Within a standard "brochure" site I have a subsystem where private data is passed back and forth in a series of pages. The site is done and working now without HTTPS.
Can someone point me to a list of steps that I need to do, to implement HTTPS on the secure part of the site?
The only thing you as a programmer need to do is checking that the user in fact uses HTTPS:
<?php
// Redirect to HTTPS unless the request already arrived on port 443 or with HTTPS set.
// SERVER_PORT is a string, so cast it before a strict comparison against 443.
if ((int) $_SERVER['SERVER_PORT'] !== 443 &&
    (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')) {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit;
}
Then (have your sysadmin) order and install an SSL certificate on the web server.
The web site itself must be configured; this is not related to PHP at this point.
On your local PC I think you use Apache as web server.
So for Apache you need to install a certificate, and Apache needs to listen on the HTTPS port (443 by default).
You can view this link, it can help you: http://www.onlamp.com/pub/a/onlamp/2008/03/04/step-by-step-configuring-ssl-under-apache.html
Also, in all sections of the web site you need to use the https protocol in URLs, not http.
E.g. https://example.com
There is no PHP code change involved. HTTPS means that the communication between the browser and the webserver will be encrypted. The browser is already set up for HTTPS; all you have to do is to configure your web server. Most probably you can do the whole change from your hosting control panel itself.
If you want to force HTTPS, you can use a one line mod_rewrite code
Try this:
<?php
// Client-side redirect to the HTTPS version of the current URL.
// empty() avoids an "undefined index" notice on plain HTTP requests, where HTTPS is not set at all.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    echo '<script type="text/javascript">window.location = "https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . '";</script>';
}
?>
I have a running nginx web server using PHP 7.4 (FPM) using Ubuntu 20.04. The web server runs on port 2080 and 2443, and they are port forwarded on port 2443 LAN 443 WAN.
I have a PHP script that should redirect me to another page of my website, but it redirects me to a page that uses port 2443, which is inaccessible since I need 443. I tried all possible things, but it won't work and it will still redirect me to port 2443.
Note that I cannot use port 443 locally on my nginx server, so that isn't an option.
I have tried:
header('Location: https://domain.tld:443/page');
header('Location: https://domain.tld/page');
header('Location: https://domain.tld./page');
however with no success as it's redirecting me on https://domain.tld:2443/page .
So how do I fix this?
If you use a relative url
header('Location: ./page'); // assuming your cwd is in the root
the server will take care of protocol (HTTP vs HTTPS) and port (it will reuse the one used for the request).
This URL is also relative to your site and retains the protocol and port used in the request.
header('Location: /page');
Fixed. The problem was that it redirected to "page/".
I changed this:
header('Location: https://domain.tld/page');
to this:
header('Location: https://domain.tld/page/');
And now it does no longer redirect to a :2443 port.
I'm trying to get rid of a certificate warning. I have the following code that executes before anything else, and forces the user to the https version of the URL:
// Force the HTTPS version of the current URL, except for requests from localhost.
if ((!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == "") && ($_SERVER['REMOTE_ADDR'] != '127.0.0.1')) {
    $redirect = "https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header("Location: $redirect");
    exit();
}
This redirects to the correct URL, but it seems to leave an SSL warning in its wake:
In the console I get this:
(The page at https://mysite.com/special-offer/ displayed insecure content from http://mysite.com/special-offer/.)
However if I visit the url ($redirect) directly, no SSL warning is given. All resources are being served over https.
This has nothing to do with PHP or redirect. Your web page has references to http resources. When this page is loaded using HTTPS, you get a warning.
Solution: review your web page and change the URLs to either "//www.domainname.com" (i.e. no protocol specifier) or to proper HTTPS addresses if applicable (some servers have different paths for resources accessible via HTTP and via HTTPS).
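The review the answer above recommends can be automated. The following is an added example, not code from the answer or from any project: it lists the http:// resource references that cause the "displayed insecure content" warning on an HTTPS page, and rewrites those pointing at our own host to https://, leaving third-party URLs for manual review. The sample HTML and the host name mysite.com are constructed for this example.

```php
<?php
// Added example: detect and fix mixed content in a page body.
// Sample HTML and host name below are constructed for illustration.

/**
 * Return the http:// URLs referenced by src=, href= and action= attributes.
 * Plain hyperlinks (<a href>) are excluded: only resources the browser loads
 * (or posts to) count as mixed content.
 */
function findInsecureResources(string $html): array
{
    $found = [];
    $pattern = '/<(\w+)\b[^>]*?\b(src|href|action)\s*=\s*(["\'])(http:\/\/[^"\']*)\3/i';
    if (preg_match_all($pattern, $html, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            [, $tag, $attr, , $url] = $m;
            if (strtolower($tag) === 'a' && strtolower($attr) === 'href') {
                continue; // a link is followed on click, not loaded into the page
            }
            $found[] = $url;
        }
    }
    return array_values(array_unique($found));
}

/**
 * Rewrite http:// references to $ownHost as https://. Third-party URLs are
 * left untouched: they may not serve HTTPS and must be checked by hand.
 */
function upgradeOwnResources(string $html, string $ownHost): string
{
    $pattern = '/\bhttp:\/\/' . preg_quote($ownHost, '/') . '(?=[\/"\'\s?#]|$)/i';
    return preg_replace($pattern, 'https://' . $ownHost, $html);
}

// --- constructed sample page ---
$html = <<<'HTML'
<html><head>
<link rel="stylesheet" href="http://mysite.com/css/site.css">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<img src='http://mysite.com/img/logo.png'>
<a href="http://partner.example.org/">partner link</a>
<form action="http://mysite.com/subscribe"></form>
</body></html>
HTML;

print_r(findInsecureResources($html));                 // all four http:// resources
$fixed = upgradeOwnResources($html, 'mysite.com');
print_r(findInsecureResources($fixed));                // only the third-party script remains
```

Run it against the rendered output of a page (for example the body you capture with output buffering) rather than the PHP source, since many of these URLs are assembled at runtime. The third-party script left over in the second listing is exactly the kind of reference that needs a decision rather than a blind rewrite.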
The SSL connection is established before you send the 301 redirect. Because the browser can't trust the redirect, it shows a warning.
Do you know any ways to do that? I want to secure my script to run only in one place. Is it possible?
Possibly the easiest way to do this would be to check a hardware identifier, such as the network card's MAC address, and encrypt the PHP code using something such as IonCube so that someone can't simply edit the PHP and change the MAC address being checked for.
// Only run when served from the local address under the expected host name.
if ($_SERVER['SERVER_ADDR'] == "127.0.0.1" && $_SERVER["HTTP_HOST"] == "mydomain.com") {
    //execute script
}
Unclear question.
If you mean that you want to restrict your script from being accessible to everyone, and only accessible by special users based on their IP, then you can use $_SERVER['REMOTE_ADDR'] to check the user's IP. However, you need to be aware that in cases where your user is behind a proxy you will need to check the X-Forwarded-For HTTP header rather than $_SERVER['REMOTE_ADDR']. A better solution would be to use a firewall on the server by setting iptables rules.
If you mean that you don't want your script to be accessible at all for anyone, then put the code out-side DocumentRoot and run it from CLI.
Please provide more details to have a better answer.
The "noob" option:
if ($_SERVER['SERVER_ADDR'] == "127.0.0.1" && $_SERVER["HTTP_HOST"] == "mydomain.com") {
    //execute script
}
is not very good, because you can do this:
<?php
// Overwrite the values the check relies on before including the protected script.
$_SERVER['SERVER_ADDR'] = '127.0.0.1';  // or whatever IP it is restricted to
$_SERVER['HTTP_HOST'] = 'mydomain.com'; // or whatever host name it is restricted to
// AFTER that, you do the include():
require_once('script_of_programmer.php');
?>
In this context, any script can be executed on any server...
The only option is to use IonCube or Zend Guard.
The problem that I am having has to do with the need to keep some urls of a website protected by HTTPS and the rest kicked to HTTP.
Normally, you have $_SERVER['HTTP_HTTPS'] or $_SERVER['HTTPS'] (depending on your flavor of Apache). You also can check the port - it's 80 for normal traffic and 443 for HTTPS.
My problem is that the certificate sits on the loadbalancer, and all these variables are unavailable, and the webserver sees http://www.foo.com on port 80. One way to fix this is to tell the loadbalancer to send the traffic on a different port, but I wonder if there are other ways to detect HTTPS coming from the load balancer?
If anybody has the same issue behind an Amazon AWS Elastic Load Balancer, the solution is simple because the $_SERVER variable will include:
[HTTP_X_FORWARDED_PORT] => 443
[HTTP_X_FORWARDED_PROTO] => https
So, to get the protocol, you could use:
// Prefer the scheme the load balancer reports; fall back to the local HTTPS flag.
function getRequestProtocol() {
    if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
        return $_SERVER['HTTP_X_FORWARDED_PROTO'];
    } else {
        return !empty($_SERVER['HTTPS']) ? "https" : "http";
    }
}
If the load balancer is the other end of the SSL connection, you cannot get any more info than the load balancer explicitly provides. I would go for adding an HTTP header; it may already be doing that, so dump all the HTTP headers and look.
As another solution, you can do the redirection on the load balancer based on URL.
The $_SERVER['HTTP_X_FORWARDED_PROTO'] seems to be a good solution for Joomla users, because if your load balancer does the redirection and you set the force_ssl setting to 1 or 2, then you will end up in an infinite loop because Joomla always sees http:
I would like to use a secure SSL login on my website! I have not used SSL before, so I am looking for some good reading. Can anyone tell me where I can find some sample code of SSL snippets or page code. (Not too technical)
I do have a static IP
My host is set-up to handle SSL Pages.
Interested in: Basic page code. / Tree structure. / Other
Paul
My first thought would be to simply call a function to redirect to the https: version of the current page when you need to be secure.
Some code like this:
// $requireSSL is a flag the page sets when it must be served over HTTPS.
if ($requireSSL && $_SERVER['SERVER_PORT'] != 443)
{
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit();
}
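Three of the threads above touch the same problem from different sides: the redirect snippets compare SERVER_PORT and HTTPS, the load-balancer thread relies on X-Forwarded-Proto, and the "restrict by IP" answer mentions X-Forwarded-For. The following is an added example that is not code from any of the answers or from any project: it reads scheme and client address from a $_SERVER-shaped array, believes the X-Forwarded-* headers only when REMOTE_ADDR is a known proxy (any client can send those headers itself), and builds the https:// redirect target with the Host header checked against an allow-list. $trustedProxies, $allowedHosts and the two sample requests are constructed for this example.

```php
<?php
// Added example: trustworthy scheme/client detection behind a load balancer,
// plus the HTTPS redirect built on top of it. Addresses and hosts are constructed.

function isTrustedProxy(array $server, array $trustedProxies): bool
{
    return isset($server['REMOTE_ADDR'])
        && in_array($server['REMOTE_ADDR'], $trustedProxies, true);
}

/** Address for IP allow-lists: the hop the trusted proxy appended to
 *  X-Forwarded-For, otherwise REMOTE_ADDR. The header is ignored when the
 *  request did not come through the proxy, since anyone can set it. */
function clientIp(array $server, array $trustedProxies): string
{
    if (isTrustedProxy($server, $trustedProxies) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $ip = end($hops); // last entry is the one our own proxy added
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            return $ip;
        }
    }
    return $server['REMOTE_ADDR'] ?? '';
}

/** "https" or "http". HTTPS may be "on", "1" or (on IIS) "off"; SERVER_PORT is a string. */
function requestScheme(array $server, array $trustedProxies): string
{
    if (isTrustedProxy($server, $trustedProxies) && !empty($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https' ? 'https' : 'http';
    }
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return 'https';
    }
    return (int) ($server['SERVER_PORT'] ?? 0) === 443 ? 'https' : 'http';
}

/** Absolute https:// URL to redirect to, or null when the request is already secure.
 *  HTTP_HOST is client-supplied, so it is checked against $allowedHosts first. */
function httpsRedirectTarget(array $server, array $trustedProxies, array $allowedHosts): ?string
{
    if (requestScheme($server, $trustedProxies) === 'https') {
        return null;
    }
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0];
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    return 'https://' . $host . (($uri !== '' && $uri[0] === '/') ? $uri : '/' . $uri);
}

// --- constructed sample requests ---
$trustedProxies = ['10.0.0.5'];          // the load balancer's internal address
$allowedHosts   = ['www.example.com'];

$viaBalancer = [                          // TLS terminated on the balancer
    'REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7',
    'HTTP_X_FORWARDED_PROTO' => 'https', 'SERVER_PORT' => '80',
    'HTTP_HOST' => 'www.example.com', 'REQUEST_URI' => '/login',
];
$direct = [                               // plain HTTP straight to the web server,
    'REMOTE_ADDR' => '203.0.113.9',       // carrying forwarded headers it set itself
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'https',
    'SERVER_PORT' => '80', 'HTTP_HOST' => 'www.example.com', 'REQUEST_URI' => '/login',
];

foreach (['viaBalancer' => $viaBalancer, 'direct' => $direct] as $name => $req) {
    printf("%-12s client=%s scheme=%s redirect=%s\n", $name,
        clientIp($req, $trustedProxies), requestScheme($req, $trustedProxies),
        httpsRedirectTarget($req, $trustedProxies, $allowedHosts) ?? '(none)');
}

// In production, with the real superglobal:
// if (($target = httpsRedirectTarget($_SERVER, $trustedProxies, $allowedHosts)) !== null) {
//     header('Location: ' . $target, true, 301);
//     exit;
// }
```

The first sample request is recognised as HTTPS from the balancer and its real client address is 198.51.100.7; the second, which only claims to be forwarded, is treated as plain HTTP from 203.0.113.9 and gets redirected. This is also what breaks the Joomla loop mentioned above: the scheme decision is made from the proxy's header, not from the port the web server itself listens on.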
If you've an SSL-enabled host, writing a login is no different from writing one without SSL: all the encryption happens at a lower layer of the protocol stack, so by the time your PHP sees the request, it's already decrypted. Similarly, your script outputs are encrypted by the HTTP server before onward transmission back to the user.
SSL happens before the request ever reaches PHP. The only impact on your PHP would be in the self-facing links you're publishing, which you'd want to switch from http://... to https://... There's a $_SERVER['HTTPS'] variable you could use to trigger this change if you'll be accepting both SSL and non-SSL connections. But if you're moving everything to SSL, you'll want to move all your links once rather than having it check on each request.