I'm trying to get rid of a certificate warning. I have the following code that executes before anything else, and forces the user to the https version of the URL:
if((!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == "") && ($_SERVER['REMOTE_ADDR'] != '127.0.0.1')){
    $redirect = "https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
    header("Location: $redirect");
    exit();
}
This redirects to the correct URL, but it seems to leave an SSL warning in its wake:
In the console I get this:
(The page at https://mysite.com/special-offer/ displayed insecure content from http://mysite.com/special-offer/.)
However if I visit the url ($redirect) directly, no SSL warning is given. All resources are being served over https.
This has nothing to do with PHP or redirect. Your web page has references to http resources. When this page is loaded using HTTPS, you get a warning.
Solution: review your web page and change the URLs to either "//www.domainname.com" (i.e. no protocol specifier) or to proper HTTPS addresses if applicable (some servers have different paths for resources accessible via HTTP and via HTTPS).
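A check for the references described in the answer above, as an added example that is not part of the original thread: it parses a page and lists the sub-resources it would load over plain http://. The sample HTML is constructed, and only element attributes are covered, not URLs inside CSS or scripts.

```php
<?php
// Added example, not code from the thread: list sub-resources a page
// would load over plain http://. The HTML below is constructed.

/** Returns "tag[attr] => url" for each sub-resource referenced over http://. */
function find_insecure_references(string $html): array
{
    // Attributes that make the browser fetch something while rendering.
    // <a href> is left out: a link is navigation, not mixed content.
    $fetching = [
        'img' => ['src'], 'script' => ['src'], 'iframe' => ['src'],
        'link' => ['href'], 'audio' => ['src'], 'video' => ['src', 'poster'],
        'source' => ['src'], 'embed' => ['src'], 'object' => ['data'],
    ];
    $doc = new DOMDocument();
    // Real-world markup is rarely valid; suppress parser warnings.
    $previous = libxml_use_internal_errors(true);
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $found = [];
    foreach ($fetching as $tag => $attributes) {
        foreach ($doc->getElementsByTagName($tag) as $element) {
            foreach ($attributes as $attribute) {
                $url = trim($element->getAttribute($attribute));
                // Protocol-relative (//host/...) and https:// URLs are fine.
                if (stripos($url, 'http://') === 0) {
                    $found[] = "{$tag}[{$attribute}] => {$url}";
                }
            }
        }
    }
    return $found;
}

$page = <<<HTML
<html><head>
<link rel="stylesheet" href="http://mysite.com/css/site.css">
<script src="//mysite.com/js/app.js"></script>
</head><body>
<img src="https://mysite.com/img/logo.png">
<img src="http://mysite.com/img/banner.jpg">
<a href="http://mysite.com/about/">About</a>
</body></html>
HTML;

print_r(find_insecure_references($page));
```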
The SSL connection is established before you send the 301 redirect. Because the browser can't trust the redirect, it shows a warning.
Related
In my web app you get redirected after successful login via header('Location: https://domain.com/loggedin') but when it's finished redirecting I get to the following URL http://domain.com:443/loggedin which gives (of course) the following error
400 Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
What do I have to change? What did I do wrong or what do I have to add?
This sounds absurd but after some thinking:
I added a slash (/) at the end so now it looks like this header('Location: '.PROJECT_HTTP_ROOT.'/');.
Works like it should now!
I have a few links in my page. When I open the page in http://, it works just fine (correctly goes to http://www.example.com/path/to/page). But when opened in https://, when I click on the link, it brings me to www.example.com:443/path/to/page instead, and it gives me a 400 error:
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
I'm sure my link targets are fine (I use relative paths). How can I tackle this issue?
The default port for HTTPS is 443, because of which all calls to HTTP will route to http://XYZ:443/ by default. If you want to access the URL via https, you'd need to enable/set up https in your webserver.
If you are using apache, try this link: http://docs.oracle.com/cd/A95431_01/install/ssl.htm
Have you got an SSL certificate for your domain or localhost?
"You're speaking plain HTTP to an SSL-enabled server port." Try to change your SSL settings.
Within a standard "brochure" site I have a subsystem where private data is passed back and forth in a series of pages. The site is done and working now without HTTPS.
Can someone point me to a list of steps that I need to do, to implement HTTPS on the secure part of the site?
The only thing you as a programmer need to do is to check that the user in fact uses HTTPS:
// SERVER_PORT arrives as a string, so cast it before the strict comparison.
if ((int) $_SERVER['SERVER_PORT'] !== 443 &&
    (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')) {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit;
}
Then (have your sysadmin) order and install an SSL certificate on the web server.
The web site must be configured itself, this is not related to php itself at this point.
On your local PC I think you use Apache as web server.
So for Apache you need to install a certificate, and Apache needs to listen on the https port (443 by default).
You can view this link, it can help you: http://www.onlamp.com/pub/a/onlamp/2008/03/04/step-by-step-configuring-ssl-under-apache.html
Also, in all sections of the web site you need to use the https protocol in URLs, not http.
E.g. https://example.com
There is no PHP code change involved. HTTPS means that the communication between the browser and the webserver will be encrypted. The browser is already set up for HTTPS, all you have to do is to configure your web server. Most probably you can do the whole change from your hosting control panel itself.
If you want to force HTTPS, you can use a one line mod_rewrite code
Try this:
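<?php
// Redirect via JavaScript when the request did not arrive over HTTPS.
// empty() also covers the case where $_SERVER['HTTPS'] is not set at all.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    // Host and URI come from the request: encode them as a JS string literal so they cannot break out of the script.
    $target = json_encode('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    echo '<script type="text/javascript">window.location = ' . $target . ';</script>';
}
?>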
I have a load balanced dev site that I'm working out bugs for SSL on and I have run into one last very annoying issue. On some pages I need to force it to SSL so easy enough, I just wanted to create a
header ("Location: https://www.example.com/mypage.php");
I thought that was easy enough and no worries. However, every time I do this it transforms it back to http. Well as you can figure it creates an endless loop that can't be resolved. I can't figure out how to keep that https in there so that it will pull the secure version of the page. If I navigate directly to the secure page with https it works just fine. The only issue is on this redirect.
Any help would be awesome! I'm using POUND as a load balance proxy. Apache on the web-server nodes. The SSL cert is set up at the Load Balancer.
When loadbalancing, 'internal' SSL usually goes out the door: Clients connect through a load-balancer with which you can do SSL encryption, but behind that in most loadbalancers I've seen is plain 'HTTP'. Try to get your loadbalancer to set a custom header to you indicating that there is an HTTPS connection between loadbalancer & client.
From http://www.apsis.ch/pound/index_html
WHAT POUND IS:
...
an SSL wrapper: Pound will decrypt HTTPS requests from client browsers and pass them as plain HTTP to the back-end servers.
And from more manual pages:
HTTP Listener
RewriteLocation 0|1|2
If 1 force Pound to change the Location: and Content-location:
headers in responses. If they point to the back-end itself or to
the listener (but with the wrong protocol) the response will be
changed to show the virtual host in the request. Default: 1
(active). If the value is set to 2 only the back-end address is
compared; this is useful for redirecting a request to an HTTPS
listener on the same server as the HTTP listener.
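One way a back end behind a TLS-terminating balancer can decide whether to redirect without looping, as an added example that is not part of the original thread. It assumes the balancer adds an X-Forwarded-Proto: https header on its HTTPS listener; that header name, the balancer address and the host names are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed values: the balancer's
// address, the header it sets on HTTPS traffic, and the site's host names.
const TRUSTED_PROXIES = ['10.0.0.5'];                       // constructed
const ALLOWED_HOSTS   = ['www.example.com', 'example.com']; // constructed

/** True when the client-facing connection was HTTPS. */
function request_is_https(array $server): bool
{
    // Direct TLS connection to this web server.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // TLS ended at the balancer: believe its header only if the request
    // really came from the balancer, since any client can send this header.
    $fromProxy = in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true);
    $proto     = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    return $fromProxy && $proto === 'https';
}

/** Returns the https:// URL to redirect to, or null if no redirect is needed. */
function https_redirect_target(array $server): ?string
{
    if (request_is_https($server)) {
        return null; // already secure: no redirect, so no loop
    }
    // HTTP_HOST is client-supplied; only echo it back if it is ours.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        $host = ALLOWED_HOSTS[0];
    }
    return 'https://' . $host . ($server['REQUEST_URI'] ?? '/');
}

// Constructed requests as the back end sees them behind the balancer.
$viaHttps = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https',
             'HTTP_HOST' => 'www.example.com', 'REQUEST_URI' => '/mypage.php'];
$viaHttp  = ['REMOTE_ADDR' => '10.0.0.5',
             'HTTP_HOST' => 'www.example.com', 'REQUEST_URI' => '/mypage.php'];
$spoofed  = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https',
             'HTTP_HOST' => 'evil.example', 'REQUEST_URI' => '/mypage.php'];

foreach (['via https' => $viaHttps, 'via http' => $viaHttp, 'spoofed' => $spoofed] as $name => $req) {
    echo $name, ' => ', https_redirect_target($req) ?? '(serve page)', "\n";
}
```

In a live page the functions would be called with $_SERVER, followed by header('Location: ' . $target) and exit when a target is returned.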
Redirecting to https pages is no problem.
You can check for the port, scheme or server variable (probably server variable is the best) to see if https is on, and have it as a condition for redirecting:
$_SERVER['SERVER_PORT'] == 443
parse_url($_SERVER['REQUEST_URI'],PHP_URL_SCHEME) == 'https'
$_SERVER['HTTPS'] == 'on'
But as you have an infinite loop, there must be something else wrong!
Try using the load balancer "balance" instead. It only takes about 5 minutes to set up and, instead of proxying, will do "real" load balancing. I would guess your proxy is currently redirecting https requests to the http address. Try making a request without using the balancer. You can do this by setting up the host name in your /etc/hosts file to point directly to a server instead of to the load balancer's IP.
I would like to use a secure SSL login on my website! I have not used SSL before, so I am looking for some good reading. Can anyone tell me where I can find some sample code of SSL snippets or page code. (Not too technical)
I do have a static IP
My host is set-up to handle SSL Pages.
Interested in: Basic page code. / Tree structure. / Other
Paul
My first thought would be to simply call a function to redirect to the https: version of the current page when you need to be secure.
Some code like this:
if($requireSSL && $_SERVER['SERVER_PORT'] != 443)
{
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
    exit();
}
Reference
If you've an SSL enabled host, writing a login is not different to writing one without SSL - all the encryption happens at a lower layer of the protocol stack, so by the time your PHP sees the request, it's already decrypted. Similarly, your script outputs are encrypted by the HTTP server before onward transmission back to the user.
SSL happens before the request ever reaches PHP. The only impact on your PHP would be in the self-facing links you're publishing, which you'd want to switch from http://... to https://... There's a $_SERVER['HTTPS'] variable you could use to trigger this change if you'll be accepting both SSL and non-SSL connections. But if you're moving everything to SSL, you'll want to move all your links once rather than having it check on each request.