Images not showing up with https - php

Suddenly, my images are not showing up on my site when accessing https pages. No change in my code. My host did have to recompile their ftp service with SSL support after my request (so I could ftpes my site). Can't think of anything else that would affect my SSL cert. Same thing happens on FF and IE and on different computers.

If I go to your website ( https://www.scfootball.org/ ), I don't see the images, as you said : I get a 403 (Forbidden) error for each one of those -- I can see this using the "Net" tab of the Firefox extension Firebug, for instance.
If I try to see an image directly, without going through the site (for instance : https://www.scfootball.org/widgets/GulloParkHeader.png ), then, I can see the image.
If you try, make sure you copy-paste the URL to a new tab/window, and not just click on it
Which means there is some kind of trouble between the website and the access to the images ; not on the images themselves.
If I disable the referer in firefox (the web developer toolbar extension allows that easily) and refresh your website's webpage, the images appear.
If I re-enable the referer, and refresh again, then the images don't appear anymore.
Which means there is something, related to the referer, that prevents the images from being sent, and returns a 403 error instead.
Just a wild guess : maybe there's a .htaccess in your widgets directory (or somewhere else) that prevents images from being served, if the referer doesn't correspond to a specific domain ?
Considering the images are displayed on the site when I access it without HTTPS (i.e. with a URL such as http://www.scfootball.org/index2.php ), maybe there is a "protection" in place so your images are not displayed if the Referer is not that non-https website... And that "protection" has not been updated when you switched to HTTPS ?
(I've seen that kind of "protection" used to prevent hot-linking of images, for instance)

This is an old post but, it could be hotlink protection too.
If you turn it on with an allowed alias for a http:// domain, you gotta do the same for its https:// too, otherwise it'll deny your images from being called to client.
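The experiment from the two hotlink-protection answers above, as an added example that is not part of the original posts: the same image is requested with no Referer, an http:// Referer and an https:// Referer, and the three statuses are turned into a conclusion. The two allow-list patterns are assumptions modelled on typical hotlink rules, not the site's real .htaccess.

```python
import re

# Constructed model of a Referer allow-list as used for hotlink protection.
# Both patterns are assumptions for illustration, not the site's real rules.
HTTP_ONLY = re.compile(r"^http://(www\.)?scfootball\.org(/|$)", re.I)
HTTP_AND_HTTPS = re.compile(r"^https?://(www\.)?scfootball\.org(/|$)", re.I)


def image_status(referer, allowed):
    """Status an image request gets under the modelled rule."""
    if not referer:              # direct access or Referer disabled: served
        return 200
    return 200 if allowed.match(referer) else 403


def probe(fetch):
    """Request the same image with three Referer values.

    `fetch(referer)` returns an HTTP status; pass a function that performs a
    real request to check a live site instead of the model.
    """
    return {
        "none": fetch(None),
        "http": fetch("http://www.scfootball.org/index2.php"),
        "https": fetch("https://www.scfootball.org/"),
    }


def diagnose(result):
    """Map the three statuses to a conclusion about the Referer rule."""
    if (result["none"], result["http"], result["https"]) == (200, 200, 403):
        return "referer allow-list lacks the https:// origin"
    if set(result.values()) == {200}:
        return "referer rule accepts both schemes"
    if result["none"] != 200:
        return "not referer-related: image fails without a Referer too"
    return "inconclusive"


before = probe(lambda r: image_status(r, HTTP_ONLY))
after = probe(lambda r: image_status(r, HTTP_AND_HTTPS))
print(before, "->", diagnose(before))
print(after, "->", diagnose(after))
```

The trailing `(/|$)` in the corrected pattern keeps the host match anchored, so a Referer whose host merely begins with the site's name is still refused.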

I used the Django API to test locally, everything is normal, after deploying SSL, the interface access is normal, but the picture shows 404.

Yeah, "not showing up" is a little vague. If the HTML is served by HTTPS and the images are still being served by HTTP, there's a little security leak inherent in the page, which your browser may deal with in one of several, largely ineffectual, ways.

Related

How to maintain an HTTPS connection with PHP Includes

I currently have a website setup on a Secure server.
When I go to my website, the browser will show the HTTPS secure connection symbol at the start of the page load, but then the symbol will be crossed out (google chrome) or disappear (safari) once the page fully loads.
I understand that any files that are not linked to the particular page through an HTTPS path will cause the page to not be considered secure.
I have setup all of my CSS and JavaScript files as being accessed through https://www.example.com/file however I understand that all of my PHP includes must also be accessed through the HTTPS secure path.
When I set my php.ini file to "allow_url_include = on" it still does not permit me to include using a URL path. I additionally have the "allow_url_fopen = on" set as well, but I am still not able to URL include using https://www.example.com.
Can someone explain to me how I can make it work so that every PHP include is included via HTTPS, so that all of my pages will be shown as HTTPS in a user's browser? (this is an ecommerce website, so this factor is important for my users to see).
> I have setup all of my CSS and JavaScript files as being accessed through https://www.example.com/file
Good.
You also need to do that for all your images, and any other resources that get included.
> however I understand that all of my PHP includes must also be accessed through the HTTPS secure path.
In general, PHP includes should be done from the file system and not hit HTTP(S) at all (since that is inefficient).
The browser can't see what PHP does though, so it isn't the cause of your problem.

Strange issue with 404 error pages

I have a website set up that uses a custom 404 error page. This seems to be working on most pages.
In fact, I have two different error pages that I want to show, and now a third that I just found out about.
This page, which does not exist, shows the correct error page that should be shown if a page cannot be found. This shows the error page as configured in my .htaccess file:
http://www.canadiancommuter.com/wontfindthis.php
This error page is generated from my PHP code if someone tries to access an old article that no longer exists in the database:
http://www.canadiancommuter.com/2334054466-some+old+article.html
However, this link, which will also generate a 404 error, shows a different error page (which usually includes advertising):
http://www.canadiancommuter.com/2012062500-TTC+asks+Ministry+of+Labour+to+treat+CNE+like+Rolling+Stones+concert%2FCaribana.html
I know the reason WHY this URL doesn't work. I purposely added characters to it to cause it to return a 404 error. My problem is that I can't figure out WHERE this other 404 error page is coming from.
It's not in my .htaccess file, the error page from my .htaccess file can be seen in the first link above.
It's not in my code. The only error page generated by the code itself can be seen in the second link above.
The only other places it could come from is my domain registrar, and my web host.
The domain is registered through one registrar, but points to my hosting account with another provider. The registrar says that because I'm just pointing the DNS for my domain to the web host the error page wouldn't come from them, but would come from my web host.
My web host says this error page isn't coming from them, but must be in my code.
I've heavily modified all of the code used for this site, so I'm pretty confident that the error page is not coming from there.
Does anyone have any ideas where I should look for this error page?
(Just a note, I'm not certain the registrar or the web host were entirely sure of what they were talking about, so I haven't ruled out either of them as being the source of this page. However, a thorough look through the administrative consoles for both do not reveal anything to this effect.)
Your pages are being served through a proxy running cloudflare-nginx which could be catching some 404 errors because slashes in either / or %2F form cause a different 404 page to be served.
Do you have an .htaccess rule that catches all of the possible 404 errors and not just the ones that match your filename scheme? If not, try setting one up. You could also try to run the site in a local server instance and see if the 404 pages behave as expected.
Edited because I mistakenly took characters produced by Transfer-encoding: chunked to be caused by misconfiguration
If (as you have already determined) your code doesn't generate the error page, then the "mysterious" 404 page comes either from the default webserver configuration (which is presumably controlled by your hosting provider) or indirectly from your DNS service (if your webserver redirects your browser to an unregistered domain, for example, then you may be redirected to a page which invites you to buy it).
The most straightforward way IMO to track this down is by using a browser equipped with machinery for tracking redirects (e.g. Firefox with the Firebug extension installed). If the error pages are indeed coming from your domain (and not a misspelling of it), then that implicates the default webserver configuration (and so presumably your hosting provider).
EDIT:
Re-reading the above I realize that I should clarify: your DNS service can't simply "redirect" you somewhere. If you find that typing a non-existing domain into your browser redirects you to a page with advertising then you can be fairly sure that it's your network connectivity provider that is inspecting your HTTP request, doing a DNS lookup on your behalf behind the scenes, and redirecting you.
This is absolutely from your host provider!!
When %2F is given in url, nginx cannot handle that as an error (this might be a bug!) and it displays your host's default error page, you can see the same error on other websites hosted on the same server as your site:
http://aias-uic.org/not-found.html
http://halfdrawn.com/not-found.html
http://flyingmantis.com/not%2Ffound.html
...
and there are many other websites on the same server as your site! (you can check their IP to be sure)
The last one uses custom error page, so with %2F the mysterious error page is shown!
You can also disable your custom error pages for a while and you will probably get the mysterious error page!

Force SSL Everywhere

I don't really know what is going on or anything, but I want to make my entire site done in Codeigniter, to be SSL encrypted, EVERYWHERE, but the problem is, I have the base_url in the config set to https://www.mysite.com/
But when I load it up, it shows that the page is unsecure (the red crossed out https on chrome)
I made sure all the images on the page, all the included css/js files, are all using the https as well, and I still get that error...

Why Chrome does not trust SSL?

SSL is installed on my VPS correctly. I want to use ssl in some pages of my website. Every form in these pages starts with "https://", too. But browsers don't accept it.
What are the possible reasons?
There may be a number of reasons. Last time I got it on my site was when I was using an iframe with external content and a flash widget loaded via an external javascript. Both were accessed via HTTP and messed my site's trustworthiness.
So. Check all your external content: javascripts, widgets, iframes, images, stylesheets... You may be loading them via HTTP, which in turn may make Chrome claim the SSL certificate has a problem.
I would try checking it via something like this first : http://www.sslshopper.com/ssl-checker.html
You might also try running curl --verbose https://yourlink.com from the console in order to get a detailed printout of where the hiccups are.

cookies causing "unsecure content" warnings on google chrome?

If I visit the home page on my site (which uses code igniter) my homepage is using http.
Code igniter sets a cookie containing all the session info.
If I then click login, which is using https, I get unsecure content warnings, and the only thing I can think of it being is the cookies, as if I restart the browser then go straight to https://mysite.com/login then I get no unsecure content warnings.
How can I fix this (Note that the homepage cannot be https).
This error comes from content being served over http to a page that's supposed to be https. For example, an <img>, <link>, or <script>.
The thing with Codeigniter is that it's very likely you're using base_url() or site_url() for full absolute URLs to the embedded content, probably using http.
Here are some things you can do:
Use relative URL's, i.e. <img src="/path/to/images.jpg">
Don't specify a protocol. Example: //example.com/path/to/image.jpg More on this technique here: http://paulirish.com/2010/the-protocol-relative-url/
In the __construct() of the controller that you need to use https (or in the method that needs it), load a different config file that redefines your base url to use https. Note that it will be too late for any scripts/libraries that use the base url for html output before this config file is loaded.
If you load the page in IE, you should get a very nagging error message that will give you a list of all the content that was delivered insecurely to help you troubleshoot (other browsers should have this feature as well, but in IE it's especially prominent).
EDIT: Saw your note that there is nothing on the page being requested via http, only https, and the note about what happens when no cookies are present. My mistake, I just woke up - I should have read the question more thoroughly :p
You are loading unsecure content (usually images/iframes) on your secure (https) login page.
What this means is that you are referencing a link to a page that is not secure (is not https). This will cause the error, and prompt users whether or not to load such content. It's a problem with the links to external content, not your cookies.
Edit: To (temporarily) fix the issue, find any links/references to external content and disable it for the time being, then visit your page and the prompt/error should go away.
To fix the issue, you'll have to download the content or use a file on your site to securely download the content for that page to use.
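A way to find the offending references that the mixed-content answers above describe, as an added example that is not part of the original posts: it parses a page's HTML, resolves every subresource URL against the page URL, and lists the ones that end up on http. The tag table, the sample markup and the example.net hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource for the page.
FETCHING = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
            "source": "src", "audio": "src", "video": "src", "object": "data"}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> types that load a file


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []          # (tag, resolved URL) pairs fetched over http

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            name = "href" if rels & LINK_RELS else None
        else:
            name = FETCHING.get(tag)  # <a href> is navigation, so not listed
        value = attrs.get(name) if name else None
        if not value:
            return
        # Relative and protocol-relative URLs inherit the page's scheme here.
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.insecure.append((tag, resolved))


def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure


# Constructed sample page; the example.net hosts are placeholders.
SAMPLE = """
<link rel="stylesheet" href="https://www.example.com/site.css">
<img src="/path/to/images.jpg">
<img src="//example.com/path/to/image.jpg">
<script src="http://widgets.example.net/widget.js"></script>
<iframe src="http://frames.example.net/external.html"></iframe>
<a href="http://www.example.com/">home</a>
"""

for tag, url in find_mixed_content("https://www.example.com/login", SAMPLE):
    print(f"insecure <{tag}>: {url}")
```

Scanning the same markup with an http:// page URL shows why relative and protocol-relative references are safe on both versions of a site: they follow whichever scheme the page was loaded with.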
