I have a codeigniter project. Recently I deployed it with SSL. And I forced my site to use Https from http by modifying in .htaccess and changed baseurl too. The problem is I have a registration and login form . When changed from http to Https the form doesn't submits and the entry in dB is also not made...,any thing till I wanna change?
Make sure the value of base_url in config.php uses https, i.e.
$config['base_url'] = "https://example.com/";
Usually it because the html try to load non https sources.
You can see the blocked requests on chrome console.
Make sure all your sources (css, js, fonts) are loading with relative urls, anr\or change hard-coded and external links to https
Related
We have a client that hosts their IIS web server on AWS. When navigating to a particular PHP web application on this server, it works when there is a slash on the end, but not when it is absent.
this works:
https://example.com.au/application/
However, if one were to enter this into the address bar:
https://example.com.au/application
it redirects to the equivalent http address with a slash on the end:
http://example.com.au/application/
http is disabled via the firewall, so the result is an error.
Here is the request details in Chrome debugger
So my question is, what does my client need to check to ensure this redirect does not occur? or that instead of redirecting to HTTP, it redirects to HTTPS?
Additional info:
This same issue does not seem to occur with .NET web applications. Eg 'https://example.com.au/dotnetapp' will not redirect to 'http://example.com.au/dotnetapp/'.
There are no rules configured in "URL rewrite"
IIS logs show requests when the HTTPS url is triggered, but not the HTTP one.
Edit: This seems to be due to browser caching. After disabling browser caching, i can see the 301 entry in the log files.
'index.php' is set as a default document
One possible reason is that the PHP project doesn't know that the secure connection is active and so it's redirecting the page to the http version when adding the slash.
PHP application can detect the secure connection by the $_SERVER['SERVER_PORT'], $_SERVER['REQUEST_SCHEME']. But if the application is behind some reverse proxy (e.g. Varnish or Amazon’s Elastic Load Balancer), the connection to the PHP application is probably not secured. PHP should be informed about the original secure connection with X-Forwarded-* headers.
Please check if the PHP has these variables set:
$_SERVER['HTTP_X_FORWARDED_PROTO']: should be https,
$_SERVER['HTTP_X_FORWARDED_PORT']: should be 443.
Symfony framework
If the application is using the framework, e.g. Symfony, it should be configured to trust the IP of the reverse proxy and to trust also these headers:
# config/packages/framework.yaml
framework:
# ...
# the IP address (or range) of your proxy
trusted_proxies: '192.0.0.1,10.0.0.0/8'
# trust *all* "X-Forwarded-*" headers
trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port']
# or, if your proxy instead uses the "Forwarded" header
trusted_headers: ['forwarded']
See https://symfony.com/doc/current/deployment/proxies.html for more details and https://symfony.com/doc/current/deployment/proxies.html#but-what-if-the-ip-of-my-reverse-proxy-changes-constantly for more detaiils if the IP address of reverse proxy server changes.
Looks like you are setting location header in the 'index.php' file and so browser is redirecting to the http url.
If the index.php has code like below, replace the http to https and to the correct URL
header("location:http://example.com.au/application/");
Updated :
Also check your folder to see if any other files are redirecting.
Please make sure the index.php is listed as the first in the default document list and none of the other files contain redirect code.
You can search for "meta http-equiv="refresh" http tags in all the files in folder to see if they are redirecting.
I am facing Mixed content warning when i am trying to load files from http to https.
But now i am planning to move my site from http to https.
I need to know whether files will be loaded from
https -> https
https > http
without any issues.
Thank you.
Short version: YES, you will still face mixed content if the below cases are not treated, even after migration to https.
If you're migrating your website from http to https these are the two cases you need to consider that would still result in mixed content warning :
Your website is on https but you still have absolute paths starting with http:// in the source code ; you need to change them in the code
Your website contains URLs to external resources ( again absolute urls ) and they start with http:// ; in this case you need to check if the 3rd party serves content on https then change the URL accordingly; if not, you could just remove the http:// urls to get rid of the warning ( or make a copy of the resources locally and serve them on https )
Just add the 2 script versions one with http in from and one with https just make sure the https files support https or it won't work still! Or if there on your system just add /file path and if not you can try to have files be //external file path don't add https or http in them!
My server provides SSL connections via https, although the certificate costs extra...
Is there anything that needs to be changed in the PHP code to utilize this protocol?
My site has:
ajax forms via POST
regular forms and pages using POST and GET parameters
Session variables
You should be good to go. PHP does not impact the use of SSL or not.
Things you should check are:
Are all URLS in you application relative (no http://)
Are assets (CSS/JS/IMG) used in your site (both from internal and external sources) also as relative paths or prefixed with https://
Having an asset without https:// in a SSL powered site, the browsers will warn you visitors that something ain't right.
you can use the server .htaccess file to redirect all your links. So when the standard page is opened via say a link the server redirects to the https version...
# Permanent reirect ALL old pages to HTTPS:
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Other than any hard-coded URLs, no, your code shouldn't know about the difference, nor care.
I'd have to say the same as mvbrakel, but as far as session cookies/cookies you will want to turn on HTTPS only if you are using https on ALL your pages.
Also adding HTTP only to cookies, js scripts won't be able to check value and such.
The code does not need to be changed, other than to change all links from http:// to https:// (seriously, don't forget that, else you aren't using SSL...)
The application I'm working on has rewrite rules in place to ensure that the user is always on https. In my fb application settings, I can define both the secure and nonsecure canvas page to use https (so no redirection will occur) but I cannot do the same on a tab page of the application. FB uses whatever protocol the user is running on as far as I can tell.
Because of this, when a user hits the application via http, mod_rewrite redirects the user to the https version. Redirects don't pass along form data. There was a thread I found that discussed using a proxy redirect but that doesn't seem to be working.
Is there some configuration setting I could use to turn my signed_request $_POST into a $_GET? Alternatively is there some api call I could make to get the signed_request? The facebook->getSignedRequest() simply looks in the $_REQUEST which due to the redirect contains no post data.
I'd do the redirect in PHP (using $_SERVER['HTTPS']) rather than via .htaccess, and do it after first saving the signed request data to the user's session.
I have the same problem here. When I visit the tab using HTTPS I get the signed_request just fine because there's not redirect happening.
I run another Facebook app on the same server and it uses an htaccess file to make sure the files are served over HTTPS. So, What I ended up doing was making sure that the sub folder I'm working in is excluded from the rewrite. Like so:
RewriteCond %{THE_REQUEST} !/my-app-folder
Then, in my PHP I do a check to see if the referer is HTTP. If it is not, I change the header to an HTTPS version of my app. Like so:
$referer = $_SERVER['HTTP_REFERER'];
if (substr($referer,0,5) != 'https') {
header("Location: https://www.facebook.com/myapp?sk=app_xxxxxxxxxxxxxx");
}
This is probably not fool proof, but once I click that like button, I definitely get the results I need. I tested this in the dreaded IE as well and it appears to be working there too.
Some browsers do redirect your request to https automatically if you have been on this particular site on https so if you are in http mode on facebook there is situation:
facebook requests http version of your app, browser redirect this request of facebook to https and POST data and thus signer_request are gone in this process...
i see this problem in chrome 23, if you delete browsing data (particulary "Deauthorize content licenses") app should run back on http
Ok here's my issue I have a file that is delivered through https, all the files on my server have a common header.php file that is included within files. In the header file i have all my stylesheets etc called from my cdn folder. http://cdn.domain.com since they are called http in my https file (via header.php) it doesnt transmit fully in https.
Is there a way to have htaccess make all transactions on a https page via https even if it is trying to get the http version ? Or is my best bet to coding it in the PHP?
Thanks
This isn't really a server configuration issue. What you need to do is ensure that the server is returning "https" for the location of all of your external resources (css, javascript & images).
Your best bet with a common header file is to use relative urls (no http(s)://example.com/) and let the browser determine the protocol that should be used.
If the css et al are on a different domain, then I'd just detect the protocol being used and massage the protocol in your html before returning it to the user.
Or you can just use HTTPS everywhere ;0)
Just remove http: from all your URL's. It will use http or https depending on what protocol the webpage is using.