So I want to force the user to access the https version of my page rather than the http. And according to this post all I have to do is this:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]
But MY site resides in a folder within the main directory, so it's in www.domain.com/Folder. So should this htaccess code go inside the main directory or in the subdirectory. Because I do not want to change the way the access the main site, only the folder.
This is a not-so-good method of going about this, especially if you have access to httpd.conf. The better method is to create TWO virtual hosts. One for your standard port 80 stuff, which simply has an unconditional redirect to the SSL version, e.g. in pseudo-ish .conf talk:
<VirtualHost example.com:80>
RedirectPermanent / https://example.com
DocumentRoot /some/fake/path
</VirtualHost>
<VirtualHost example.com:443>
normal site stuff here...
</VirtualHost>
This has the advantage of leaving the redirect viable even if a config messup disables .htaccess files, plus serving up bogus/non-existent content if SSL dies for whatever reason.
You can leave it in the root directory but change it to:
RewriteRule ^(your-directory/.*)$ https://www.yourdomain.com/$1 [R,L]
Keep in mind, though, that before the redirect happens, the cookies and query parameters with possibly sensitive data has already been sent in clear text, so remember to use the secure cookie atribute if you use cookies.
Your site can be vulnerable if you're redirecting from http to https. Take a look at this for some more information on that.
http://www.thoughtcrime.org/software/sslstrip/
seems silly to "force ssl" till they fix the big gaping security hole it opens up in browsers in the name of "site verification"
this has no real basis and there is potential for abuse by a rogue CA, rogue state, or corruption.
(and the "verification" is useless anyway not being based on user wishes not anyone actually looking at the sites - there are plenty of phishing sites out there with "valid" certificates!)
there is way too much misinformation being bandied around about SSL
you get the same encryption with a self signed certificate but browsers tell users you site is "untrusted" (with of course no basis - "not checked" or "not verifiable" would be what any warning should actually say - warnings need to be informative not something that just scares users so much most of them just close them without even reading the rest of the warning!)
until this is fixed in browsers I cannot recommend the use of SSL at all in a web site context.
meanwhile all I can recommend to forget port 443 and implement your own encryption layer (or use something like ssh if it doesn't need to be a browser)
Related
How do I definitively and totally stop WordPress from rewriting all URLs from HTTP to HTTPS?
I need to set it up on a testing server and run there without an SSL certificate on an internal-only server so I can test PHP 7.2 which is breaking my live WP site with my plugin mix.
I have got a copy of the site on a different server but I simply cannot get it to STOP using HTTPS on every single link – it currently fails to load as it keeps requesting HTTPS but there is no certificate or set up loaded on the testing server to use HTTPS and apache isn't even listening on port 443 on that testing server.
Already changed the WP_HOME and WP_SITEURL in wp-config.php to refer to HTTP, and used the test server’s IP instead of the site domain name. Also put in
define(‘FORCE_SSL_ADMIN’, false);
define(‘FORCE_SSL’,false);
Dumped the DB to disc, truncated the live tables, then text-replaced all https://domainname.com occurrences with http://192.168.0.1 (for example) in the dumpfile, and reloaded every table’s data back into it to get rid of ALL references to “https” in any URLs in the DB.
Put this in my .htaccess (which DOES get parsed, as I can crash the testing server’s httpd by putting crud into it):
.
.
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
.
.
So:
The .htaccess deliberately rewrites any requests to port 443 or HTTPS to HTTP.
There is an index.htm and index.html that specify 192.168.0.1/index.php in the /var/www/html folder via meta refresh tags.
The wp-config specifies for WP_HOME and WP_SITEURL “http://192.168.0.1” and FORCE_SSL_* are set to “false”.
But still, referencing in a browser
http://192.168.0.1 or http://192.168.0.1/index.php
always results in
https://192.168.0.1
being rewritten in the browser address bar and then the browser just stops and reports the page as unreachable. Have cleared cache and can insert arbitrary “die(…” commands and see them render if I CTRL F5, so the browser cache is not a factor.
All I want to do is test if PHP 7.2 will break my site – on a testing server without HTTPS.
What is there besides .htaccess, wp-config.php and the associated MySQL database that still forces WP to HTTPS instead of HTTP when directly referencing in a web browser the testing server’s 192.168.0.1 IP?
I just need WP to -actually- use
http://192.168.0.1
and stick with that instead of each time making it https://192.168.0.1
Expected result is to not see URL rewriting in WordPress from http:// to https:// in the browser address bar on the testing server.
Stefan
Ok found the solution (at least partially) to this.
Had a plugin called "Really Simple SSL" loaded. Manually disabled this, and now the site is at least partially loading. Still have severe errors and mangled URLs that don't work, but at least it is not each time jumping into HTTPS.
Thanks for the replies!
Stefan
I read all the discussions here on stack overflow but did not help me.
Let me explain what I would like to do:
I have a redirect from www.site1.it at www.site2.it Thanks to my hosting I can do a hidden redirect and keep the url "site1.it" when I reach "site2.it".
The problem is that my hosting inserts an iframe by including all the site disabling the responsive. I would like to know if there is a way to keep the same url after the redirect, make a hidden redirect.
ps. When I go to https://www.site2.it, the url must remain the same as it already is. I'm sorry for the link size but I do not have 10 reputation points.
Thanks for your help.
You need to changes 2 values in the database (site_url & base_url) (wp_options) and eventually create a proper DNS redirection in your hosting.
You can also check your wp-config.php
The "hidden redirect" won't help you, they are usually based on frames or iframes, and will mess with your site.
You can however use a reverse proxy. If mod_proxy is enabled, you can ask mod_rewrite to do it:
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)$ http://example.org/$1 [P,L]
The client will not see that the request is proxied to another host (even if it's on the same server in your case). However, if links, CSS, JS and images are referenced with host (e.g. http://example.org/myimage.jpg instead of /myimage.jpg), you will have to add more magic. In that case it's probably easiest to set WP_HOME / WP_SITEURL on the target-site to the old address for proxied requests (you can probably recognize those by the REMOTE_ADDR).
First Of all i want to tell that I am using XAMPP.
I have access to a folder in htdocs folder named mywebsite.
I want to wrote some sort of URL Masking Script in htaccess by which when every i visit localhost/mywebsite/index.php , content shown from another domain withour changing the URL.
I wrote below code yet but not able to do that.
RewriteEngine On
RewriteRule ^(.*)$ https://www.google.co.in/$1 [P]
It showing me
Server error!
The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there was an error in a CGI script.
Kindly Clear me, Is it possible or not.
& if yes then how it will be.
If you have enabled the http servers proxy module as you confirmed in the comments to the question then you also need to enable the SSL proxy feature it offers. So I guess this is what you are looking for:
RewriteEngine On
SSLProxyEngine On
RewriteRule ^(.*)$ https://www.google.co.in/$1 [P]
If that external resource does not only consist of a single document, but has relative links, then you also need a reverse proxy, otherwise the client will break out of your proxy:
RewriteEngine On
SSLProxyEngine On
ProxyPass / https://www.google.co.in/
ProxyPassReverse / https://www.google.co.in/
However that is something you cannot do inside dynamic configuration files, you need to place such directives inside the http servers host configuration.
And a general hint: you should always prefer to place such rules inside the http servers (virtual) host configuration instead of using dynamic configuration files (.htaccess style files). Those files are notoriously error prone, hard to debug and they really slow down the server. They are only provided as a last option for situations where you do not have control over the host configuration (read: really cheap hosting service providers) or if you have an application that relies on writing its own rewrite rules (which is an obvious security nightmare).
So I recently purchased a domain. I know how to make websites, so I uploaded a website that I made onto that domain. The only problem is is that it sends me to my index and then I have to click on some folders to actually get to see my website on my screen. I know what .htaccess is and does, but I'm not sure how to use it.
What I want is that when I go to www.mydomain.com it should open up my home.php file from the website that I made. This is my file order:
project/PHP/home.php
I'm not sure if I've given enough information, but I hope someone can help me out here.
As correctly written by #JimL in the comments above we would recommend that you simply replace home.php to index.php, since that is the default setting really all http servers are configured to use for the index document.
You can however change that, even if you can only use .htaccess style files:
DirectoryIndex home.php
That said I still would recommend to rename the index file instead. .htaccess style files should be avoided whenever possible. They are notoriously error prone, hard to debug and they really slow the http server down, often without reason. They are only offered for cases where you really need to do some configuration tweaks but do not have control over the http servers host configuration. That is for example often the case when using a cheap web space provider.
Considering the additional information you gave in the comment below you could also try to rewrite all requests to point to the php scripts inside that folder project/php. For that you can place such rewriting rules inside a .htaccess style file:
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/project/php
RewriteRule ^(.*)$ project/php/$1 [L,QSA]
If you also have to handle requests that require different rewriting then obviously you need additional rules.
But as already said in the comments below this is painful, slows the server down and makes things harder to debug.
Put your files in the public_html folder, or /var/www, you don't need the .htacces to do this.
I am currently running two websites. I am able to add my domains and set the root folder to / instead of /domain1.com and /domain2.com. That way both websites go to the same folder, however they both maintain their domain names (no redirects). My code determines whether the user is from domain1.com or domain2.com and displays the appropriate content using PHP.
Now, I have switched to another web hoster. The problem is that they don't allow you to specify where the root folder is: so it has to be /domain1.com and /domain2.com. They also don't seem to allow access to httpd.conf to edit VirtualHosts.
I have tried using .htaccess to do a redirect, but the problem is that when I go to domain2.com, it redirects straight to domain1.com, and it doesn't keep its host name of domain2.com.
I have also tried setting up symlinks, but it seems to be doing the exact same thing.
Is there any way to solve this?
Can you do a rewrite rule similar to the following (don't trust my syntax)?
# if domain2.com, send all requests to domain1.com
RewriteEngine on
RewriteRule ^(.*)$ ../domain1.com/index.php/$1
So if someone does go to domain2.com, all requests are passed through the index.php file on domain1.com for processing (I presume you're doing something similar already).
You should be able to set up symbolic links using ssh that don't redirect to the other domain. I have several .co.uk domains that use the same data as the .com that don't redirect. What host is it? You should be able to do this, maybe email them asking why it redirects.
Sure it's not in the htaccess file to redirect the domain2.com to domain1.com?