I've got a client site hosted on PagodaBox (Laravel 4) and it is serving HTTPS requests with a certificate warning. The client's internal applications expect any HTTPS traffic to fail on the web host and follow through to their internal gateway.
Is it possible to disallow all HTTPS requests from within an .htaccess file? Redirecting will not work in this case. We cannot modify httpd.conf, so it looks like .htaccess is the only option.
So far I've tried this, and the site will still accept HTTPS requests:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTPS} off
This will never work. The SSL connection has to be established FIRST, before the HTTP layer is ever processed. That means your users will STILL get a certificate warning, and then get redirected.
In real world terms, you've got a box giftwrapped with razor wire. They have to get through the razor wire (your cert warnings) so they can see that box contains a note saying "present is under bed".
Your rewrite is basically saying "If https is off, then do nothing". You have no RewriteRule, which is where the actual rewriting occurs. And since on an SSL-enabled site HTTPS would never be off, the RewriteCond would never match to start with.
You can't redirect from an SSL connection which has no valid certificate. The redirect only comes after the page where the user accepts the untrusted certificate.
Without accepting the untrusted certificate you have no valid connection.
We have a client that hosts their IIS web server on AWS. When navigating to a particular PHP web application on this server, it works when there is a slash on the end, but not when it is absent.
this works:
https://example.com.au/application/
However, if one were to enter this into the address bar:
https://example.com.au/application
it redirects to the equivalent http address with a slash on the end:
http://example.com.au/application/
http is disabled via the firewall, so the result is an error.
Here are the request details from the Chrome debugger:
So my question is, what does my client need to check to ensure this redirect does not occur? or that instead of redirecting to HTTP, it redirects to HTTPS?
Additional info:
This same issue does not seem to occur with .NET web applications. Eg 'https://example.com.au/dotnetapp' will not redirect to 'http://example.com.au/dotnetapp/'.
There are no rules configured in "URL rewrite"
IIS logs show requests when the HTTPS url is triggered, but not the HTTP one.
Edit: This seems to be due to browser caching. After disabling browser caching, I can see the 301 entry in the log files.
'index.php' is set as a default document
One possible reason is that the PHP project doesn't know that the secure connection is active and so it's redirecting the page to the http version when adding the slash.
A PHP application can detect a secure connection via $_SERVER['SERVER_PORT'] or $_SERVER['REQUEST_SCHEME']. But if the application is behind a reverse proxy (e.g. Varnish or Amazon's Elastic Load Balancer), the connection to the PHP application itself is probably not secured. PHP should be informed about the original secure connection with X-Forwarded-* headers.
Please check whether PHP has these variables set:
$_SERVER['HTTP_X_FORWARDED_PROTO']: should be https,
$_SERVER['HTTP_X_FORWARDED_PORT']: should be 443.
Symfony framework
If the application is using the framework, e.g. Symfony, it should be configured to trust the IP of the reverse proxy and to trust also these headers:
# config/packages/framework.yaml
framework:
    # ...
    # the IP address (or range) of your proxy
    trusted_proxies: '192.0.0.1,10.0.0.0/8'
    # trust *all* "X-Forwarded-*" headers
    trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port']
    # or, if your proxy instead uses the "Forwarded" header, use this instead
    # (a YAML mapping cannot carry the same key twice):
    # trusted_headers: ['forwarded']
See https://symfony.com/doc/current/deployment/proxies.html for more details and https://symfony.com/doc/current/deployment/proxies.html#but-what-if-the-ip-of-my-reverse-proxy-changes-constantly for more details if the IP address of the reverse proxy server changes.
Looks like you are setting location header in the 'index.php' file and so browser is redirecting to the http url.
If index.php has code like the one below, replace http with https and use the correct URL:
header("location:http://example.com.au/application/");
Updated :
Also check your folder to see whether any other files are redirecting.
Please make sure index.php is listed first in the default document list and that none of the other files contain redirect code.
You can search for meta http-equiv="refresh" tags in all the files in the folder to see whether they are redirecting.
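As an added example (not code from either answer above), here is how a PHP front controller can work out the scheme the client actually used and build the trailing-slash redirect with it instead of a hard-coded http://. It trusts X-Forwarded-Proto only when the request came from a listed proxy address, because any client can send that header; the proxy range 10.0.0.0/8, the sample $_SERVER values and the function names are constructed for the demonstration.

```php
<?php
// Added example: decide the request scheme behind a TLS-terminating reverse
// proxy, trusting X-Forwarded-* only when REMOTE_ADDR is a listed proxy.

/**
 * True if $ip lies inside $cidr ("10.0.0.0/8", "192.0.2.1" or "192.0.2.1/32").
 * IPv4 only, which is enough for the private ranges used here.
 */
function ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/**
 * Scheme the *client* used. $server is shaped like $_SERVER; $trustedProxies
 * lists the addresses allowed to set X-Forwarded-* (hypothetical values).
 */
function request_scheme(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $fromProxy = false;
    foreach ($trustedProxies as $cidr) {
        if (ip_in_cidr($remote, $cidr)) {
            $fromProxy = true;
            break;
        }
    }

    if ($fromProxy) {
        // Only a trusted proxy may report the original scheme. An untrusted
        // client could otherwise forge "X-Forwarded-Proto: https" and make
        // the app emit https links (or mark cookies Secure) over plaintext.
        $proto = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
        if ($proto === 'https') {
            return 'https';
        }
        if ($proto === 'http') {
            return 'http';
        }
        if (($server['HTTP_X_FORWARDED_PORT'] ?? '') === '443') {
            return 'https';
        }
    }

    // Fall back to what the local connection says.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return 'https';
    }
    return (($server['SERVER_PORT'] ?? '') === '443') ? 'https' : 'http';
}

/**
 * Trailing-slash redirect target using the detected scheme, or null when the
 * path already ends in a slash. HTTP_HOST is client-supplied; a fixed
 * canonical host is safer in production.
 */
function trailing_slash_redirect(array $server, array $trustedProxies): ?string
{
    $path = parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    if (substr($path, -1) === '/') {
        return null;
    }
    $query = $server['QUERY_STRING'] ?? '';
    $host = $server['HTTP_HOST'] ?? 'localhost';
    return request_scheme($server, $trustedProxies) . '://' . $host . $path . '/'
        . ($query !== '' ? '?' . $query : '');
}

// Constructed sample: the request reaches PHP from a load balancer at 10.0.0.5
// over plain HTTP, but the client originally spoke HTTPS.
$sample = [
    'REMOTE_ADDR'            => '10.0.0.5',
    'HTTP_HOST'              => 'example.com.au',
    'REQUEST_URI'            => '/application?x=1',
    'QUERY_STRING'           => 'x=1',
    'SERVER_PORT'            => '80',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_X_FORWARDED_PORT'  => '443',
];
$trusted = ['10.0.0.0/8']; // hypothetical proxy range

echo trailing_slash_redirect($sample, $trusted), "\n";

// The same headers from an address outside the proxy range are ignored.
$spoof = $sample;
$spoof['REMOTE_ADDR'] = '203.0.113.9';
echo trailing_slash_redirect($spoof, $trusted), "\n";
```

Run from the command line, the first call yields an https:// target for example.com.au/application/ with the query string preserved, while the spoofed request falls back to http:// because the forwarded headers are not trusted. In the real index.php the returned target would be passed to header('Location: ...', true, 301) followed by exit.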
How do I definitively and totally stop WordPress from rewriting all URLs from HTTP to HTTPS?
I need to set it up on a testing server and run there without an SSL certificate on an internal-only server so I can test PHP 7.2 which is breaking my live WP site with my plugin mix.
I have got a copy of the site on a different server but I simply cannot get it to STOP using HTTPS on every single link – it currently fails to load as it keeps requesting HTTPS but there is no certificate or set up loaded on the testing server to use HTTPS and apache isn't even listening on port 443 on that testing server.
Already changed WP_HOME and WP_SITEURL in wp-config.php to refer to HTTP, and used the test server's IP instead of the site domain name. Also put in
define('FORCE_SSL_ADMIN', false);
define('FORCE_SSL', false);
Dumped the DB to disc, truncated the live tables, then text-replaced all https://domainname.com occurrences with http://192.168.0.1 (for example) in the dumpfile, and reloaded every table's data back into it to get rid of ALL references to "https" in any URLs in the DB.
Put this in my .htaccess (which DOES get parsed, as I can crash the testing server's httpd by putting crud into it):
.
.
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
.
.
So:
The .htaccess deliberately rewrites any requests to port 443 or HTTPS to HTTP.
There is an index.htm and index.html that specify 192.168.0.1/index.php in the /var/www/html folder via meta refresh tags.
The wp-config specifies "http://192.168.0.1" for WP_HOME and WP_SITEURL, and FORCE_SSL_* are set to "false".
But still, referencing in a browser
http://192.168.0.1 or http://192.168.0.1/index.php
always results in
https://192.168.0.1
being rewritten in the browser address bar and then the browser just stops and reports the page as unreachable. Have cleared cache and can insert arbitrary "die(..." commands and see them render if I CTRL F5, so the browser cache is not a factor.
All I want to do is test if PHP 7.2 will break my site – on a testing server without HTTPS.
What is there besides .htaccess, wp-config.php and the associated MySQL database that still forces WP to HTTPS instead of HTTP when directly referencing in a web browser the testing server’s 192.168.0.1 IP?
I just need WP to -actually- use
http://192.168.0.1
and stick with that instead of each time making it https://192.168.0.1
Expected result is to not see URL rewriting in WordPress from http:// to https:// in the browser address bar on the testing server.
Stefan
Ok found the solution (at least partially) to this.
Had a plugin called "Really Simple SSL" loaded. Manually disabled this, and now the site is at least partially loading. Still have severe errors and mangled URLs that don't work, but at least it is not each time jumping into HTTPS.
Thanks for the replies!
Stefan
I have hosted an ecommerce website with the OpenCart script at www.medicosales.in
I am facing some errors.
The website, when opened by typing medicosales.in, is NOT automatically resolving to https://, whereas on SSL-secured sites I have seen, just typing yourdomain.com automatically takes you to https://.
It's showing this message
How to solve it?
You should set up your .htaccess file if you're using Apache (or the equivalent if you're using another web server) to rewrite your URLs to include https:// if they do not already. This will force the user's browser to access the site via the correct protocol.
For Apache place the following code into the top of your .htaccess file in your document root for the site ensuring mod_rewrite is enabled.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Whenever you load a resource externally e.g. via something like <img src="http://example.com/myimage.jpg" ... you must ensure that the protocol is HTTPS also otherwise your browser will give you that message since the resource was not loaded securely.
The way to fix this is to ensure that all externally linked resources have their URLs prefixed with // and not http://. This way the browser will use the current protocol to fetch the resource.
Thanks #davidgiga1993 for pointing out // rather than using https://
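As an added example (not code from the answer above), a small PHP scan that lists the sub-resources a page loads over plain http:// together with the https:// form they should be given; the sample HTML and the function name are constructed for the demonstration. Plain <a href> links are deliberately not reported, since navigation links do not trigger the mixed-content warning; loaded resources and form targets do. The fix column uses an explicit https:// prefix rather than //, which works whether or not the referencing page is itself served over HTTPS, provided the resource host serves HTTPS.

```php
<?php
// Added example: find http:// sub-resource references that cause a mixed
// content warning on an HTTPS page.

/**
 * Return one entry per insecure reference: tag, attribute, url, and the
 * https:// rewrite. Only tags that load or submit something are checked.
 */
function find_insecure_resources(string $html): array
{
    $pattern = '/<(img|script|link|iframe|form|source|video|audio)\b[^>]*?'
             . '\b(src|href|action)\s*=\s*([\'"])(http:\/\/[^\'"]+)\3/i';
    $found = [];
    if (preg_match_all($pattern, $html, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            $found[] = [
                'tag'       => strtolower($m[1]),
                'attribute' => strtolower($m[2]),
                'url'       => $m[4],
                'fix'       => 'https://' . substr($m[4], strlen('http://')),
            ];
        }
    }
    return $found;
}

// Constructed sample page: two insecure loads, one insecure form target,
// one already-secure script and one navigation link that is fine.
$html = <<<HTML
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://example.com/myimage.jpg" alt="">
<a href="http://example.com/about">About</a>
<form action="http://example.com/login" method="post"></form>
</body></html>
HTML;

foreach (find_insecure_resources($html) as $r) {
    printf("%-6s %-6s %s -> %s\n", $r['tag'], $r['attribute'], $r['url'], $r['fix']);
}
```

For a whole site, feed each template or rendered page through find_insecure_resources() and treat any non-empty result as a build failure; the regex is intentionally conservative (quoted attribute values only) so it may miss unquoted attributes, which a DOM-based pass would catch.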
It is not automatic. You need to send a 302/301 redirect back to the user pointing to the https URL.
So I want to force the user to access the https version of my page rather than the http. And according to this post all I have to do is this:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]
But MY site resides in a folder within the main directory, so it's at www.domain.com/Folder. So should this .htaccess code go in the main directory or in the subdirectory? Because I do not want to change the way they access the main site, only the folder.
This is a not-so-good method of going about this, especially if you have access to httpd.conf. The better method is to create TWO virtual hosts. One for your standard port 80 stuff, which simply has an unconditional redirect to the SSL version, e.g. in pseudo-ish .conf talk:
<VirtualHost *:80>
    ServerName example.com
    # Unconditional redirect of every path. The trailing slash on the target
    # matters: without it, a request for /foo would be sent to
    # https://example.comfoo because Redirect does a prefix substitution.
    Redirect permanent / https://example.com/
    DocumentRoot /some/fake/path
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile point at your certificate and key
    # normal site stuff here...
</VirtualHost>
This has the advantage of leaving the redirect viable even if a config messup disables .htaccess files, plus serving up bogus/non-existent content if SSL dies for whatever reason.
You can leave it in the root directory but change it to:
RewriteRule ^(your-directory/.*)$ https://www.yourdomain.com/$1 [R,L]
Keep in mind, though, that before the redirect happens, the cookies and query parameters (possibly with sensitive data) have already been sent in clear text, so remember to use the Secure cookie attribute if you use cookies.
Your site can be vulnerable if you're redirecting from http to https. Take a look at this for some more information on that.
http://www.thoughtcrime.org/software/sslstrip/
seems silly to "force ssl" till they fix the big gaping security hole it opens up in browsers in the name of "site verification"
this has no real basis and there is potential for abuse by a rogue CA, rogue state, or corruption.
(and the "verification" is useless anyway not being based on user wishes not anyone actually looking at the sites - there are plenty of phishing sites out there with "valid" certificates!)
there is way too much misinformation being bandied around about SSL
you get the same encryption with a self-signed certificate but browsers tell users your site is "untrusted" (with of course no basis - "not checked" or "not verifiable" would be what any warning should actually say - warnings need to be informative, not something that just scares users so much most of them just close them without even reading the rest of the warning!)
until this is fixed in browsers I cannot recommend the use of SSL at all in a web site context.
meanwhile all I can recommend to forget port 443 and implement your own encryption layer (or use something like ssh if it doesn't need to be a browser)
My server provides SSL connections via https, although the certificate costs extra...
Is there anything that needs to be changed in the PHP code to utilize this protocol?
My site has:
AJAX forms via POST
regular forms and pages using POST and GET parameters
Session variables
You should be good to go. PHP does not impact the use of SSL or not.
Things you should check are:
Are all URLs in your application relative (no http://)?
Are assets (CSS/JS/IMG) used on your site (from both internal and external sources) also relative paths or prefixed with https://?
If an asset is loaded without https:// on an SSL-powered site, browsers will warn your visitors that something isn't right.
you can use the server .htaccess file to redirect all your links. So when the standard page is opened via say a link the server redirects to the https version...
# Permanently redirect ALL old pages to HTTPS:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Other than any hard-coded URLs, no, your code shouldn't know about the difference, nor care.
I'd have to say the same as mvbrakel, but as far as session cookies/cookies go, you will want to turn on the HTTPS-only flag only if you are using HTTPS on ALL your pages.
Also, with HttpOnly added to cookies, JS scripts won't be able to read their values and such.
The code does not need to be changed, other than to change all links from http:// to https:// (seriously, don't forget that, else you aren't using SSL...)
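As an added example serving the cookie remarks in the answers above (the Secure attribute after an HTTP-to-HTTPS redirect, and HttpOnly), this is PHP code written for this page, not taken from any answer: it refuses to mint a session cookie on a plaintext request and sets the cookie attributes before session_start(). CANONICAL_HOST, the function names and the sample requests are constructed for the demonstration; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example: session cookie hardening for a site served entirely over HTTPS.
// CANONICAL_HOST is a hypothetical constant; use the site's real host rather
// than echoing the Host header, which the client controls.
const CANONICAL_HOST = 'www.example.com';

function is_https(array $server): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    return ($https !== '' && $https !== 'off') || ($server['SERVER_PORT'] ?? '') === '443';
}

/** Cookie parameters to apply before session_start(). */
function session_cookie_params_for(array $server): array
{
    return [
        'lifetime' => 0,                 // dropped when the browser closes
        'path'     => '/',
        'domain'   => '',                // host-only cookie
        'secure'   => is_https($server), // never sent on a plaintext request
        'httponly' => true,              // invisible to document.cookie
        'samesite' => 'Lax',             // not sent on cross-site POSTs
    ];
}

/**
 * HTTPS URL to redirect to when the request is plaintext, or null when the
 * request is already on HTTPS and the session may start.
 */
function https_redirect_target(array $server): ?string
{
    if (is_https($server)) {
        return null;
    }
    return 'https://' . CANONICAL_HOST . ($server['REQUEST_URI'] ?? '/');
}

function start_secure_session(array $server): bool
{
    $target = https_redirect_target($server);
    if ($target !== null) {
        // Whatever cookies and query parameters rode on this plaintext request
        // have already crossed the wire; at least do not issue a session on it.
        header('Location: ' . $target, true, 301);
        return false;
    }
    session_set_cookie_params(session_cookie_params_for($server));
    ini_set('session.use_only_cookies', '1'); // no session id in the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    ini_set('session.cookie_secure', '1');
    return session_start();
}

// Constructed requests for a quick check from the command line.
$plain = ['HTTPS' => 'off', 'SERVER_PORT' => '80',  'REQUEST_URI' => '/cart?item=3'];
$tls   = ['HTTPS' => 'on',  'SERVER_PORT' => '443', 'REQUEST_URI' => '/cart?item=3'];

var_dump(https_redirect_target($plain)); // a redirect is required
var_dump(https_redirect_target($tls));   // null: the session may start
print_r(session_cookie_params_for($tls));
```

In a real front controller you would call start_secure_session($_SERVER) and exit when it returns false; the redirect and the .htaccess rules elsewhere on this page overlap on purpose, since the PHP check still holds if the rewrite rules are ever dropped.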