In my web app you get redirected after successful login via header('Location: https://domain.com/loggedin') but when its finished redirecting I get to following URL http://domain.com:443/loggedin which give (of course) following error
400 Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
What do I have to change? What did I do wrong or what do I have to add?
This sounds absurd but after some thinking:
I added a slash (/) at the end so now it looks like this header('Location: '.PROJECT_HTTP_ROOT.'/');.
Works like it should now!
Related
I have a dev URL that is behind HTTP authentication using a simple .htpasswd file - nothing special about that at all, all standard.
I am trying to hit a URL on that domain via cURL but am getting this message of course:
Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
Apache/2.4.29 (Ubuntu) Server
I have added what I believe to be the correct parameter to authorise the url but with no joy. Just the same message. I have echo'd out the username and password and these are exactly as I would enter into the browser prompt.
What is the next step to debug this?
I have solved this by NOT using curl_setopt_array, instead setting each 3 separately. Cannot currently explain why this is different but it works! :(
On my live server i'm getting a The redirect uri included is not valid. error message, whereas on my localhost OAuth works ok.
here's the full urls for both:
Localhost:
https://coinbase.com/oauth/authorize?response_type=code&client_id=xxx&redirect_uri=http%3A%2F%2Flocalhost%2Faccounts-coinbase%2Foauth&scope=balance+addresses+user+transactions
Live server (https://example.com)
https://coinbase.com/oauth/authorize?response_type=code&client_id=xxx&redirect_uri=https%3A%2F%2Fexample.com%2Faccounts-coinbase%2Foauth&scope=balance+addresses+user+transactions
I'm pretty confident I had the live server OAuth working before. Any ideas why it's failing now?
Ok I solved my own problem.
The error message, The redirect uri included is not valid. does NOT accurately reflect the issue at all. What was actually the problem is that my Coinbase OAuth app had a localhost redirect url.
The relevant OAuth redirect url, called a "callback url" is set from this rather hard to find page: https://coinbase.com/oauth/applications.
There I just switched localhost with example.com and it worked.
I have a few links in my page. When I open the page in http://, it works just fine (correctly goes to http://www.example.com/path/to/page. But when opened in https://, when I click on the link, it brings me to www.example.com:443/path/to/page instead, and it gives me a 400 error:
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
I'm sure my link targets are fine (I use relative paths). How can I tackle this issue?
Default port for HTTPS is 443, because of which all calls to HTTP will route to http:/XYZ:443/ by default. If you want to access the url via https, you'd need to enable/setup https in your webserver.
If you are using apache, try this link: http://docs.oracle.com/cd/A95431_01/install/ssl.htm
Have you got SSL certificate four your domain or localhost?
"You're speaking plain HTTP to an SSL-enabled server port." Try to change your SSL settings.
I have a load balanced dev site that I'm working out bugs for SSL on and I have ran into one last very annoying issue. On some pages I need to force it to SSL so easy enough, I just wanted to create a
header ("Location: https://www.example.com/mypage.php");
I thought that was easy enough and no worries. However, every time I do this it transforms it back to http. Well as you can figure it creates an endless loop that can't be resolved. I can't figure out how to keep that https in there so that it will pull the secure version of the page. If I navigate directly to the secure page with https it works just fine. The only issue is on this redirect.
Any help would be awesome! I'm using POUND as a load balance proxy. Apache on the web-server nodes. The SSL cert is setup at the Load Balancer.
When loadbalancing, 'internal' SSL usually goes out the door: Clients connect through a load-balancer with which you can do SSL encryption, but behind that in most loadbalancers I've seen is plain 'HTTP'. Try to get your loadbalancer to set a custom header to you indicating that there is a HTTPS connection between loadbalancer & client.
From http://www.apsis.ch/pound/index_html
WHAT POUND IS:
...
an SSL wrapper: Pound will decrypt HTTPS requests from client browsers and pass them as plain HTTP to the back-end servers.
And from more manual pages:
HTTP Listener
RewriteLocation 0|1|2
If 1 force Pound to change the Location: and Content-location:
headers in responses. If they point to the back-end itself or to
the listener (but with the wrong protocol) the response will be
changed to show the virtual host in the request. Default: 1
(active). If the value is set to 2 only the back-end address is
compared; this is useful for redirecting a request to an HTTPS
listener on the same server as the HTTP listener.
redirecting to https pages is no problem.
you can check for the port, scheme or server variable (probably server variable is the best) to see if https is on, and have it as a condition for redirecting
$_SERVER['SERVER_PORT'] == 443
parse_url($_SERVER['REQUEST_URI'],PHP_URL_SCHEME) == 'https'
$_SERVER['HTTPS'] == 'on'
but as you have an infinite loop there must be something else wrong!
try using the load blancer "balance" instead. it only takes about 5 minutes to set up, and instead of proxying, will do "real" load balancing. I would guess your proxy is currently redirecting https requests to the http address. Try making a request without using the balancer. you can do this by setting up the host name in your /etc/hosts file to point directly to a server instead of to the load balancer's IP
I would like to use a secure SSL login on my website! I have not used SSL before, so I am looking for some good reading. Can anyone tell me where I can find some sample code of SSL snippets or page code. (Not too technical)
I do have a static IP
My host is set-up to handle SSL Pages.
Interested in: Basic page code. / Tree structure. / Other
Paul
My first thought would be to simply call a function to redirect to the https: version of the current page when you need to be secure.
Some code like this:
if($requireSSL && $_SERVER['SERVER_PORT'] != 443)
{
header("HTTP/1.1 301 Moved Permanently");
header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
exit();
}
Reference
If you've an SSL enabled host, writing a login is not different to writing one without SSL - all the encryption happens at a lower layer of the protocol stack, so by the time your PHP sees the request, it's already decrypted. Similarly, your script outputs are encrypted by the HTTP server before onward transmission back to the user.
SSL happens before the request ever reaches PHP. The only impact on your PHP would be in the self-facing links you're publishing, which you'd want to switch from http://... to https://... There's a $_SERVER['HTTPS'] variable you could use to trigger this change if you'll be accepting both SSL and non-SSL connections. But if you're moving everything to SSL, you'll want to move all your links once rather than having it check on each request.