Our site, www.divestyle.co.uk uses an SSL certificate throughout the site, except when it goes to the online shop which is built in Magento, all on the same hosting. I built the main site which uses the SSL and the wordpress blog but for some reason the shop does not.
http://www.divestyle.co.uk/dive-shop/scuba-diving/regulators.html
You can see that the URL does not have the SSL padlock on.
Any ideas why not? We had some issues with the htaccess with the redirects which we fixed on another question, so I am adding the htaccess file on here too in case we need to add something to it. We obviously want to make sure that changing the URL to https will not affect any of the sales we can receive.
# -- concrete5 urls start --
# -- Force www: #
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
# force https
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://www.divestyle.co.uk/$1 [R,L]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# -- Wordpress #
RewriteRule ^divestyle_blog/index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule divestyle_blog/. divestyle_blog/index.php [L]
# -- /Wordpress #
# --Magento #
RewriteRule ^dive-shop/index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule dive-shop/. dive-shop/index.php [L]
# -- /Magento #
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME}/index.html !-f
RewriteCond %{REQUEST_FILENAME}/index.php !-f
RewriteRule . index.php [L]
</IfModule>
# -- concrete5 urls end --
------- UPDATE -------
I have changed my .htaccess file so the 2nd one matches this, RewriteRule ^(.*)$ but the site is still coming as insecure. See the screenshots. It mentions about the images.
https://www.dropbox.com/s/3w6sfnjn8pgcxg8/Screenshot%202017-12-13%2007.38.04.png?dl=0
https://www.dropbox.com/s/zw8ujcg2wj9arpp/Screenshot%202017-12-13%2007.37.58.png?dl=0
When I asked the developer about the issues, he sent me this, not sure if this helps get to the bottom of this:
The 'httponly' option has been created like this on purpose. There is a type of website attack called XSS.
If someone managed to inject some javascript code onto your site (which on some sites can be via adverts) then they would be able to read the contents of any cookies. If the cookie contained a session id for a logged in user they would be able to read that and send it back out to someone and they would be able to log in as that user without requiring their username and password. A 'httponly' option tells the browser that the cookie should only be sent over http (which includes https in this definition) and not made available to javascript or anything else running within the local browser.”
This is probably guilty because of a bad syntax :
RewriteRule ^/?(.*) https://www.divestyle.co.uk/$1 [R,L]
You should match ^/(.*)$ as on the first rule
Forcing https is like magic. I had to try multiple solutions from the internet, that people claimed to work, and they didn't on my server.
Here is my snippet, that works ;)
# SSL
RewriteCond %{ENV:HTTPS} !=on
RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
Try it instead of your rule under # force https comment.
Related
So my site is going secure. Except one directory (/da) has old Flash content (that I cannot edit) that simply refuses to work under SSL. So, I pieced a few StackOverflow user solutions (THANK YOU!) together, wrote a HTTP --> HTTPS rewrite where I carve out an exception for the /da directory and got that much working just fine.
The only issue is with mobile browsers which play Flash content (such as Puffin and Photon). For some reason, they don't like the rewrite code and continue to open the /da directory under HTTPS... thus the Flash content doesn't work.
I thought that I could just exclude those browsers from the rewrite, but I can't get that piece to work. Please see below and let me know what I'm doing wrong. It's the "Puffin|BonEcho" line which I'm trying to get to work. Am I doing it wrong?
Or is there a better solution? Is there a way to get Puffin and Photon to comply with the HTTP/HTTPS rewrite script?
Thanks!
RewriteEngine On
RewriteCond $1 !\.(gif|jpe?g|png)$ [NC]
# Force HTTPS for anything which isn't /da
RewriteCond %{HTTPS} =on
RewriteCond %{THE_REQUEST} ^[A-Z]+\s/da [NC]
RewriteCond %{HTTP_USER_AGENT} !"Puffin|BonEcho" [NC,OR]
RewriteRule ^(da) http://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]
# Force HTTP for anything which is /da
RewriteCond %{HTTPS} !=on
RewriteCond %{THE_REQUEST} !^[A-Z]+\s/da [NC]
RewriteRule !^da https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]
# Remove index.php from URLs
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1
I am working on a site where I have many short URLs which is redirected to a bigger version of URL. The idea is that the short URLs are distributed offline and users generally remembers them and types in the browser address bar. As example:
http://www.example.com/abc should redirect to http://www.example.com/higher_education/companion/politics/abc.html
Also there are some external links as well. like: http://www.example.com/google will redirect user to https://www.google.com
EDIT -
There is another scenario where http://www.example.com/elementary/def.html will be redirected to http://www.example.com/elementary/xyz.html
However, we now want to achieve this with RewriteMap. The code that we've written for that is as below:
<IfModule rewrite_module>
RewriteEngine on
RewriteMap custommap txt:/var/www/vhosts/example.com/httpdocs/map.txt
#RewriteCond %{REQUEST_URI} !^/index.php$
RewriteRule "^(.*)$" "${custommap:$0}" [R,L,NC]
</IfModule>
The map.txt contains:
abc http://www.example.com/higher_education/companion/politics/abc.html
google https://www.google.com
The problem is .htaccss file contains also some RewriteRule.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/(.*)\.html$ /index.php?sid=$1&ssid=$2 [L,NC,QSA]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)\.html$ /index.php?sid=$1 [L,NC,QSA]
So any request comes with .html will be served by index.php as standard CMS feature. However, now the code goes into redirect loop.
If someone shares some light in order to mitigate this issue then that would be great. The Apache version is 2.2 so I can't use any IF-ELSE in that.
Regards,
Aneek
You should put some restrictions on the rule serving URLs from RewriteMap:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond ${custommap:$0} !^$
RewriteRule ^[^.]+$ ${custommap:$0} [R=301,L,NE]
This will ensure only non-files and non-directories with no DOT in URI will be handled by custommap.
More importantly it will also check existence of a mapping in custommap before redirecting.
Make sure you clear your browser cache before testing this change.
I have a site and I see that there are proxies which are messing up my seo, what I mean it's not that someone connects through proxy, but there are domains that when you go to it's EXACTLY like my site, even if I upload something to my ftp I can access it from the other site. I want to block all access from other domains to my content, blocking IP one by one is too hard, someone is making proxies all the time and they change IP every time. So what I want is that the site can only be accessed if in browser url there is my site name (example.com/mypage not proxy.com/mypage which shows same content except all occurrences of my site names are replaced)
Here is my current htaccess code. I'm using nginx as reverse proxy
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]
RewriteRule ^inc/.*$ index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-l
RewriteCond %{REQUEST_URI} !-l
RewriteCond %{REQUEST_FILENAME} !\.(ico|css|png|jpg|gif|js)$ [NC]
RewriteRule ^(.*)$ index.php [QSA,L]
You can detect bots requests by googling random strings from your site, then follow links, then look into logs. Then block those ips.
You can enable some kind of javascript protection on your site. Detect current address/host then compare to yours. Redirect false to your domain.
Use imagination and patterns.
This question may look like its been asked already and i have seen them all, i've been looking and attempting a lot of answers AND answers that weren't approved. I have successfully made it so that if the user goes to desktop version it will go to the mobile site and even if they go to places such as.
www.domain.com/aboutus
it would take them to
m.domain.com/?page=aboutus
So here is where the problem lies, not that it doesn't work, but I've been trying to remove the $_GET variable from the redirection the "?page=" part.
my .htaccess looks something like...
<IfModule mod_rewrite.c>
RewriteEngine on
# if it is not a file or folder, rewrite to index.php?page=<value>
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?page=$1 [L,QSA]
</IfModule>
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_USER_AGENT} "android|blackberry|googlebot-mobile|iemobile|ipad|iphone|ipod|opera mobile|palmos|webos" [NC]
RewriteRule ^index.php(.*)$ http://m.domain.com/ [QSA,L]
</IfModule>
I've tried adding the request filename with the redirection for mobile but to no avail. There are websites who have achieved it like 9gag by using the in built Google Chrome inspect element, google changes the user agent to devices that are selected (Mobile Phones) and I've used that to test how the redirection goes. so if i write 9gag.com/hot - it would take me to m.9gag.com/hot not m.9gag.com/?page=hot or wherever.
Thanks in advance, I've really been bothered by this.
You need to check the mobile redirect first, and you need to include the request URI.
<IfModule mod_rewrite.c>
RewriteEngine on
# Redirect mobile requests to the mobile site
# (but don't redirect when accessing certain directories)
RewriteCond %{REQUEST_URI} !^/images [NC]
RewriteCond %{HTTP_USER_AGENT} "android|blackberry|googlebot-mobile|iemobile|ipad|iphone|ipod|opera mobile|palmos|webos" [NC]
RewriteRule ^(.*)$ http://m.domain.com/$1 [R=302,L]
# If it is not a file or folder, rewrite to index.php?page=<value>
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?page=$1 [L,QSA]
</IfModule>
You can make the redirect permanent by changing 302 to 301.
I have the following in my .htaccess - the clean url's declaration and the https redirect both work fine individually but put together are causing the continuous redirect error (this server is redirecting in a way which will never complete).
Here is my .htacess:
RewriteEngine on
# if a directory or a file exists, use it directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# otherwise forward it to index.php
RewriteRule . index.php
# force to use https
#RewriteCond %{HTTPS} !=on
#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Any idea how i can resolve this?
Thank you
Hope I am not late as I stumbled through your same problem and figured out the conflict just a day ago.
Write the following in your .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php
The first rule will automatically redirect any HTTP requests to HTTPS and (through the crucial [L] tag) stop other substitutions which will mess up the page (specifically, images and CSS stylesheets would not be served).
The second one is the Yii suggested way to check whether a particular URL corresponds to a real file or directory and, if not, to forward the request to index.php (the bootstrap file for the Web application). (The rules in the application's configuration file should do the rest, then).