.htaccess RewriteCond for https

We have our site set up and would like to have a secure members area (e.g. https://www.abc.com/members/).
Our host provides us an SSL URL to use for free though it isn't very pretty (www1234.sslurl.com/abc/members/).
Is it possible to use https://www1234.sslurl.com/abc/members/ and rewrite the URL to read as https://www.abc.com/members? If so, I'd appreciate some help with the rule to do this.
Note: This is NOT for a shopping cart and we aren't storing credit cards, or social security numbers or anything sensitive like that. We just want to provide users with a secure browser connection when logging in. Is rewriting the URL unethical?
Added details since someone voted to close my question though I'm not sure why. This is a valid question and is tagged appropriately.
================== SOME CODE I'VE BEGUN WORKING WITH==================
RewriteCond %{HTTP_HOST} abc.com
RewriteCond %{REQUEST_URI} !abc/
RewriteRule ^(.*)$ abc/$1 [L]
Does this look right?

Even if there was a way to do this (and I don't believe that Apache supports such a redirect), the browser would likely complain anyway. Typically SSL certificates only work for domain.com and www.domain.com. If you try to access that certificate using a different URL, your browser will give an error about the certificate not being trusted.

Related

Redirect HTTP to HTTPS (Standard Domain) - with New Google Chrome Rules

I have used the following redirect within .htaccess to force HTTPS for a long time with no problem.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
However, it seems that Google Chrome's latest update gives me a security warning.
Your connection is not private Attackers might be trying to steal your
information from ofertaclarocloud.com.co (for example, passwords,
messages or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID Automatically send some system
information and page content to Google to help detect dangerous apps
and sites. Privacy Policy
Does anyone know any way around this?
(Note: I am using a form on the page. It does not, however, have any sensitive information such as passwords, credit card information, etc. Just a simple form with name, phone, and email.)
(Note 2: I have also tried a few other solutions around StackOverflow too, such as this.)
Thanks!
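Added example (not part of either post above): Chrome reports NET::ERR_CERT_COMMON_NAME_INVALID when the requested host name is not among the names in the certificate, and the redirect rule above reuses %{HTTP_HOST}, so every name that reaches the site must be covered. The sketch below applies simplified RFC 6125 matching to constructed subjectAltName lists; the certificate contents and the `members.abc.com` name are assumptions made for illustration.

```python
"""Which host names does a certificate actually cover?

Simplified RFC 6125 matching of a host name against a certificate's
subjectAltName DNS entries. All certificate contents are constructed.
"""


def name_matches(pattern: str, host: str) -> bool:
    """True if one SAN dNSName entry covers `host`."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):          # a wildcard never spans several labels
        return False
    if p[0] == "*":
        # The wildcard must be the whole left-most label and needs at least
        # two fixed labels after it, so "*.com" is refused.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def uncovered_hosts(served_hosts, san_dns_names):
    """Host names a browser would reject for this certificate."""
    return [host for host in served_hosts
            if not any(name_matches(p, host) for p in san_dns_names)]


# Constructed SAN lists for the situations discussed on this page.
SHARED_HOST_CERT = ["www1234.sslurl.com"]      # the host-provided SSL URL
SITE_CERT_WWW_ONLY = ["www.abc.com"]           # issued for the www name only
SITE_CERT_WILDCARD = ["abc.com", "*.abc.com"]

# Every name that reaches the vhost is redirected to https://<same name>.
# members.abc.com is a hypothetical extra alias.
SERVED = ["abc.com", "www.abc.com", "members.abc.com"]

if __name__ == "__main__":
    for label, sans in [("shared host cert", SHARED_HOST_CERT),
                        ("www-only cert", SITE_CERT_WWW_ONLY),
                        ("wildcard cert", SITE_CERT_WILDCARD)]:
        missing = uncovered_hosts(SERVED, sans)
        print(f"{label:17} -> {missing or 'all covered'}")
```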

Best way to restrict a website to a single browser (user agent)?

So I'm in the process of building my own web-application type project. However, I only want the website to be viewable through a web client of mine. I have set the web client's user agent setting to a custom name (MySecretClient) and am now attempting to only allow access from browsers with the user agent, MySecretClient. Everyone else gets redirected.
Is there a better way to go about doing this?
As with so many web technology questions, there is a strict, theoretical answer and a "good enough for what you probably want" answer: The strict answer is: You can't, it doesn't work that way. Since the client can send whatever user agent string it wants to, you have no way of knowing what client is actually behind any given request.
The "good enough" answer that will prevent the vast majority of users from seeing your site with the "wrong" user agent is documented here:
http://www.htaccesstools.com/articles/detect-and-redirect-iphone/
The relevant .htaccess block from the link, which redirects requests from iPhone user agents to an iPhone specific site is:
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} iPhone
RewriteCond %{REQUEST_URI} !^/my-iPhone-site/
RewriteRule .* /my-iPhone-site/ [R]
Which you could modify in your case to redirect users with the wrong client:
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !^MySecretClient$
RewriteRule .* <URL of a tropical island paradise> [R]
There is one other answer to what might be your intention in doing this. If this is part of your application's security strategy, it is a bad idea! This is what's known as "security through obscurity" and is a well-established anti-pattern that should be avoided. Any but the most casual attacker of your software will quickly realize what's going on, figure out what client your application is meant to run on, and spoof it.
<?php
define('MY_USER_AGENT', 'Custom User Agent');
define('REDIRECT_LOCATION', 'http://www.google.com');
if ($_SERVER['HTTP_USER_AGENT'] !== MY_USER_AGENT) {
header('Location: ' . REDIRECT_LOCATION);
die();
}
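Added example (not code from the answers above): the User-Agent gate next to a check that depends on a key rather than on a string the client chooses. The shared key, the `X-Auth-Timestamp` and `X-Auth-Signature` header names and the sample requests are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed values for this example; header names are hypothetical.
SHARED_KEY = b"constructed-demo-key"
MAX_SKEW_SECONDS = 300


def ua_gate(headers):
    """The .htaccess/PHP check above: compares a string the client chooses."""
    return headers.get("User-Agent") == "MySecretClient"


def sign(method, path, timestamp, key=SHARED_KEY):
    """HMAC-SHA256 over the method, path and a timestamp."""
    message = f"{method}\n{path}\n{timestamp}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def token_gate(method, path, headers, now, key=SHARED_KEY):
    """Accept only requests carrying a fresh signature made with the key."""
    try:
        timestamp = int(headers["X-Auth-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False                      # stale or replayed request
    expected = sign(method, path, timestamp, key)
    supplied = headers.get("X-Auth-Signature", "")
    return hmac.compare_digest(expected.encode(), supplied.encode())


def demo(now=1_700_000_000):
    """Run both gates over three constructed requests."""
    genuine = {"User-Agent": "MySecretClient",
               "X-Auth-Timestamp": str(now),
               "X-Auth-Signature": sign("GET", "/app", now)}
    ua_only = {"User-Agent": "MySecretClient"}     # copies the UA string only
    other = {"User-Agent": "Mozilla/5.0"}
    return {name: (ua_gate(h), token_gate("GET", "/app", h, now))
            for name, h in [("genuine", genuine), ("ua_only", ua_only),
                            ("other", other)]}


if __name__ == "__main__":
    for name, (ua_ok, token_ok) in demo().items():
        print(f"{name:8} ua_gate={ua_ok} token_gate={token_ok}")
```

A key shipped inside a distributed client can still be extracted from it, so per-user credentials remain the stronger control.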

Blocking direct access to an URL (not a file)

A Drupal site is pushing international traffic over quota on my (Plesk 10.4) server, and it looks as though much of that (~250,000 visits/month) is direct access to the URL /user/register. We are already using the botcha module to filter out spambot registrations, but that approach is resulting in two full pages being served to each bot. And while Drupal
I'm thinking that a .htaccess rule which returns a 403 response to that URL unless the referer is from the site might be the way to go, but my .htaccess-fu is not strong, and I can only find examples for blocking hot-linking of images.
What do I need to add and where?
Thanks,
Richard
You'd be checking against the HTTP referer. It's not a guaranteed way to block incoming traffic linked from a site other than yours, since the field can be easily forged. But you can try adding this to the htaccess file (above any rules that are already there):
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?your-domain\.com/ [NC]
RewriteRule ^user/register - [L,F]

Redirect unsecure websites to a secured website

The website in question takes users to a password authentication page when they click on the members link. After they have provided the correct password it allows them to click on any page, such as a member's directory page. The issue is: when someone just uses Google or any type of search engine, they are able to get to the directory without being prompted for a password.
I am assuming I need to set up all of the unsecured pages to the secured password authenticated one. Could I get some assistance on how to do this?
Option 1: .htaccess files.
Option 2: put an index file (index.php, index.htm, index.html, etc.) in the directory. If they try to just browse to the directory, they'll get that page instead.
Option 3: If you're using IIS you can set the website so that the directory isn't browsable.
Option 4: You can tinker with the chksum values, but chksum seems to be more of a blanket thing.
There are several ways to go about securing a directory - it depends on your hosting environment and what your expected end-result behavior will be.
You can add redirect code in your .htaccess to redirect your domain from http to https.
A sample code would be like this, but you need to modify it if it does not work properly.
RewriteEngine on
RewriteCond %{HTTP_HOST} ^yourwebsite\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.yourwebsite\.com$
RewriteRule ^(.*)$ "https\:\/\/yourwebsite\.com\/$1" [R=301,L]
Also, in order for your SSL cert to come back clean all external resources / links must come from https or else there will be a small security flag but your SSL will still be active and accepted.
You can google search for additional methods for using .htaccess

ssl exception to display insecure content

I'm forcing SSL on my site using:
RewriteCond %{ENV:HTTPS} !on [NC]
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
but I'm using an ad network that doesn't have SSL enabled.
Is it possible to display that content without the alert of insecure content to the users?
Maybe with an exception?
I don't believe you'll have any luck with that. The ad network needs to provide SSL code. The browser/client tells you that you are displaying insecure content and htaccess won't be able to hide that.
Even Google Adsense does not have SSL support. Internet Explorer is typically the browser that gives the intrusive dialog warning, whereas other browsers show the error in the console. There are ad networks that do offer SSL though.
In Chrome, if the https connection is broken it shows it in the address bar crossed out in red. I personally don't want users to see that and think my site is not secure in certain areas just because of some ads.
I don't encrypt my whole site because I don't feel it's necessary. It seems to be a fad these days but I feel it's overkill and unnecessary most of the time. I only use SSL on important pages such as login pages, account settings or any type of payment area. Otherwise the whole site doesn't need it and will prevent users from seeing the insecure content warning. If your whole site is not one big site of sensitive content, and it probably isn't since it's most likely public, maybe it's not necessary to force https on your entire site. Just a suggestion to get around the warning message.
Updated:
Try this code in regards to your comment.
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} (signup|settings)
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
