CLoudflare page rules: force SSL except specified URL pattern? - web

Is it possible to force SSL with Cloudflare except specified URL pattern? for example: example.com/* forced to use SSL, but example.com/iframe use HTTP only, not HTTPS.

If you are using Automatic HTTPS Rewrites within CloudFlare's Crypto section, yes. Create a Page Rule for example.com/iframe* where Automatic HTTPS Rewrites is off. See attached image for the Page Rule setting:
But you might be redirecting with Microsoft IIS or Apache. In that case, you must make the distinction there.

Related

Rewrite rule for targeting http only (no https)

A website that I manage was currently turned via cpanel to redirect at https. Unfortunately a single site/folder/program works only in http and not in https (idk why).
Is there any rewrite rule that will force this site to load in http only?
The whole thing is made like this:
https://example.com --> HTTPS (ok and desired to be in https)
http://example.com/NastyWebApp --> HTTP (doesn't work in https)
What I need, is to force the NastyWebApp to load in http only.
Perhaps not the ideal solution, but a solution that will do the job, via Javascript:
<HTML><HEAD><title>Nasty Web App</title></HEAD>
<body><SCRIPT LANGUAGE="JavaScript">(window.location.replace("http://stackoverflow.com/nastywebapp.php"));

Can Netlify redirect traffic from http to https without forcing SSL

Another question asked quite often by the Netlify community. "Can Netlify redirect traffic from http to https without forcing SSL (TLS)?"
Once you have a certificate in place, you can check a box to force TLS. This will both set a redirect from http to https, and add Strict Transport Security headers to all requests.
The user does not want to force SSL until everything is setup correctly and they know they will not be changing their setup.
November 2018 Update
The accepted answer is no longer true
Currently, as of November 2018 (since July 2018) all new sites on Netlify are HTTPS with force redirect turned on by default and you cannot turn it off.
See the blog post:
All new sites on Netlify are HTTPS by default
and this issue on GitHub:
Issue #158: Disabling forced SSL
Even for old sites, the option to turn off HTTPS or to turn off the redirect to HTTPS is no longer available:
Netlify does allow you to force TLS. It is recommended to not 'force TLS' until you are certain all URL's work with https
Don’t check the ‘force TLS’ option until you are certain that all of your URL’s work with an ‘https://’ in front!
Why?
Once you force TLS using Netlify they will set the STS (Strict-Transport-Security) header in your page response headers. I will not go through the explanation but you can read about it here.
The main thing to know is:
Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS
Note that Netlify's settings (using the force TLS checkbox) are to have the visiting browsers enforce this for 1 year past visit date! So, if you have anything that fails on https, your site is going to have some issues until you are able to fix them.
Wait!
You still want your site to always serve up https pages once you add the certificate, but not have it forced while testing or working through issues.
Solution:
Use the _redirects file at the root of your deployed site (in your "Publish directory, next to index.html) to redirect traffic to https.
Here is an example of the file
_redirects
# redirect netlify sitename to your sitename for SEO purposes,
# to avoid duplicate content. Do this for http and https
https://example.netlify.com/* https://www.example.com/:splat 301!
http://example.netlify.com/* http://www.example.com/:splat 301!
# also redirect http to https for your custom domain.
# Note that netlify automatically redirects to your custom domain from the bare domain (or vice versa), so you only need one rule here.
http://www.example.com/* https://www.example.com/:splat 301!
Or the same redirects using Structured Redirects
netlify.toml
[[redirects]]
from = "https://example.netlify.com/*"
to = "https://www.example.com/:splat"
status = 301
force = true
[[redirects]]
from = "http://example.netlify.com/*"
to = "http://www.example.com/:splat"
status = 301
force = true
[[redirects]]
from = "http://www.example.com/*"
to = "https://www.example.com/:splat"
status = 301
force = true
NOTE:
Netlify already redirects the bare domain to www subdomain (optional)
It's recommended to use www as your custom domain, to take full advantage of Netlify CDN with ANY DNS setup.
redirects the netlify subdomain site to custom domain (optional)
redirects http to https for all paths

How to redirect from http to https with a redirect on IIS

I would like all traffic to my site to use https on IIS.
How do I configure a redirect to do that?
(Note: this will be self answered, as there is no correct answer anywhere on this.)
This blog link supposedly answers this question:
However, no-one so far as been able to get it the answer to work, as you end up with an endless loop of a redirect redirecting to a redirect.
So after working with this and resolving it, here is the correct answer:
Install the Http Redirect Feature if it is not already installed.
Create two sites, not one site. The first site is the insecure site which is bound to http only. Do not bind https on this site.
The second site is your secure site. This is bound to https and your security cert.
On the insecure site, add the http redirect: "Redirect requests to this destination: https://example.com" Select status code of Permanent (301).
Test. Any request to http://example.com will be forwarded to https://example.com.

ignore url mod-rewrite via htaccess

i use Prestashop and force https for all url.
I need to add script with this url:
src="//c.imedia.cz/js/retargeting.js"
i need url keep like this in html.
but htaccess seems change it to
src="https://c.imedia.cz/js/retargeting.js"
which doesn't work then.
i tried to add Rewrite rule to prevent override this url
RewriteRule retargeting\.js$ - [L,NC]
Any solution please?
htaccess does not change the src in your HTML. The browser will replace // with the protocol that is used in the request. i.e. https. It's commonly referred to as protocol relative URL.
More info in this answer about that
So if you don't want it to use https then you should explicitly set it as http. That will however cause mixed content when served over https and modern browsers will probably block it. So if you force https then ALL your resources have to be https as well or it will be blocked and not loaded even using http.
So then you should get a wildcard SSL certificate for your subdomains so that your resources can be served as https as well.

I want to use https in opencart checkout page only, the rest page should have http

I have installed ssl certificate and I want to use https in checkout page only. I have set on the ssl in settings. It's still showing https in all the page.
Please tell me the solution for this.
Thank you!
Opencart by default works with ssl only in checkout pages and when user is logged in, as such the only way for you to have https in all url is to force via .htaccess, the simplest solution if this is the case is to remove the redirection that forces https in .htaccess enable ssl in opencart backend and change the config file site url from http to https, although these are steps you should have taken before, and a simple removal of the right lines in .htaccess should suffice.

Resources