I am developing an ecommerce application using PHP. All the pages were accessed through HTTPS, while some of the pages are accessed through HTTP like home page, category listing and product listing. I have used htaccess code for redirection. But in HTTPS pages it shows shield symbol in the address bar and denotes that a web page is partially encrypted. Kindly advice me to resolve.
Htaccess code
########### Load Home, Category, Products and Product Detail page with HTTP ##########
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} index\.php|category|product
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
########### Load other than Home, Category, Products and Product Detail page with HTTPS ##########
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !(index\.php|category|product)
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
this is usually caused by having images/javascript/css being served from non-secure places.
The easiest way to fix this is to change all of URLs to relative URLs or remove the scheme...
Good:
<img src="/images/logo.png">
<img src="./images/logo.png">
<img src="//example.com/images/logo.png">
Bad:
<img src="http://example.com/images/logo.png">
<img src="https://example.com/images/logo.png">
Serving any content from a regular "http" URL in a "https" page will always trigger a partially secure warning.
Note:
There are other possible causes for a partially secure page, but this is usually the reason. Beyond that, you can see specifically what is making your page secure by clicking the lock icon near or in the address bar
Related
I am trying to redirect my site to always open in HTTPS. I am using CloudFlare and they have a setting to "Always use HTTPS". But there is a page on my website where I do not want to use HTTPS as it opens other websites under an iFrame. And if that page also loads in HTTPS then under iFrame any website whose URL hasn't been mentioned with HTTPS doesn't open. Therefore, for that particular page I want to keep the website to be opened under HTTP.
Things I am doing:
In CloudFlare Crypto settings "Always Use HTTPS" is ON.
Then in my page where I want it to opened under HTTP say surf.php
I am using the following PHP code:
if($_SERVER['HTTP_HOST'] != 'localhost'){
if(isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'on'){
if(!headers_sent()){
header("Status: 301 Moved Permanently");
header(sprintf('Location: http://%s%s',$_SERVER['HTTP_HOST'],$_SERVER['REQUEST_URI']));
exit();
}
}
}
Now the page doesn't open and says "The page isn’t redirecting properly". What should I do? Is there any other method to accomplish this? I want to use HTTPS in whole website so "Always use HTTPS" settings in cloudflare should be ON except just surf.php. What should be the best method here?
It sounds like you are in a redirect loop. Where you have a .htaccess file that forces HTTPS, and then you redirect to HTTP using PHP. Then that new request has all the same rules applied to it so that it gets redirected by .htaccess again to HTTPS, and so on (to infinity)
So I would first make sure your not forcing HTTPS in your .htaccess file. If so you can add a RewriteCond to exclude your URL:
#RewriteEngine On #-- if not included elsewhere
#if HTTPS is not on (then continue)
RewriteCond %{HTTPS} !=on
#add this rule in (if not our page, then redirect to HTTPS)
RewriteCond %{REQUEST_URI} !^/surf\.php$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
When mod rewrite hits a Rewrite condition if it fails (is false) it will disregard the next rewrite rule. So with this in place your PHP code could do it's job, but you can also do this in htaccess alone. Because you will have dependence on the URL in there anyway, I don't see an issue doing it all in the .htaccess file.
This would basically be the opposite of the above except you know the url. Something like this:
#if HTTPS is not on (then continue)
RewriteCond %{HTTPS} !=on
#add this rule in (if not our page, then redirect to HTTPS)
RewriteCond %{REQUEST_URI} !^/surf\.php$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#if HTTPS is not off (then continue)
RewriteCond %{HTTPS}!=off
# (if is our page, then redirect to HTTP)
RewriteCond %{REQUEST_URI} ^/surf\.php$
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
I can't really test this though, but that's the general idea. If HTTPS is no off, and the %{REQUEST_URI} is our page !^/surf.php$ redirect to HTTP... Basically you have to punch a hole through the HTTPS rule and then force http.
I am pretty sure with %{REQUEST_URI} you only have to check if it starts with your URL (minus the host and protocal).
I'll admit I'm a bit rusty with complex HTACCESS rules, spoiled by MVC routers, so this may very well not be 100% correct. But the general idea is sound.
Anyway hope it helps.
I am trying to force https only on one page of a yii framework website, and let the rest of the pages be http. The page that would be forced https is
https://www.mywebsite.com/index.php?r=user/profile
The following creates what I desire, but with a mixed content error. Furthermore, when I go from the mixed content tab to any other tab, it doesn't automatically become http. It takes the movement to one more tab to reach http status.
RewriteEngine On
# Go to https
RewriteCond %{HTTPS} off
RewriteCond %{QUERY_STRING} ^r=user/profile$ [NC]
RewriteRule ^(index\.php)$ https://www.mywebsite.com/$1 [R,L]
# Go to http
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_REFERER} !/index\.php\?r=user/profile
RewriteCond %{REQUEST_URI} !^/index\.php$ [OR]
RewriteCond %{QUERY_STRING} !^r=user/profile$ [NC]
RewriteRule ^(.*)$ http://www.mywebsite.com/$1 [R,L]
The mixed content error is as follows.
Mixed Content: The page at 'https://www.mywebsite.com/index.php? r=user/profile' was loaded over HTTPS, but requested an insecure image 'http://www.mywebsite.com/assets/7a295fc1/nav1_bg.gif'. This content should also be served over HTTPS.
As it can be seen, the assets under yii framework is the only folder causing problem.
1.Is there a way to request the files used from assets in a https fashion so I don't get a mixed content error?
2.Is there a way to ensure that moving from the https tab to any other tab causes immediate http conversion, instead of requiring the movement to one another tab. (i.e. Profile page(https) to Home page causes a Home page with (https). Movement from the home page to any page other than the profile page becomes (http). I would like it to happen immediately.
The problem is you cant make a http request for any static or dynamic files from an https connection.
The best solution is to Move entire thing in https.
If it is not possible then one other solution would be like this - make a proxy page. that would be receiving https request and fetch the content over http and serve it via https.
We have a section of our site which uses https to login securely, however when you visit this page and click away, you continue to view the site in HTTPS. This causes display issues on any pages using the http://www.domain.com/news/ URL.
How can we force all pages under the http://www.domain.com/news/ folder to use HTTP rather than HTTPS?
It's the opposite of requiring https, so with the condition of https on, rewrite this specific dir with deeper path to the http version.
RewriteEngine on
RewriteCond %{HTTPS} on
RewriteRule ^news/(.*) http://%{SERVER_NAME}/news/$1 [L]
Instead of SERVER_NAME, you can use HTTP_HOST when your site is accessed with a server-alias and you don't want to change that.
Be aware that links to https-requiring pages should be use https explicitly, or have a rewrite-rule of their own.
Place this 301 redirect rule in /news/.htaccess:
RewriteEngine on
RewriteBase /news/
RewriteCond %{HTTPS} on
RewriteRule ^ http://%{HTTP_HOST}/%{REQUEST_URI} [L,R=301,NE]
Just installed an SSL for my website and I'm facing 2 issues:
1- https:// isn't added by default, am I supposed to redirect to https:// with .htaccess or did I mess something up during instalaltion
2- I get this message "Your connection to www.MYWEBSITE.com is encrypted using 128-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit....", I check the console for the error logs, all of it is errors from me linking images from my subdomain, my image folder, and an IMGUR image.
Eg: The page at https://www.website.com/forums/ displayed insecure content from http://www.website.com/forums/images/theme/buttons/collapse_thead.gif.
What should I do?
Change the image URL from http to https
This is little tricky. Approach should be:
Check if REFERRER page is using htts://
If yes then redirect http to https for all image, js, css files
Based on above approach following mod_rewrite rules should work:
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^https:// [NC]
RewriteRule \.(jpe?g|gif|bmp|png|css|js)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NC]
It is probably your application generating URLs to the images without HTTPS.
Have a look here how to rewrite all requests to HTTPS: Need to redirect all traffic to https
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
I want to run few pages on https while all others pages run on http
I wrote below code in .htaccess and on config.inc.php file
.htaccess
RewriteEngine on
Options +FollowSymLinks
RewriteBase /
RewriteRule ^login/?$ login.php [NC]
# Rewrite non www to www.charityrummage.com
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
# Rewrite to https
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} /login [OR]
RewriteCond %{REQUEST_URI} /do_login.php [OR]
RewriteCond %{REQUEST_URI} /payment/?.*$
RewriteRule ^(.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA]
# traffic to http://, except login.php and payment.php
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !(/login|/do_login.php|/payment)
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA]
also made some changes in config.inc.php which is required and first file of the website
config.inc.php
$ssl_page = array('login.php','do_login.php','payment.php');
// Note: do_login.php is intermediate page
if(in_array(trim($_SERVER['SCRIPT_NAME'],'/'),$ssl_page)){
define('PROTOCOL','https://');
}else{
define('PROTOCOL','http://');
}
define('DS','/');
define('URL',PROTOCOL.$_SERVER['HTTP_HOST'].DS);
// based on URL i made CSS and JS Path
here is the website link :
http://www.charityrummage.com.
login page is ssl enabled :
https://www.charityrummage.com/login
BUT
when I run the website, it gives different errors on different browsers and its really annoying. below are the error description on different browsers
IE8
it always prompt for security error and
if i click on Yes then display everything fine except left panel
if i click on NO then certificate error near web address but website works fine.
Chrome ( v :20.0.1132.8 )
display multiple warning about css and js ( see in console ) in below format:
The page at https://www.charityrummage.com/login ran insecure content
from http://www.charityrummage.com/css/reset.css
but if you view source of login page then you can see that every
css and js running with https://
Firefox (v 16.0)
it display lock sign ( secure ) just for few seconds and then gone away
( i m surprised it never prompt security alert for https )
but when we go with page info -> media then many of images are coming from http://
Will you please examine and tell me what is exact problem?
One more thing i want to know.
if https:// pages are not displaying properly then which one is responsible
Operating system OR
Browser OR
server OR
Programming issue OR
SSL certificate issue
and at the end what is the solution of this problem?
Thanks
Try with this rule:
# Force files ending in X to use same protocol as initial request
RewriteRule \.(gif|jpe?g|png|ico|css|js)$ - [S=1]
or this one:
# don't do anything for images/css/js (leave protocol as is)
RewriteRule \.(gif|jpe?g|png|ico|css|js)$ - [NC,L]
Before the # traffic to http://
I got round this problem before by setting the base href on the page like so
<base href="<?php echo HTTPS_BASE_REF; ?>"></base>
This meant that all links derived from this and resolved correctly.
The constant of HTTPS_BASE_REF was set in my config.inc.php file.