Disabling access via HTTPS - php

I currently have a website that allows users to create profiles and add their own custom domains, effectively masking their domains.
I've just enabled HTTPS on my main domain and now when I'm accessing their full domains (theirdomain.com) through HTTPS, it says: The identity of this website has not been verified. Server's certificate does not match the URL.
When I check $_SERVER['HTTPS'] to see if HTTPS is on, it doesn't show that HTTPS is on, which is correct because HTTPS isn't working, although the URL has been accessed through HTTPS.
Is it possible to just redirect all HTTPS requests to HTTP for every domain but my own (maindomain.com), either via PHP or .htaccess, or through Apache?

Is it possible to just redirect all HTTPS requests to HTTP for every domain but my own
Try adding this to the .htaccess file in your web document root folder (often public_html or htdocs):
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^(?:www\.)?maindomain\.com$ [NC]
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L,NE]
Once you are satisfied that the redirect works, you can change the 302 to 301 to make it permanent.
This assumes that mod_rewrite is both installed and activated for htaccess files.
If you are not sure whether mod_rewrite is installed, look at the list of installed modules in the output of phpinfo();
By default, mod_rewrite is not enabled for htaccess files. If you are managing your own server, open httpd.conf and make sure that the webroot directory block contains one of these lines: AllowOverride FileInfo or AllowOverride All
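The browser warning quoted in the question arises because the main domain's certificate carries no name covering a customer's domain, and the redirect above leaves those customers on plain HTTP rather than fixing that. As an added example (not from the question or the answer), this Python function reproduces the hostname-against-SAN check a browser performs; the SAN list and hostnames are constructed.

```python
"""Hostname vs. certificate SAN check (added example, not from the original post).

Reproduces the comparison a browser makes before showing 'certificate does not
match the URL': the requested host must equal one dNSName SAN or match a
wildcard SAN. The SAN list and hostnames below are constructed.
"""


def hostname_matches_san(hostname: str, san_dns_names: list[str]) -> bool:
    """RFC 6125-style match: case-insensitive, trailing dot ignored, and a '*'
    is honoured only as the whole left-most label, covering exactly one label
    (so '*.maindomain.com' covers www.maindomain.com but not maindomain.com
    or a.b.maindomain.com). Wildcards with fewer than two further labels
    ('*.com') are rejected, as browsers reject them."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in san_dns_names:
        labels = san.lower().rstrip(".").split(".")
        if "*" not in san:
            if labels == host_labels:
                return True
            continue
        if labels[0] != "*" or len(labels) < 3 or any("*" in lbl for lbl in labels[1:]):
            continue  # '*' anywhere but the first label, or too broad a wildcard
        if len(labels) == len(host_labels) and labels[1:] == host_labels[1:]:
            return True
    return False


# Constructed: what a certificate issued for the asker's main domain would carry.
MAIN_SITE_SANS = ["maindomain.com", "*.maindomain.com"]


def explain(hostname: str, sans: list[str] = MAIN_SITE_SANS) -> str:
    """Verdict mirroring the browser warning quoted in the question."""
    if hostname_matches_san(hostname, sans):
        return f"{hostname}: certificate matches, HTTPS works"
    return f"{hostname}: certificate does not match the URL (SANs: {', '.join(sans)})"


if __name__ == "__main__":
    for h in ("maindomain.com", "www.maindomain.com", "theirdomain.com", "a.b.maindomain.com"):
        print(explain(h))
```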

Related

Mixed content error on my website after redirecting to HTTPS

Recently I have included an SSL certificate for HTTPS redirection for my lightweight e-commerce site. The site is built with an OSCommerce platform and what I need help with is fixing these kinds of errors (on console) appearing throughout the pages: Mixed Content: The page at 'https://voberhaat.com/' was loaded over HTTPS, but requested an insecure stylesheet 'http://voberhaat.com/oc-content/themes/bender/js/jquery-ui/jquery-ui-1.10.2.custom.min.css'. This request has been blocked; the content must be served over HTTPS.
The layout and design of the site are broken after the HTTPS redirection and I am trying to find the files where I can rewrite the HTTPS for the relevant contents it is asking for. In my server if I navigate to the corresponding paths and files, I can't figure out the URL, they don't simply exist there.
Could someone help me out with this?
Have you tried forcing https for your entire site via an .htaccess file?
Try creating an .htaccess file in your main directory and add this code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
First: edit your includes/configure.php
set
define('HTTP_SERVER', 'https://<yoursite>');
define('HTTPS_SERVER', 'https://<yoursite>');
define('ENABLE_SSL', true);
Second:
Check header.php, footer.php, breadcrumbs.php for "http:" links

ttf and woff files are not using the HSTS

In my project, HSTS is enabled, so if someone tries to use the site over HTTP it redirects to HTTPS.
After the security scan, it was reported that ttf, woff and woff2 files are ignoring HSTS.
Example 1:
On Google Chrome, if I try the URL below, it redirects to HTTPS:
http://example.com/backend/web/lib/roboto/Roboto-Light.woff2
redirects to
https://example.com/backend/web/lib/roboto/Roboto-Light.woff2
If I try the same thing on Firefox, it just downloads the Roboto-Light.woff2 file over HTTP instead of redirecting to HTTPS.
Example 2:
If I try the URL below on both Google Chrome and Firefox, it just downloads the file.
http://example.com/backend/web/lib/roboto/Roboto-Black.ttf
So what should I do to fix this issue?
Update
Network log after accessing the below URL:
http://example.com/backend/web/lib/roboto/Roboto-Black.ttf
It seems that the first file is being loaded by visiting the HTTP URL, but the HTTPS one is not being updated in the browser's address bar; not sure.
VHOST Settings
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ServerName example.com
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} ^http$
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#RewriteCond %{HTTPS} !=on
#RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
You need to go back and ask the security scan people why they think this is the case.
You are clearly showing that HSTS is being set for the font files.
You are also showing that you are correctly showing the 307 internal redirect for HSTS reasons.
This is the way it's supposed to work. You get two requests in Chrome's network tab (other browsers may be different):
A fake 307 response which upgrades the request from HTTP to HTTPS. This is created by the browser and the HTTP request never reaches the server. Hence why I am calling it a "fake" response.
The real request sent over HTTPS.
As fonts are downloaded, it's difficult to tell that this was downloaded over HTTPS except by looking in the network tab - but that's fine.
If I try the same thing on Firefox, it just downloads the Roboto-Light.woff2 file over HTTP instead of redirecting to HTTPS.
How do you know this? Are you sure you have visited the site over HTTPS to get the HSTS header? The first request may well be over HTTP (though you have a standard redirect in place so this should redirect to HTTPS and then download), but after that it should auto redirect BEFORE the request is sent.
If I try the URL below on both Google Chrome and Firefox, it just downloads the file.
It probably does. But after a redirect.
It seems that the first file is being loaded by visiting the HTTP URL, but the HTTPS one is not being updated in the browser's address bar; not sure.
No, as discussed the first one is a dummy request. The second is the real request which is actually sent to the browser. As the font file is downloaded immediately it doesn't do anything with the URL bar.
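To make the answer's "fake 307" concrete, here is an added example (not code from the question or answer) in Python that models the browser's HSTS cache: it learns a policy only from an HTTPS response and rewrites later http:// URLs, including subdomains when includeSubDomains is set, before any request is sent. Hostnames and header values are constructed; the header mirrors the one in the asker's vhost.

```python
"""Browser-side HSTS upgrade, the 'fake 307' in the answer (added example, not the
original post's code). Policies are stored per host as a browser does and http://
URLs are rewritten locally, so the plain request never reaches the server."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header: str) -> dict:
    """Parse max-age / includeSubDomains. Directive names are case-insensitive
    and a trailing ';' is tolerated, as browsers tolerate it."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and value.strip().isdigit():
            policy["max_age"] = int(value.strip())
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


class HstsCache:
    """Per-host store: host -> (expires_at, include_subdomains)."""
    def __init__(self, now=time.time):
        self._now, self._entries = now, {}

    def note_response(self, url: str, sts_header: str) -> None:
        """Record a policy; browsers ignore STS headers on plain-HTTP responses."""
        parts, policy = urlsplit(url), parse_hsts(sts_header)
        if parts.scheme != "https" or policy["max_age"] is None:
            return
        host = parts.hostname.lower()
        if policy["max_age"] == 0:                  # max-age=0 deletes the policy
            self._entries.pop(host, None)
            return
        self._entries[host] = (self._now() + policy["max_age"], policy["include_subdomains"])

    def upgrade(self, url: str) -> tuple[str, bool]:
        """Return (url_to_fetch, upgraded). http:// becomes https:// when the host,
        or a parent domain whose policy set includeSubDomains, has a live policy."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url, False
        host, labels = parts.hostname.lower(), parts.hostname.lower().split(".")
        for i in range(len(labels)):                # exact host first, then parents
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
                return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment)), True
        return url, False
```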

WAMP - Unwanted prefix https:// on localhost url even though not having any htaccess on root folder

I have some projects on my wamp/www/ directory. Some of my projects, when accessed through 127.0.0.1/project_name or localhost/project_name automatically adds an https:// prefix on the url so it becomes https://127.0.0.1/project_name, which then causes the site to be unreachable.
These projects DON'T have any .htaccess files in their root directories. While this is true of some of my projects, others are ok and don't add an unwanted https:// prefix to the url.
I'm using WAMP 3.0.6
One more thing. Make sure you remove this from your head section if you have it. It forces the resources (jpg, css, js) to load over https.
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Apache web servers are able to rewrite/redirect incoming requests/urls. Globally this behavior can be set using the httpd.conf or php.ini files for example.
Typically when the default or global behavior needs to be modified for a certain directory, an .htaccess file can be used to define different behavior for requests to that directory/project.
Look in the root of the projects that are being redirected to https:// for an .htaccess file. If you see the lines below in the .htaccess file, you can remove them or modify them to ensure the server handles requests as you expect.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

What are the steps i need to take while changing from http to https my Wordpress site

I need to change my whole site to work on https instead of http. I have changed the http part of WordPress Address (URL) and Site Address (URL) to https from Settings->General but the whole site is down. What steps do I need to perform to convert a WordPress site from http to https? I have CentOS release 6.3 (Final) installed.
To make a website HTTPS, firstly get an SSL certificate for the domain, install it on the server and change the website permalinks from http to https.
Admin Setting:
Go to the admin dashboard.
Point your mouse over Settings and click General.
Where it says WordPress Address (URL) and Site Address (URL) replace the http:// part with https:// for both of them.
Click Save Changes.
To easily enable (and enforce) WordPress administration over SSL, the constant FORCE_SSL_ADMIN should be set to true in your site's wp-config.php file to force all logins and all admin sessions to happen over SSL.
define('FORCE_SSL_ADMIN', true);
To set up a 301 permanent redirect, FTP/SFTP to your server and add the code below at the top of WordPress' .htaccess file.
RewriteEngine on
# Only redirect plain-HTTP requests; without this condition the rule also fires
# on HTTPS requests and the browser ends up in a redirect loop.
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^yoursite\.com [NC,OR]
RewriteCond %{HTTP_HOST} ^www\.yoursite\.com [NC]
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [L,R=301,NC]
Change every instance of yoursite.com to your WordPress URL.
To inform Google about the change in URL, re-add your WordPress site to Google webmaster tool (but this time with https://).
Hope it will help.
What Techie Code said is correct...
Also, don't mention HTTP or HTTPS in your image path. Just keep it like //yoursite.com/img/image.jpg so it will pick up http or https automatically. These are called protocol-relative URLs.
See "The Protocol-relative URL": http://www.paulirish.com/2010/the-protocol-relative-url/

SSL Encryption Issue

I have hosted an ecommerce website with the OpenCart script at www.medicosales.in
I am facing some errors.
When opened by typing medicosales.in, the website is NOT automatically resolving to https://, whereas on SSL-secured sites I have seen that just typing yourdomain.com automatically takes the URL to https://.
It's showing this message
How to solve it?
You should set up your .htaccess file if you're using Apache, or similar if you're using another webserver to rewrite your URLs to include https:// if they do not already. This will force the user's browser to access via the correct protocol.
For Apache place the following code into the top of your .htaccess file in your document root for the site ensuring mod_rewrite is enabled.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Whenever you load a resource externally, e.g. via something like <img src="http://example.com/myimage.jpg" ...>, you must ensure that the protocol is HTTPS as well, otherwise your browser will give you that message since the resource was not loaded securely.
The way to fix this is to ensure that all externally linked resources have their URLs prefixed with // and not http://. This way the browser will use the current protocol to fetch the resource.
Thanks @davidgiga1993 for pointing out // rather than using https://
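The mixed-content question earlier on this page and this answer both come down to finding subresources still referenced over http://. As an added example (not code from either answer), this Python scanner lists such references in an HTTPS page, marks which ones the browser blocks outright, and shows the protocol-relative rewrite; the HTML sample is constructed around the console error quoted in the mixed-content question.

```python
"""Mixed-content finder for a page served over HTTPS (added example, not from the
original answers). Active content (scripts, stylesheets, frames) fetched over
http:// is blocked outright and breaks layout, as the OSCommerce question shows;
images and media only draw a warning. Both vanish once the URL is https:// or
protocol-relative (//host/path). The HTML sample is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "link": "href",
             "img": "src", "audio": "src", "video": "src", "source": "src"}
BLOCKABLE = {"script", "iframe", "embed", "link"}   # request refused by the browser


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (tag, url, "blocked" | "warning")

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() != "stylesheet":
            return                  # only stylesheet links load a subresource here
        url = a.get(attr) or ""
        if urlsplit(url).scheme == "http":   # https:// and //host/... are fine
            self.findings.append((tag, url, "blocked" if tag in BLOCKABLE else "warning"))


def find_mixed_content(html: str) -> list:
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def to_protocol_relative(url: str) -> str:
    """The fix both answers propose: drop the scheme so the page's own one is reused."""
    return "//" + url[len("http://"):] if urlsplit(url).scheme == "http" else url


# Constructed HTML echoing the console error quoted in the mixed-content question
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://voberhaat.com/oc-content/themes/bender/js/jquery-ui/jquery-ui-1.10.2.custom.min.css">
<script src="https://voberhaat.com/js/app.js"></script>
</head><body><img src="http://example.com/myimage.jpg"><img src="//example.com/logo.png">
</body></html>"""
```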
It is not automatic. You need to send a 302/301 redirect back to the user pointing to the https URL.
