Some users reporting site not secure - security

I have a client who just installed an SSL certificate. I added this to the .htaccess file to force users to redirect to https and force them to www:
    # Redirect bare domain to www and HTTPS
    RewriteCond %{HTTP_HOST} !^www\.
    RewriteRule (.*) https://www.twentyteninc.com/$1 [R=301,L]
    # Redirect HTTP to HTTPS
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]
I also addressed all the mixed content warnings. Now, everything redirects to https and I get the beautiful lock symbol in all browsers I test with.
Unfortunately, though, some users are still seeing the "Not Secure" messages:
If I run a Qualys SSL Test, it comes back with an A score:
What could be causing this? Why does everything look secure for me but not for some?

My problem was that the WordPress theme the client is using was pulling the favicon over HTTP instead of HTTPS and for whatever reason, my browser (and all the other browsers I tested with) was simply choosing not to load it at all.
This caused me never to get a mixed content warning.
After staring at the screenshot above for long enough, I noticed that the favicon was loading and that it wasn't for me which tipped me off to go digging through the theme for it.

Related

How to use Drupal's htaccess to redirect from https to http

I have this Drupal project which inherited several domains, so I have:
www.domain1.com
www.domain1.co.uk
www.domain2.com
www.domain3.com
and I want to redirect all these domains to www.newdomain.com. I also want to redirect all requests to https to http, as well as redirect all the domains above without www to www.newdomain.com. I have tried a few things, but they didn't work.
Here's what I've tried:
    RewriteCond %{HTTP_HOST} !^www\.newdomain\.com [NC]
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/?(.*) http://www.newdomain.com/$1 [L,R,NE]
But with the above, all old domains (domain1.com, domain2.com, etc.) get redirected to www.newdomain.com; however, when I hit https://domain1.com, for example (it happens with all domains above using http), it shows a blank page. When I hit https://www.domain1.com, it shows a warning from using a self-signed certificate - meaning it doesn't redirect to http.
I've read on a page somewhere that I should delete these lines from htaccess:
    RewriteRule ^ - [E=protossl]
    RewriteCond %{HTTPS} on
    RewriteRule ^ - [E=protossl:s]
But when I did, even the basic redirect that happens now (for instance, from www.domain1.com to www.newdomain.com) stops working.
What am I missing here?
Thanks in advance

If the https protocol always shows a blank page, maybe there is a distinct folder for it on your FTP ("httpsdocs" or something like that).
Also, you should check your hosting provider's help page for more information about the https protocol and SSL certificate configurations.

Redirecting http://example.com to https://www.dummy.com/ via .htaccess

A client of mine wants to change their domain name, but wants to keep their Google ranking. To do this, they've pointed two domain names to the same IP, but we're having an issue where if you visit the site via the old domain, you get a security certificate warning and the page just loads with the old domain name.
What I'd like to do is detect when someone's coming to the site via the old domain and rewrite it to the new domain. For example, if they were to visit example.com/some-page.htm, it would rewrite to https://www.dummy.com/some-page.htm.
I found this code snippet somewhere that purports to do this, but it just brings the site down:
    RewriteCond %{HTTP_HOST} !^example.com$ [NC]
    RewriteRule ^(.*)$ https://www.dummy.com/$1 [R=301,L]
This is a WordPress site, so I'm using the normal WordPress rewrite rules, and I'm using the HTML5 Boilerplate .htaccess to enable http > https redirects, non-www > www redirects, and force HTTP Strict Transport Security, if any of that makes a difference.

You need to change the condition to:
    RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$ [NC]
    RewriteRule ^ https://www.dummy.com%{REQUEST_URI} [NE,R=301,L]
However, keep in mind that if you visit https://example.com and the certificate is for dummy.com, then the SSL cert warning will still be there, because the SSL handshake happens before mod_rewrite is invoked for redirecting to the new site.

Redirecting old HTTPS site with htaccess

I've searched quite thoroughly and can't find an answer to this...
So basically I have a website set up, www.supersaturated.co.uk all working great with https and the relevant htaccess redirects.
The client has an old website which was secure, www.supersaturated.net. This is now a parked domain on a new hosting account.
The problem I'm having is that the SSL certificate on the new site is only for that .co.uk domain. If someone goes to http://www.supersaturated.net it redirects to the secure .co.uk as it should. But if someone goes to https://www.supersaturated.net it gives the browser warning for an untrusted connection. Is there a way to redirect this or is the browser just seeing the lack of SSL for the .net before even attempting a redirect?
Here is the relevant part of my htaccess file:
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^www\.supersaturated\.co\.uk$
    RewriteRule (.*) https://www.supersaturated.co.uk/$1 [L,R=301]
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Any help is much appreciated.

Yes, it is true that the browser is seeing the lack of SSL for the .net before even attempting a redirect rule. This is due to the fact that cert negotiation between the web server and the browser happens before mod_rewrite is invoked (due to security reasons).
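
The ordering described in this answer and in the answer to the previous question (certificate check first, rewrite rules second) can be used to audit which old entry points will show a warning before any 301 is delivered. This is an added example, not code from either answer; the domains are constructed placeholders, and the name matching is a simplified version of certificate hostname matching (one `*` covering exactly one left-most label).

```python
from urllib.parse import urlsplit


def name_matches(pattern, host):
    """Match one certificate DNS name against a host; '*' covers one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def entry_point_outcome(url, cert_names):
    """What a visitor gets first when following `url` to a server presenting `cert_names`."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return "redirect"            # no TLS: the rewrite rules answer straight away
    if any(name_matches(n, parts.hostname) for n in cert_names):
        return "redirect"            # handshake succeeds, then the rewrite rules run
    return "certificate warning"     # name mismatch is shown before any 301 is seen


def audit(domains, cert_names):
    """Check every scheme/www variant of each domain that old links may point at."""
    report = {}
    for d in domains:
        for scheme in ("http", "https"):
            for host in (d, "www." + d):
                url = f"{scheme}://{host}/"
                report[url] = entry_point_outcome(url, cert_names)
    return report


# Constructed inputs: placeholder domains; first certificate covers the new site only.
NEW_ONLY = ["new.example", "www.new.example"]
BOTH = NEW_ONLY + ["old.example", "www.old.example"]

if __name__ == "__main__":
    for url, outcome in audit(["old.example", "new.example"], NEW_ONLY).items():
        print(f"{url:32} {outcome}")
```

Running the audit with `BOTH` shows every variant reaching the redirect, which is the condition the old domain's certificate has to satisfy for the rewrite rules to be of any use over HTTPS.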

Redirect all but one page to http from https

For reasons of SEO, I would like to redirect all but one of the pages of my website from https to http. Currently, if you visit the https:// version you are presented with my website and the aforementioned prefix is in the address bar. If you visit the http:// version the https:// prefix is absent. Apparently, as a result, Google treats my site as if it were two identical sites. Not good for SEO.
St.Woland's answer here was very helpful in redirecting almost all the pages of my website from https to http. In fact, it worked like a dream until I tried visiting the one page that needed to have the secure connection.
Before trying his fix, were you to visit the secure basket page the whole page was marked as secure. However, with the recommended .htaccess fix in place, all images and css were flagged as insecure and Chrome refused to load them; the page looked a mess.
It seemed like an article on Best Host Ratings had the solution: add further .htaccess files to the images and css folders and all would be well.
Sadly, this then meant that those pages without the https:// prefix did not load the css or the images.
Please see below the code I put in. Firstly, the .htaccess to redirect all but the basket page from https to http:
    RewriteEngine On
    RewriteBase /
    # Turn SSL on for basket
    RewriteCond %{HTTPS} off
    RewriteCond %{SCRIPT_FILENAME} \/basket\.php [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    # Turn SSL off everything but basket
    RewriteCond %{HTTPS} on
    RewriteCond %{SCRIPT_FILENAME} !\/basket\.php [NC]
    RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]
Secondly, the .htaccess I placed in the images directory:
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{REQUEST_URI} images
    RewriteRule ^(.*)$ https://www.domain.com/images/$1 [R,L]
An obvious solution to this situation might be to just redirect the whole site across to the https version. But placed at the base of all pages except the basket page is a script from Google AdWords that places relevant ads across the internet after users have visited my site. This script is flagged as insecure.
Any help with this issue would be most appreciated.
With kind regards,
Mark

https to http redirection when ssl is not installed

We have a site which was https enabled. After a site revamp we have removed the certificate and https://www.foo.com is now http://www.foo.com.
There are many links on other sites, which link to the old https site, over which we have no control. Is there something we can do on our side to redirect these links to the home page at least?
Will url rewriting work in this case?
There were some broken link which we fixed with a custom 404 page and tracking the links.
Does this belong to serverfault?

You're pretty much out of luck - you can do URL rewriting as @Josh says, but before the browser even gets that far, most of them will give the user a big warning message telling them the SSL certificate isn't valid, which will put off most of the visitors.
I'd recommend buying an SSL certificate - they're not so expensive - then doing the rewrite.

using mod_rewrite
    # forces everything to non-secure if secure (http)
    RewriteCond %{SERVER_PORT} =443
    RewriteRule ^(.*)$ http://%{SERVER_NAME}/$1 [R,L]
Josh

The solution for IIS may be ISAPI_Rewrite 3. Here's the .htaccess:
    RewriteBase /
    RewriteCond %{HTTPS} on
    RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]
