We have an ExpressionEngine site we’re accessing via both http and https. Our users get security warnings from IE when accessing via https because some assets are accessed insecurely (CSS and images referenced there, in this case).
This happens when the setting ‘General Config -> URL to the root directory of your site’ includes the http:// protocol identifier (With that field blank, set just to the site domain [example.com], or set without a protocol [//example.com/], we encounter other problems, so those are not really an option). The problematic URLs are, of course, those generated with {path=} or {stylesheet=} in the templates.
Is there a good way to get all assets delivered via the same protocol as the page?
Thanks,
Scott
It's because EE variables don't detect or utilise https by default, so you have to set them in code. The easiest way is to use an add-on:
http://devot-ee.com/add-ons/https-support
http://devot-ee.com/add-ons/dm-force-ssl
http://devot-ee.com/add-ons/force-ssl (commercial)
(In no particular order) I've not used any of these so can't recommend a specific one as I use my own plugin.
Do you need to include the root URL? Often times I'll set the root URL of a site to just '/'.
Another option would be to manually include those assets (not using path or style helpers).
If a URL is relative it will automatically inherit the current protocol.
You can detect the protocol with PHP and set it dynamically in your system/expressionengine/config/config.php file. I use something like this:
$protocol = (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") ? "https://" : "http://";
$base_url = $protocol . $_SERVER['HTTP_HOST'];
$config['base_url'] = $base_url . "/";
You can build your theme paths, various image paths, upload paths, etc all from that basis in config.php. But $config['site_url'] is what affects the output of {path=""} and {stylesheet} tags.
For more information, see NSM's Config Bootstrap file or the article Configuring ExpressionEngine for multiple servers. For all the paths you can set in config.php, see EE2 Config Overrides
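The snippet in this answer takes the host name from `$_SERVER['HTTP_HOST']`, which is copied from the request's Host header and so is chosen by the client. As an added example (not part of the original answer), here is a variant that accepts only hosts from a fixed list; the host names, the `resolve_base_url` helper and the `TRUST_FORWARDED_PROTO` switch are assumptions made for illustration.

```php
<?php
// Added example: derive the site URL in config.php without trusting the
// client-supplied Host header. Needs PHP 7+. Host names are placeholders.

const ALLOWED_HOSTS = ['example.com', 'www.example.com'];  // assumption
const DEFAULT_HOST  = 'example.com';                       // assumption
// Enable only when a TLS-terminating proxy you control sets this header;
// otherwise a client could set it as well.
const TRUST_FORWARDED_PROTO = false;

function resolve_base_url(array $server): string
{
    // HTTPS is non-empty on TLS requests; some servers report "off" for plain HTTP.
    $https = !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
    if (!$https && TRUST_FORWARDED_PROTO) {
        $https = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
    }

    // Normalise the Host header: lower-case and drop an optional port.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);

    // Anything not on the list falls back to the canonical name, so a forged
    // Host header never ends up in generated links.
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        $host = DEFAULT_HOST;
    }

    return ($https ? 'https://' : 'http://') . $host . '/';
}

// The answer's snippet sets base_url; its text names site_url as the value
// behind {path=} and {stylesheet=}, so both are set here.
$config['base_url'] = resolve_base_url($_SERVER);
$config['site_url'] = $config['base_url'];
```

Sites served on a non-standard port would need the port added back after the allowlist check.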
I want to follow Google's directive in terms of cache headers for images, scripts and styles.
After reading Symfony's documentation about http cache, I decided to install FOSHttpCacheBundle. Then I set up rules for path like ^/Resources/ or ^/css/. I then fail to see the proper headers for my images using Chrome's console.
Alternatively, I have read that, since my server is handling the resource, this is not Symfony that deals with this matter (yet I read in the doc that Symfony Proxy was good for shared-hosting servers, which is what I have).
So should I just add lines to my .htaccess as explained in here, or am I simply misusing FOSHttpCacheBundle? (Or both.)
Static files (including javascript files, CSS stylesheets, images, fonts...) are served directly by the web server. As the PHP module is not even loaded for such files, you must configure the server to set proper HTTP headers. You can do it using a .htaccess file if you use Apache but doing it directly in httpd.conf/apache2.conf/vhost conf (depending on your configuration) will be better from a performance point of view.
If you also want to set HTTP cache headers for dynamic content (HTML generated by Symfony...), then you must use FosHttpCache or any other method provided by Symfony such as the #Cache annotation.
I'm using S3 and CloudFront to store the images, CSS and JS files of my web site - which is not static and is hosted on a proper web server
Since the CSS file changes frequently, I'm using a version number to make sure the user browser reloads it when it changes. When I was hosting the CSS file on my Apache web server, I was using the following redirect rule
RewriteEngine On
# CSS Redirection (whatever.min.5676.css is redirected to whatever.min.css)
RewriteRule ^(.*)\.min\.[0-9]+\.css$ $1.min.css
With this simple rule, http://www.example.com/all.min.15.css redirected to http://www.example.com/all.min.css
How can I reproduce such a rule with Amazon S3 and/or CloudFront ?
i.e. to have http://example.amazonaws.com/mybucket/css/all.min.3.css or http://example.amazonaws.com/mybucket/css/all.min.42.css redirected to http://example.amazonaws.com/mybucket/css/all.min.css
(Note : my S3 bucket is NOT configured as a website but should it be so to enable redirection rules?)
NOTE: this answer does not use any rule. It might not be the proper answer.
I would be using a query parameter to handle different versions, like:
http://example.amazonaws.com/mybucket/css/all.min.css?ver42
http://example.amazonaws.com/mybucket/css/all.min.css?42
http://example.amazonaws.com/mybucket/css/all.min.css?ver=42
http://example.amazonaws.com/mybucket/css/all.min.css?20141014
To be exact, in my dynamic web page, the version parameter is stored in a variable and appended to url (both CSS and JS). While in development I only have to increase/set one variable to force the browser to load a new version. This way, there is no need for rewrite rules, even on Apache.
Caching also works as the Last-Modified and ETag headers are kept intact.
Hope this helps.
I'm having a problem with a client's Magento site that has https enabled on the secure pages.
The website is built heavily around static block content and on the https pages images are pulled from static blocks (over 400 of them) using the media insert in the static block {{media url="media/bla/bla/bob.png"}}; these images are coming through as http://site.com/media/bla/bla/bob.png
It's not realistic, and it wouldn't make any sense to go through and change all these links to direct links.
Any ideas?
Cheers
Roly!
You are supposed to use the {{store url=""}} or the {{secure_base_url}}media/ in your blocks.
If you're not certain that your page will be on HTTPS or HTTP then use the first one; if you know for sure that the request will be HTTPS use the second one. (NOTE: The second is a system config path, not the actual value that you'll put in the CMS block.)
Hope it helps.
Whereas media files are not subject to a fallback, and with the awareness that if the directory level for Magento changes w/r/t the webroot (e.g. http://site.com/ vs. http://site.com/magento/) you can lead with the double-slash network location:
<img src="//media/bla/bob.png" />
Therefore, a search and replace against using the current data in cms_block.content is indicated.
I'll reiterate that this is not appropriate for skin assets due to the fallback.
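Before running a search and replace over cms_block.content, it helps to see how each form of reference resolves on an https page. The following added example (not from the answers above) classifies `src`/`href` values using PHP's `parse_url`; `classify_reference`, `audit_block` and the sample HTML are constructed for illustration, with site.com standing in for the shop's host as in the question.

```php
<?php
// Added example: classify asset references in block HTML by the scheme a
// browser would use for them on an https page. Needs PHP 7+.

function classify_reference(string $ref, string $siteHost): string
{
    $parts  = parse_url($ref) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');

    if ($scheme === 'http') {
        return 'insecure: fixed http scheme';
    }
    if ($scheme !== '') {
        return "fixed scheme: $scheme";
    }
    if ($host !== '') {
        // "//x/y" inherits the page's scheme, and "x" is parsed as the host.
        return $host === $siteHost
            ? 'follows page scheme (protocol-relative)'
            : "follows page scheme, but host is \"$host\"";
    }
    return 'follows page scheme (relative)';
}

function audit_block(string $html, string $siteHost): array
{
    // Collect every quoted src= or href= attribute value.
    preg_match_all('/\b(?:src|href)\s*=\s*(["\'])(.*?)\1/i', $html, $m);
    $report = [];
    foreach ($m[2] as $ref) {
        $report[$ref] = classify_reference($ref, $siteHost);
    }
    return $report;
}

// Constructed sample content built from the paths quoted on this page.
$html = '<img src="http://site.com/media/bla/bla/bob.png" />'
      . '<img src="//media/bla/bob.png" />'
      . '<img src="//site.com/media/bla/bob.png" />'
      . '<img src="/media/bla/bob.png" />';

foreach (audit_block($html, 'site.com') as $ref => $verdict) {
    echo str_pad($ref, 44), $verdict, PHP_EOL;
}
```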
I've received an email from Google saying my site contains phishing contents. When I checked the URL they sent, it was just a URL accessing another hosting account via my domain.
Ex: domain.com/~username
Is there a way to prevent this, either using a .htaccess file or any other method?
To disable the use of the feature you are describing (better known as UserDir) you could specify the following in either your httpd.conf or within your vhost configuration.
There is no way to change this setting from within .htaccess.
UserDir disabled
Read more about it by following the below link:
httpd.apache.org - Per-user web directories - Enable/Disable
httpd.apache.org - Apache Module mod_userdir
I have a server. Let's call it http://A.com
I also have an 'Enjin' forum board. Let's call it http://A.B.com.
The server is useful for many scripts and functional components for the admins. The forum boards are for the community, but I can only add HTML modules to it. No custom scripting.
Currently, I have it set up to redirect the index of http://A.com to http://A.B.com using HTML redirection, and so those who navigate to the root of A.com will be sent to the forums.
I would like to make it so if you navigate to http://A.com, it'll show the contents of http://A.B.com. We once used an iFrame, but that had a detrimental effect on the forums, so currently we just redirect them. I've seen someone using the same system have a URL such as http://C.com/forums/viewforum/212877 showing the contents of http://C.B.com/forums/viewforum/212877
I assume mod_rewrite could be capable of this, but how exactly?
It sounds like you want to set up a reverse proxy wherein a client requests a page from http://A.com/, which retrieves the page from http://A.B.com/ using HTTP, and then returns that content as its own response to the client.
See http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxyvia
"A reverse proxy is activated using the ProxyPass directive or the [P] flag to the RewriteRule directive. It is not necessary to turn ProxyRequests on in order to configure a reverse proxy."
You would need to check what happens regarding links on pages. If http://A.B.com/ uses absolute links then they will be to pages inside http://A.B.com/ . But relative links will still be under http://A.com/ .