details)Wed, Mar 5, 10:31 AM
alex edited the test plan for this revision. (Show Details)
erik requested changes to this revision.Thu, Mar 6, 6:27 AM

All tested, here is a list of possible differences from the test plan expectations.

Part 2.7 confirm you stayed on the admin1-https.test.domain.com domain and http:// protocol - NO, STAYED ON same domain/protocol test.domain.com
Part 2.11 confirm that you see the login screen YES, BUT after immediate auto redirect (code 302) to the base domain/protocol test.domain.com
Part 3.1 open the Admin Console login screen using admin1-https.test.domain.com and https:// protocol - IMPOSSIBLE due to auto-redirect (code 302) to the base domain/protocol test.domain.com
Part 3.3
confirm, that:
you're stayed on the same protocol - YES, but it is base domain/protocol test.domain.com
you're seeing an Admin Console login screen - NO, I see adm.console configuration section
(would only work if you've enabled Memcache support) you redirected to the admin2-https.test.domain.com domain and stayed on the https:// protocol - NO, it is base domain/protocol test.domain.com (Memcache support enabled)
Part 4.1 - open the sd1-https.test.domain.com using https:// protocol - WARNING - auto-redirect happens to sd1-http.test.domain.com
Part 7.9 - IMPOSSIBLE due to auto-redirect to the base domain/protocol test.domain.com
Part 8.8 - YES, but there happened auto-redirect to base domain/protocol test.domain.com

This revision now requires changes to proceed.Thu, Mar 6, 6:27 AM
alex edited the test plan for this revision. (Show Details)Mon, Mar 10, 5:34 AM
In D511#10419, @erik wrote:

All tested, here is a list of possible differences from the test plan expectations.

Part 2.7 confirm you stayed on the admin1-https.test.domain.com domain and http:// protocol - NO, STAYED ON same domain/protocol test.domain.com

This was the copy/paste error in the test plan. Updated test plan.

Part 2.11 confirm that you see the login screen YES, BUT after immediate auto redirect (code 302) to the base domain/protocol test.domain.com

This happens because the Redirect to HTTP when SSL is not required system setting is enabled. Either behavior is acceptable. Updated test plan.

Part 3.1 open the Admin Console login screen using admin1-https.test.domain.com and https:// protocol - IMPOSSIBLE due to auto-redirect (code 302) to the base domain/protocol test.domain.com
Part 3.3
confirm, that:
you're stayed on the same protocol - YES, but it is base domain/protocol test.domain.com
you're seeing an Admin Console login screen - NO, I see adm.console configuration section
(would only work if you've enabled Memcache support) you redirected to the admin2-https.test.domain.com domain and stayed on the https:// protocol - NO, it is base domain/protocol test.domain.com (Memcache support enabled)
Part 4.1 - open the sd1-https.test.domain.com using https:// protocol - WARNING - auto-redirect happens to sd1-http.test.domain.com
Part 7.9 - IMPOSSIBLE due to auto-redirect to the base domain/protocol test.domain.com
Part 8.8 - YES, but there happened auto-redirect to base domain/protocol test.domain.com

This happens because the Redirect to HTTP when SSL is not required system setting is enabled. Updated test plan.

alex requested review of this revision.Mon, Mar 10, 5:36 AM

Updated test plan. Please retest.

erik accepted this revision.Mon, Mar 10, 6:38 AM
This revision is now accepted and ready to land.Mon, Mar 10, 6:38 AM