How to maintain an HTTPS connection with PHP Includes - php

I currently have a website set up on a secure server.
When I go to my website, the browser will show the HTTPS secure connection symbol at the start of the page load, but then the symbol will be crossed out (Google Chrome) or disappear (Safari) once the page fully loads.
I understand that any files that are not linked to the particular page through an HTTPS path will cause the page to not be considered secure.
I have set up all of my CSS and JavaScript files as being accessed through https://www.example.com/file; however, I understand that all of my PHP includes must also be accessed through the HTTPS secure path.
When I set my php.ini file to "allow_url_include = on" it still does not permit me to include using a URL path. I additionally have the "allow_url_fopen = on" set as well, but I am still not able to URL include using https://www.example.com.
Can someone explain to me how I can make it work so that every PHP include is included via HTTPS, so that all of my pages will be shown as HTTPS in a user's browser? (this is an ecommerce website, so this factor is important for my users to see).

I have set up all of my CSS and JavaScript files as being accessed through https://www.example.com/file
Good.
You also need to do that for all your images, and any other resources that get included.
however I understand that all of my PHP includes must also be accessed through the HTTPS secure path.
In general, PHP includes should be done from the file system and not hit HTTP(S) at all (since that is inefficient).
The browser can't see what PHP does though, so it isn't the cause of your problem.

Related

Drupal 7: Localhost/user link defaults to website/user

I am really new to Drupal and playing around with this existing Drupal site.
I did an FTP transfer of all the files to my local computer directory. I currently got it on a Vagrant box and I can access the site via http://192.168.56.101/html.
I can do http://192.168.56.101/html/anything-but-user and it brings me to the proper area on the site. However I can't do localhost/html/user, because it redirects me to the website URL rather than the local URL.
I tried clearing the cache (with Drush). I scanned all files in the system and changed the web url to the local URL [not sure if I need to do any other command], and I can't seem to find anything in the .htaccess files that would lead me to this.
The href="/user I would greatly appreciate any advice or help in figuring out this solution.
--UPDATED
There was a module called "Secure Pages" that was causing the user and registration links to be locked and static to prevent redirects to phishing sites. I had to disable this module using "drush pm-disable securepages" in the terminal.
Some typical items you may want to check:
Check if you get the same problem using another browser. If with another browser it works, then it is pretty sure a cookie problem. To solve that, delete the cookie in the browser where you have the problem.
Make sure "clean urls" is enabled. Refer to "https://drupal.stackexchange.com/questions/165029/clean-url-leads-to-duplicate-url-after-migration-to-another-hosting/165044?s=1%7C3.9647#165044" for more details on that.
Make sure the value of "base_url" is set correctly (in your settings.php).
If the Secure Pages module is enabled, then try to (at least temporarily) disable that module to see if it helps.
Apparently, there was a mod called "SecurePages" that was causing the URLs to be static to prevent someone from changing them and redirecting users to a phishing site.

Directing HTTP requests to HTTPS if initial connection is HTTPS but not if it is HTTP

I have a site running WordPress on Apache server and I am attempting to provide both HTTP and HTTPS connections via the same site. I want to allow connections over HTTP without forcing a redirect to HTTPS, unless the client is connecting initially via HTTPS then I want all subsequent HTTP requests to be forwarded to HTTPS to avoid issues with CORS and unsecured content warnings.
I am having some trouble turning up results on how to effectively do this with mod_rewrite alone. Most solutions I find try to force the connections to redirect to HTTPS regardless and will not allow an HTTP connection or vice versa. I have tried a few mod rewrite conditions including making use of the referer string but none seem to work thus far. I must be missing something because I feel that this is indeed possible but I and my search engines alone are stumped.
Maybe I'm just doing something wrong or is this kind of functionality beyond Mod_Rewrite?
I was thinking to use a PHP script but was worried it wouldn't work for some static files since WordPress doesn't handle those requests.
Update:
I have made a php script to detect the version. It sets a cookie which expires in 20 seconds from being set, this is read by Mod_Rewrite and if set it redirects the URLs to HTTPS. This works for most of the subsequent requests of an initial HTTPS request. A few URLs seem to be unaffected by it, not sure exactly why as the cookie hasn't expired by the time of these file requests and the particular rules are before the static file bypass rules in the htaccess file. At any rate that was easy enough to fix by setting the file urls to protocol-less versions.
Some third party sites need domains rewritten though, as they serve https from other domains. On that note I don't think this is actually possible without buffering the whole page and actually re-writing the URLs.
It is possible to detect the initial connection but this must be done using Server Side code, like a PHP script. Then using the detection can be done at Mod_Rewrite level.
Add in the WordPress constraint and things get complicated.
WordPress isn't built to facilitate one install with both protocols allowing access to content. So to accomplish this would require a custom plugin using the detection mentioned earlier, and instead of using Mod_Rewrite to direct requests on the server, we have to buffer WordPress output and logically replace/rewrite URLs in the page before they go to the user if and only if the initial connection for the page is in SSL.
There is only one plugin I have found which does something similar to this; however, it doesn't do dynamic detection, it only gives admin/editors a checkbox option to make a page SSL secured. The plugin is called WordPress HTTPS.
Dynamic detection and redirection isn't something SSL was meant for anyways, it's either on or off, and most pages need it that way.
I was originally trying to provide both so I could use a self-signed certificate without worrying that users would get the "warning unsecured connection" messages from their browsers by forcing them to use only SSL connections.
So I'll be purchasing a cert or making a custom plugin.
tkausl is right, you don't really need to do mod_rewrite. You should be able to format links without the protocol and it will automagically select for you.
You can see that google does this with their hosted libraries:
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
*Note the lack of http: or https: this will follow the protocol requested by the user.

How do I perform URL redirection and masking?

I have a URL where I host my webinars, which is provided by a webinar hosting provider. I would like to change that URL to something within my domain.
For example, the webinar URL is something like
http://www.onlinemeetingnow.com/seminar/?id=d181a7640e
I would like to change it to look like something within my domain.
www.mywebsite.com/webinar
Is this possible?
The simplest way of doing this would be to create a PHP script at the desired URL that simply does a readfile () of the target URL. That would give the appearance that your site is hosting the remotely hosted content.
<?php
readfile ('http://www.onlinemeetingnow.com/seminar/?id=d181a7640e');
?>
This approach does require allow_url_fopen to be enabled, which it might not be for security reasons. It also has issues regarding such things as cookies, for example. Say you are using this trick to link to a remote site that requires a login and uses cookies to implement it, people who are logged into the remote site would appear not to be logged in, as their cookie wouldn't be sent to the remote site when you readfile () it.
You could use curl instead, as you have a bit more control, and it doesn't require allow_url_fopen. It still wouldn't be ideal though.
If you can configure your server, you could possibly use something like proxypass or URL rewriting to hide the remote URL.
Other solutions include using an iframe to display the remote site, or using AJAX to load the remote page's markup and inject into your page, but these approaches have their own set of issues that you need to take into account.
In the end, is it really worth the effort needed and the compromises you will have to make to just have the URL appear to be locally hosted when it isn't?
Maybe you want to create that page(s) on your own site and within that page you load the onlinemeetingnow URL. This can be done with an iframe or such, or you can get the HTML code from the page (with curl or something) and then load that into your own page.

Cookies causing "unsecure content" warnings on Google Chrome?

If I visit the home page on my site (which uses CodeIgniter), my homepage is using http.
CodeIgniter sets a cookie containing all the session info.
If I then click login, which is using https, I get unsecure content warnings, and the only thing I can think of it being is the cookies, as if I restart the browser then go straight to https://mysite.com/login then I get no unsecure content warnings.
How can I fix this (Note that the homepage cannot be https).
This error comes from content being served over http to a page that's supposed to be https. For example, an <img>, <link>, or <script>.
The thing with CodeIgniter is that it's very likely you're using base_url() or site_url() for full absolute URLs to the embedded content, probably using http.
Here are some things you can do:
Use relative URLs, i.e. <img src="/path/to/images.jpg">
Don't specify a protocol. Example: //example.com/path/to/image.jpg More on this technique here: http://paulirish.com/2010/the-protocol-relative-url/
In the __construct() of the controller that you need to use https (or in the method that needs it), load a different config file that redefines your base url to use https. Note that it will be too late for any scripts/libraries that use the base url for html output before this config file is loaded.
If you load the page in IE, you should get a very nagging error message that will give you a list of all the content that was delivered insecurely to help you troubleshoot (other browsers should have this feature as well, but in IE it's especially prominent).
EDIT: Saw your note that there is nothing on the page being requested via http, only https, and the note about what happens when no cookies are present. My mistake, I just woke up - I should have read the question more thoroughly :p
You are loading unsecure content (usually images/iframes) on your secure (https) login page.
What this means is that you are referencing a link to a page that is not secure (is not https). This will cause the error, and prompt users whether or not to load such content. It's a problem with the links to external content, not your cookies.
Edit: To (temporarily) fix the issue, find any links/references to external content and disable it for the time being, then visit your page and the prompt/error should go away.
To fix the issue, you'll have to download the content or use a file on your site to securely download the content for that page to use.
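The answers above, and the reply to the PHP includes question at the top of the page, make the same point: the warning comes from subresources the browser fetches over http, not from server-side includes or cookies. This Python script is an added example, not code from any of the posts; it scans a page's HTML for such references, and the sample markup and example.com URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource. <a href> is
# deliberately absent: a plain link to an http page is not mixed content.
FETCHING_ATTR = {"script": "src", "iframe": "src", "embed": "src", "object": "data",
                 "link": "href", "img": "src", "audio": "src", "video": "src"}
FETCHING_RELS = {"stylesheet", "icon", "preload"}  # <link rel=canonical> fetches nothing
PASSIVE_TAGS = {"img", "audio", "video"}  # warned about or upgraded; the rest is blocked

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, kind, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        raw = attrs.get(FETCHING_ATTR.get(tag, ""))
        if not raw:
            return
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHING_RELS:
            return
        # Relative and protocol-relative (//host/path) URLs inherit the page scheme.
        resolved = urljoin(self.page_url, raw.strip())
        if urlsplit(resolved).scheme == "http":
            kind = "passive" if tag in PASSIVE_TAGS else "active"
            self.findings.append((self.getpos()[0], tag, kind, resolved))

def find_mixed_content(html, page_url):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an https page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup, not taken from any site discussed on this page.
SAMPLE_HTML = """<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
<script src="http://www.example.com/js/cart.js"></script>
<a href="http://www.example.com/about">About</a>
<img src="http://www.example.com/images/banner.jpg">"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content(SAMPLE_HTML, "https://www.example.com/login"):
        print(f"line {line}: <{tag}> {kind} mixed content: {url}")
```

Only the absolute http:// script and image are reported; the relative stylesheet, the protocol-relative script, the canonical link and the anchor are not.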

Images not showing up with https

Suddenly, my images are not showing up on my site when accessing https pages. No change in my code. My host did have to recompile their ftp service with SSL support after my request (so I could ftpes my site). Can't think of anything else that would affect my SSL cert. Same thing happens on FF and IE and on different computers.
If I go to your website ( https://www.scfootball.org/ ), I don't see the images, as you said : I get a 403 (Forbidden) error for each one of those -- I can see this using the "Net" tab of the Firefox extension Firebug, for instance.
If I try to see an image directly, without going through the site (for instance : https://www.scfootball.org/widgets/GulloParkHeader.png ), then, I can see the image.
If you try, make sure you copy-paste the URL to a new tab/window, and not just click on it.
Which means there is some kind of trouble between the website and the access to the images ; not on the images themselves.
If I disable the referer in Firefox (the web developer toolbar extension allows that easily) and refresh your website's webpage, the images appear.
If I re-enable the referer, and refresh again, then the images don't appear anymore.
Which means there is something, related to the referer, that prevents the images from being sent, and returns a 403 error instead.
Just a wild guess : maybe there's a .htaccess in your widgets directory (or somewhere else) that prevents images from being served, if the referer doesn't correspond to a specific domain ?
Considering the images are displayed on the site when I access it without HTTPS (i.e. with a URL such as http://www.scfootball.org/index2.php ), maybe there is a "protection" in place so your images are not displayed if the Referer is not that non-https website... And that "protection" has not been updated when you switched to HTTPS ?
(I've seen that kind of "protection" used to prevent hot-linking of images, for instance)
This is an old post but, it could be hotlink protection too.
If you turn it on an allowed alias for a http:// domain you gotta do it for its https:// too, otherwise it'll deny your images from being called to client.
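The Referer-dependent 403 diagnosed in the answers above can be confirmed on the server side from the access log. This Python script is an added example, not from the thread; it assumes Apache's combined log format, and the log lines, host names and paths are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: ... "GET /path HTTP/1.1" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'"(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg")

def referer_class(referer, own_hosts):
    """Bucket a Referer header as none / own-http / own-https / foreign."""
    if referer in ("", "-"):
        return "none"
    parts = urlsplit(referer)
    if (parts.hostname or "").lower() in own_hosts:
        return "own-" + parts.scheme
    return "foreign"

def hotlink_rule_gaps(log_lines, own_hosts):
    """Image paths served with no or own-http Referer but always 403 for own-https."""
    seen = defaultdict(lambda: defaultdict(set))  # path -> referer class -> statuses
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m or not m["path"].split("?")[0].lower().endswith(IMAGE_EXT):
            continue
        seen[m["path"]][referer_class(m["referer"], own_hosts)].add(int(m["status"]))
    gaps = []
    for path, by_class in sorted(seen.items()):
        served = 200 in by_class["none"] | by_class["own-http"]
        if served and by_class["own-https"] == {403}:
            gaps.append(path)  # rule allows the http origin but not the https one
    return gaps

# Constructed log lines (combined format), not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /widgets/header.png HTTP/1.1" 200 5120 "http://www.example.com/index2.php" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /widgets/header.png HTTP/1.1" 403 199 "https://www.example.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /widgets/header.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /widgets/other.png HTTP/1.1" 403 199 "http://hotlinker.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path in hotlink_rule_gaps(SAMPLE_LOG, {"www.example.com"}):
        print(f"{path}: 403 only when the Referer is the site's own https origin")
```

A path listed here is refused only for the site's own https pages, which points at a Referer allow-list that was never extended to the https origin; the 403 for the foreign Referer is the protection working as intended and is not reported.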
I used Django API to test locally, everything is normal, after deploying SSL, the interface access is normal, but the picture shows 404
Yeah, "not showing up" is a little vague. If the HTML is served by HTTPS and the images are still being served by HTTP, there's a little security leak inherent in the page, which your browser may deal with in one of several, largely ineffectual, ways.
