
Forcing website access using https



Hi. Intending to force usage of https when accessing my site, I only noticed now, that SSL seems to be installed and work.
Sorry for these "stupid" questions, but I just want to be really sure, that what I intend to do is correct.
1. Certificates and keys have been generated and validated. On the "Manage installed SSL websites" page in C-panel, there
is a button to install the certificates on the server. Do I have to push this button, or is everything as it should be, nothing
to do by me and, when expired, all renews by itself?
2. To force http to https, is adding a rewrite rule to .htaccess the best method?
3. Some older browsers (probably still used by lots of people in some parts of the world) do not support SNI. Does that mean
that these people couldn't any longer access the site, if I do the rewrite? How to solve this issue?

Thanks for answer. And thanks to the HelioHost team for this nice thing called AutoSSL.

 

Link to comment
Share on other sites

Forcing HTTPS will break automatic renewal unless you exclude the .well-known folder. Using htaccess is the most common method, just make sure there's an exception for that folder, as plain http must work for that folder or certs will not renew.

 

Also, forcing HTTPS will break all support for non-SNI capable browsers and OSes, as well as support for devices that do not support TLS 1.2 or newer. If you need to support these devices and browsers, your best (and only) solution is to not force SSL.

 

Our own servers have an "insecure login" button on our site and support for plain HTTP logins for just this reason. Encryption doesn't work everywhere.

Link to comment
Share on other sites

You never sleep, or how do you do to answer so quickly? :)

 

What advice would a pro give me? Most sites on the web automatically go https if you type an address in the browser and they are indexed in Google Search with https urls. Mine are all indexed with http. Would a possibility be, to do no rewrite, but adding a https canonical meta tag for each page? Thus everyone should be able to access the site, autoSSL renewal would be automatic and all those coming from a Google link would use https, as I would prefer (not sure, non-pro, who I am)... Thanks...

Link to comment
Share on other sites

I've never heard of a meta tag for HTTPS, so not sure what if anything that would actually do.

 

This in theory can be made to work even on old devices, but it's not free ($12/yr for a dedicated IP which would eliminate the SNI issue) and also would need Krydos to enable some outdated TLS protocols (1.0 and 1.1) for your domains if he's able to do so (protocols newer than 1.1 are not supported on Windows XP). Is support for dead technology really that important for your site?

 

The only reason I've ever needed to make this sort of thing work was for an API. Old code on old OS needed to talk to Tommy, and I ended up removing the TLS entirely since it was a quick fix. I'm finally down to exactly one device left (from about 80 last year) still leaning on that code and API, so I personally could care less about legacy support on my own apps at this point.

 

Personally, I'd leave that stuff in the dust unless you have good reason to support it, and just put a redirect with a .well-known folder exception.

Link to comment
Share on other sites

Create the file /home/allu62/public_html/.htaccess (Be sure to note the . period at the beginning of .htaccess) and put this code

 

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/.well-known/ [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Link to comment
Share on other sites

There is no real need to make access possible to old OS/browsers, except my conviction, that the Internet should be shared resources accessible and usable by everyone (that's why all my programs will always be free of charge and open source, even though with just 0,50€ per download, I could have a comfortable life with several hot meals a week). On the other hand, I came to the same conclusion as you: OS that do not support TLS 1.2 are not far from 20 years old. And another consideration: the choice to make between increasing browsing security for a huge majority of users or not doing so because of probably very rare users, using these "very old" OS. Thus, it's ok for me to follow your advice. Just two last questions:

 - is there any possibility to detect such not working access and display a personalized message?

 - is it normal, that the .well-known folder is empty?

Thanks a lot for the quick and helpful answers. Support on HelioHost is really great (AAA)!

Link to comment
Share on other sites

- is there any possibility to detect such not working access and display a personalized message?

You could use .htaccess to detect user agents from old operating systems and old browsers and redirect them to an error message page without ssl. Here is some discussion on how to redirect https://stackoverflow.com/a/14057883 and here is a database of all sorts of user agents https://developers.whatismybrowser.com/useragents/explore/

 

- is it normal, that the .well-known folder is empty?

When autossl is done verifying your domain it deletes its temporary test file.

 

Thanks a lot for the quick and helpful answers. Support on HelioHost is really great (AAA)!

Thanks!
Link to comment
Share on other sites

Sorry, that the last 2 questions weren't the last. The error page is for later, redirection works as I want, but not sure if my .htaccess file content is "as it should be" and I would appreciate if someone, who understands more about this stuff than myself, had a look at it. Redirect all http://www.streetinfo.lu and http://streetinfo.lu URIs (except the .well-known folder) to https; redirect https://streetinfo.lu to https://www.streetinfo.lu. The index.php redirects are temporary, just to avoid 404 errors from links, that have not yet been updated, after global changes on the site. Thanks and sorry for bothering you again.

 

RewriteOptions inherit
RewriteEngine on
 
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^streetinfo\.lu$ [OR]
RewriteCond %{HTTP_HOST} ^www\.streetinfo\.lu$
RewriteCond %{REQUEST_URI} !^/.well-known/ [NC]
RewriteRule ^index\.php$ https://www.streetinfo.lu/ [R]
RewriteRule ^computing/lazarus/index\.php$ https://www.streetinfo.lu/computing/lazarus/ [R]
 
RewriteCond %{HTTPS} =on
RewriteCond %{HTTP_HOST} ^streetinfo\.lu$
RewriteRule ^index\.php$ https://www.streetinfo.lu/ [R]
RewriteRule ^computing/lazarus/index\.php$ https://www.streetinfo.lu/computing/lazarus/ [R]
 
Options -Indexes
Link to comment
Share on other sites

Something went wrong, when copy/paste .htaccess content. Here, what's really in:

 

RewriteOptions inherit
RewriteEngine on
 
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^streetinfo\.lu$ [OR]
RewriteCond %{HTTP_HOST} ^www\.streetinfo\.lu$
RewriteCond %{REQUEST_URI} !^/.well-known/ [NC]
RewriteRule ^index\.php$ https://www.streetinfo.lu/ [R]
RewriteRule ^computing/lazarus/index\.php$ https://www.streetinfo.lu/computing/lazarus/ [R]
 
RewriteCond %{HTTPS} =on
RewriteCond %{HTTP_HOST} ^streetinfo\.lu$
RewriteRule ^index\.php$ https://www.streetinfo.lu/ [R]
RewriteRule ^computing/lazarus/index\.php$ https://www.streetinfo.lu/computing/lazarus/ [R]
 
Options -Indexes
Link to comment
Share on other sites

I don't think so. The first condition (with !=on) is for http, the second (with =on) for https. Anyway, redirection works (and I hope it will work with .well-known, too). My question was in fact related to the flags (I do not really understand the explanations given in the Apache manual and using [L], where I now use [R] resulted in a "can't show page, because of too many redirects" error).

Link to comment
Share on other sites

[L] means last, so it processes the lines in order from top to bottom and if a [L]ast line matches, it stops and doesn't process the rest. https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_l

 

[R] means redirect, but you almost always want to use L and R at the same time because if you use [R] by itself it redirects, and then continues processing the rules following the [R] line which can be wonky or cause errors. https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_r

Edited by Krydos
missed a word
Link to comment
Share on other sites

I guess that I'm too stupid to understand that... My actual .htaccess (the one in the file, that I attached to the post) works perfectly. With [R] for the index.php rules, whereas with [L], the page doesn't open because of too many redirects!? Anyway, thanks for your help. I have HTTPS now and that's what finally is important.

Link to comment
Share on other sites
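
A consolidated .htaccess covering the points raised in this thread (the .well-known exception, a plain-HTTP notice for legacy clients, and a single-hop redirect to the https://www. host), as an added example that is not any poster's file. It assumes Apache 2.4 (needed for the [END] flag); /legacy-notice.html and the Windows XP user-agent pattern are hypothetical, and the temporary index.php rules from the thread are left out.

```apache
# Added example. Host name streetinfo.lu is taken from the thread;
# /legacy-notice.html is a hypothetical static page you would create.
RewriteEngine On

# 1. Leave certificate-validation requests alone. They must stay reachable
#    over plain HTTP or automatic renewal fails. "-" means "do not rewrite".
RewriteRule ^\.well-known/ - [L]

# 2. Clients that cannot negotiate modern TLS or SNI cannot follow an HTTPS
#    redirect, so serve them a notice over plain HTTP instead.
#    The pattern is a constructed sample that matches Windows XP user agents.
#    The User-Agent header is client-supplied: treat it as a hint only.
#    [END] stops all further rewrite processing, including the extra pass
#    that per-directory rewrites trigger after an internal rewrite.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_USER_AGENT} "Windows NT 5\.1"
RewriteRule ^ /legacy-notice.html [END]

# 3. Everything else goes to the canonical https://www. origin in one hop.
#    RewriteCond lines apply only to the single RewriteRule that follows
#    them, so both cases (plain HTTP, bare domain) are joined with [OR]
#    in front of one rule rather than shared across several rules.
#    R=301 makes the redirect permanent; L stops processing after it.
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} ^streetinfo\.lu$ [NC]
RewriteRule ^ https://www.streetinfo.lu%{REQUEST_URI} [R=301,L]

Options -Indexes
```

Rule order matters here: the .well-known and legacy-client rules must come before the HTTPS redirect, otherwise the redirect fires first and they are never reached.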
