I´m forcing ssl in my site using:
RewriteCond %{ENV:HTTPS} !on [NC]
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
but im using an ad newtork that doesn´t have SSL enabled.
it is possible to displat that content without the alert of insecure content to the users?
maybe with an exception?
I don't believe you'll have any luck with that. The ad network needs to provide SSL code. The browser/client tells you that you are displaying insecure content and htaccess won't be able to hide that.
Even Google Adsense does not have SSL support. Internet explorer is typically the browser that gives the intrusive dialog warning versus other browsers show the error in the console. There are ad networks that do offer SSL though.
In Chrome, if the https connection is broken it shows it in the address bar crossed out in red. I personally don't want users to see that and think my site is not secure in certain areas just because of some ads.
I don't encrypt my whole site because I don't feel it's necessary. It seems to be a fad these days but I feel it's overkill and unnecessary most of the time. I only use SSL on important pages such as login pages, account settings or any type of payment area. Otherwise the whole site doesn't need it and will prevent users from seeing the insecure content warning. If you're whole site is not one big site of sensitive content and probably isn't sense it most likely public, maybe it's not necessary to force https on your entire site. Just a suggestion to get around the warning message.
Updated:
Try this code in regards to your comment.
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} (signup|settings)
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
Related
I have a website called
www.example.com
I have a mobile website called
m.example.com
firstly i want to redirect automatically from desktop version to mobile site (if it is mobile only.. i want to detect all mobile versions)
then I want to use an htaccess to automatically redirect the main website URL to the mobile version..
However, there is a link on the mobile version that points back to the main website called
www.example.com/?nm=1 (nm mean nomobile)
i want to set cookie for this one.. (redirect to desktop site from mobile site)
if user come again after passing time ago.. i want to check hv cookie.. (check www.example.com/?nm=1 set cookie earlier) if havent cookie automatically redirect to mobile version... if have cookie want to stay in desktop version.
How can I accomplish this via htaccess without JavaSCript.
This answer solves part of the problem for you. Just like that answer, I am not going to suggest a list with user-agents for you. Find a list that is suitable for you, and put it in the rule. The types of mobile devices, browsers in mobile devices etc is ever-changing, and this answer would be out-dated before I even posted it. You need to adapt that rule a little to prevent it from matching if the cookie "nomobile" is set to "1". You need a rule that sees the "nm=1" in the url and sets the cookie. You probably also want some kind of reset for that oookie, which I labeled "nm=0".
RewriteCond %{QUERY_STRING} nm=1
RewriteRule ^ - [CO=nomobile:1:localhost:10000]
RewriteCond %{QUERY_STRING} nm=0
RewriteRule ^ - [CO=nomobile:0:localhost:10000]
RewriteCond %{HTTP_USER_AGENT} ^(user-agent1|user-agent2|user-agent3|etc)$
RewriteCond %{HTTP_HOST} !^m\.example\.com$
RewriteCond %{HTTP_COOKIE} !nomobile=1
RewriteRule ^(.*)$ http://m.example.com/$1 [R,L]
Please check the documentation for cookies for the correct usage of the CO-flag on your specific site. The code above is not tested, but in theory it should work.
I need to provide a texture URL that will be used in an online game (with a desktop software) and I need to prevent people to open the texture from their browsers and allow the texture to be opened only by that game.
The game is quite similar to Second Life, it uses part of the same engine.
I don't need an anti hacker method, just a way to prevent users that have the URL from open it in browsers.
I know someone that has done it but I don't know how, but I know is possible.
I think I need to check the HTTP header with .htaccess and filter somehow but I've not idea how.
How can I do?
Use a secret QUERY_STRING parameter while making an HTTP request from the desktop software. The htaccess can check this parameter name/value and grant access accordingly. If all your textures were present at /textures your htaccess would look like:
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_URI} ^/textures [NC]
RewriteCond %{QUERY_STRING} !(^|&)password(=|&|$) [NC]
RewriteRule ^ - [F]
If the request URL is beyond your control, you need to look at things like IP Address (in case of a static IP), or software's User-Agent HTTP header that can be used to uniquely identify and grant access to it.
RewriteCond %{HTTP_USER_AGENT} !software_id [NC]
Here, software_id denotes some part of your software's User-Agent. For example, to grant access only to iPhones one would use !iphone [NC] above.
We have our site setup and would like to have a secure members area. (e.g.: https://www.abc.com/members/).
Our host provides us an SSL URL to use for free though it isn't very pretty (www1234.sslurl.com/abc/members/).
Is it possible to use https://www1234.sslurl.com/abc/members/ and rewrite the URL to read as https://www.abc.com/members? If so, I'd appreciate some help with the rule to do this.
Note: This is NOT for a shopping cart and we aren't storing credit cards, or social security numbers or anything sensitive like that. We just want to provide users with a secure browser connection when logging in. Is rewriting the URL unethical?
Added details since someone voted to close my question though I'm not sure why. This is a valid question and is tagged appropriately.
================== SOME CODE I'VE BEGUN WORKING WITH==================
RewriteCond %{HTTP_HOST} abc.com
RewriteCond %{REQUEST_URI} !abc/
RewriteRule ^(.*)$ abc/$1 [L]
Does this look right?
Even if there was a way to do this (and I don't believe that you Apache supports such a redirect), the browser would likely complain anyway. Typically SSL certificates only work for domain.com and www.domain.com. If you try to access that certificate using a different URL, your browser will give an error about the certificate not being trusted.
I have a .htaccess file with the following:
RewriteCond %{REQUEST_URI} !^/mobiledirectoryhere/.*$
RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos|googlebot-mobile" [NC]
RewriteRule ^(.*)$ /mobiledirectoryhere/ [L,R=302]
Everything is fine and works great when viewing form a mobile phone - it detects and goes straight to the subfolder where the mobile site is located. But what I am trying to figure out is how to have a link at the bottom of the mobile site that will allow the user to view a desktop version. And when they're on the desktop version I want them to be able to get back to mobile...
Can anyone help me???
As for the "View Desktop Version" link, that should just be an HTML modification on the mobile site, huh?
In order to keep users on the desktop site after they've selected the option though, you'll need to implement a way to track their client-side preferences, e.g., a cookie. Here's some info about adding a cookie-based condition to your rewrite rule: How to do htaccess redirect based on cookie value
Yes, use a cookie. You can set them with the [CO] flag, and interrogate these through %{HTTP_COOKIE} condition, e.g. add cond to the rule
RewriteCond %{HTTP_COOKIE} !force_desktop
and detect the (un)set URIs to clear/set the cookie.
I wouldn't use cookies since that might not work properly for first-time visitors or users with cookies set to disabled. I would add a pre-defined GET-parameter that forces the site to go to the non-mobile version.
One example: If your domain is www.fancysite.com that could be www.fancysite.com/nomobile. For the "nomobile" URL you define an automatic forwarding in the .htaccess. Use the [L] condition for this rewrite rule so that other conditions are ignored. If the "nomobile" string is not present, your (already working) user agent detection kicks in and the user reaches the mobile site.
See these for some details (especially under "conditions"):
http://www.addedbytes.com/for-beginners/url-rewriting-for-beginners/
http://www.cheatography.com/davechild/cheat-sheets/mod-rewrite/
I have developed a website (A) that needs to connect with another website (B) i.e only members of B can see site A
I can limit the incoming traffic on site A with a .htaccess rule to only come from site B, but anyone would still be able to manually type in the URLs or send a link via email:
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !sitea\.co.uk [NC]
RewriteCond %{HTTP_REFERER} !siteb\.co.uk [NC]
RewriteRule .? - [F]
Is there something I could do with cookies? this does not have to be very secure, just stop casual users viewing site A without first logging into site B.
The cleanest approach here is to have both sites managed by the same MODx install, but use a different context for each site/domain. You can then develop a simple snippet or plugin to allow access to Site A only if the user is logged in on Site B.
Try modifying the following Domain Gateway plugin to do this:
http://rtfm.modx.com/display/revolution20/Using+One+Gateway+Plugin+to+Manage+Multiple+Domains
This is simple to accomplish and even though not necessary here it is also very secure ;)