HTTP access was forced to visit HTTPS - apache

I have a few web sites that are hosted in a VPS.
Today, I found that when visiting "http://api.rsywx.com", it forces me to visit "https://api.rsywx.com", and then redirects me to "https://rsywx.net" (which is SSL enabled).
I checked my virtual host files, and did not find anything forcing this redirect.
Can anyone point me in some direction on how this can happen?

Redirects can be done in different ways and at different levels. The most elegant ways, in descending order (my opinion):
1) Apache conf (mostly in /etc/apache2/apache2.conf)
2) .htaccess file
3) In the index.php or the backend script/code in use
(It could even be done in the frontend with JavaScript files, but for that the page must be loaded first and is then redirected, so it is nothing somebody should use.)

Problem solved. I added one line in my Silex application's entry index.php to require HTTPS access, which is meant to be locally tested only.
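The three layers named in the answer above (Apache configuration, .htaccess, application entry script) can be searched in one pass. This is an added example, not code from the original posts: the directory layout, the host name and the choice of `requireHttps()` as the Silex line are assumptions, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

APACHE = [
    re.compile(r"^Redirect(Match|Permanent|Temp)?\s", re.I),
    re.compile(r"^RewriteRule\s.*\[[^\]]*\bR(=\d+)?\b[^\]]*\]$", re.I),
]
PHP = [
    re.compile(r"header\s*\(\s*['\"]Location:", re.I),
    re.compile(r"->\s*requireHttps\s*\("),  # assumption: the Silex line in question
]

def patterns_for(path):
    # Apache layer: server/vhost config and per-directory .htaccess files.
    if path.name == ".htaccess" or path.suffix == ".conf":
        return "apache", APACHE
    return ("php", PHP) if path.suffix == ".php" else (None, [])

def find_redirect_sources(root):
    """Return sorted (layer, relative path, line number, text) hits under root."""
    hits = []
    for path in Path(root).rglob("*"):
        layer, patterns = patterns_for(path)
        if layer is None or not path.is_file():
            continue
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for no, line in enumerate(lines, 1):
            text = line.strip()
            if text.startswith(("#", "//")):
                continue  # commented-out directive or statement
            if any(p.search(text) for p in patterns):
                hits.append((layer, path.relative_to(root).as_posix(), no, text))
    return sorted(hits)

# Constructed sample: clean vhost, front-controller .htaccess, PHP entry point.
SAMPLE = {
    "apache2/sites-enabled/api.conf": "<VirtualHost *:80>\n  ServerName api.example.test\n  DocumentRoot /var/www/api\n</VirtualHost>\n",
    "www/api/.htaccess": "RewriteEngine On\n# RewriteRule ^ https://example.test/ [R=301,L]\nRewriteRule ^ index.php [QSA,L]\n",
    "www/api/index.php": "<?php\n$app = new Silex\\Application();\n$app['controllers']->requireHttps();\n$app->run();\n",
}

def scan_sample():
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return find_redirect_sources(root)
```

On the sample tree the only hit is in the PHP entry point, which matches the situation in the thread: the virtual host files were clean and the redirect came from application code.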

Related

HTACCESS ignores images

I have the following very simple htaccess file:
RewriteEngine On
RewriteRule a.jpg b.jpg
RewriteRule c.php d.php
All four resources are in the root folder.
The PHP rule works as expected, however, the JPG rule is just ignored as if it were not there. The image a.jpg continues to display.
I am completely clueless on why that would happen.
The only explanation I could think of is that Apache is somehow configured not to INVOKE htaccess at all if the requested resource is an image. Is that even possible?
I found out the reason and I am posting my answer in case anyone faces the same issue.
It appears that both Nginx and Apache are configured on the server. Nginx is internet facing and Apache is internal.
It appears that the web hosting company has done so to benefit from Nginx's better performance and to provide compatibility to anyone coming from an Apache environment at the same time.
When Nginx receives a PHP request from the internet it allows the request to pass through and reach Apache but when the resource is a static resource (image, css, js) Nginx delivers the resource itself for optimum performance.
The htaccess image rule above is not processed because the request is not even reaching Apache.
I temporarily solved the problem by not allowing Nginx to handle the images itself and allowing them to proceed to Apache.
The better solution of course is to remove htaccess dependency and handle everything within Nginx configuration file, which I will be doing soon.
The best solution of course is to remove Apache completely but it is a shared server and I don't have full control.

Correct Apache Configuration And Htaccess

I've just reset my Ubuntu 14.04 LAMP server hosted with DigitalOcean. Could someone tell me the 'proper' way to do server configuration? My goal is to do everything as clean as possible (and hopefully well structured).
I intend on using the server mainly for programming and data analytics, however I do plan on hosting my website in /var/www/html. I also plan on using letsencrypt/certbot to get an easy SSL. With this in mind, these are the main goals I would like to accomplish:
1) Redirect the website to ALWAYS be served through https AND www.
2) Enable HSTS for the entire website.
3) Enable clean URLs (remove .php extensions and what not).
Since I would like all of these properties to be used across the entire website, should the configuration be done inside of the /etc/apache2/ folder? Or should it be done inside of .htaccess?
And if it should be done inside of apache2 configuration, which file should I add it to? And finally, how exactly should it be added? (for example vhost 80/443, inside of a mod_something section, etc).
Thank you in advance, I would appreciate and consider any advice about Apache and htaccess!

Using apache for dns blocking page and removing all jargon in URL

I have a little DNS Spoofing / Blocking system I set up for work. It simply uses a blacklist to spoof the DNS records and simply points them to a BLOCK / DENY page.
If I go to the URL directly, for instance http://www.redtube.com, the system works as expected and displays my index.html and what it should.
The problem arises if I go to http://www.redtube.com/video?/43 or anything other than the full domain: I get a not found.
I need to configure Apache so that it drops all the junk after the TLD and simply displays my page such as http://blocked.project.com
Another way to look at it would be to say redirect to index.html if the url entered is not known to the webserver.
Any help greatly appreciated.
Used an apache FallbackResource to achieve exactly what I was after. Had to make sure my image paths on the website were absolute but works a treat.
http://httpd.apache.org/docs/2.2/mod/mod_dir.html#fallbackresource

Is there an Apache/Plesk server setting that governs https:// behavior?

Context:
I've recently moved a site to a new host, and moved the SSL certificate from the old host to the new one. The code, written in PHP, is a big mess made by someone no longer available many years ago. Because of this, I'm hoping to figure out something related to the configuration of the server that can fix the issue so I don't have to reverse-engineer the rather messy code.
Problem:
When users navigate to an area of the site that uses https://, all goes according to plan. The problem, however, arises when they click a link in the navigation that is normally to an http:// part of the site. On hover, you can see that the target URL incorrectly includes "https://". When the user tries to go to a non-secure area with https:// in front, either by clicking one of those altered links or by typing it into the location bar of the browser, they are redirected to the directory without any domain. For example, if you try to go to "https://domain.org/site/", the browser is redirected to only "/site", which of course cannot be found.
Theoretical solutions:
Is there a setting in Plesk which governs the "stickiness" of https? One way to fix the problem is to stop the non-secure links from acquiring https://.
Is there an obvious reason why whatever script or file the site is using to redirect would break when an un-secure area is accessed via https://? Is there a server setting that would have made this function differently on the new server via the old server?
I don't have access to see what exactly the configuration of the old server was. Is it likely that this could be caused by a difference in PHP version? If so, any suspicions about what the problem would be?
Is there some workaround with .htaccess that can manually redirect all but certain secure areas of the site to http:// when they are accessed via https://, presumably before the site's redirect script is activated?
Thank you for any help!!
Yes, since Plesk 17 (Onyx):
For older versions you can create .htaccess files which will rewrite requests from https pages to http, based on referrer:
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^https://domain.org [NC]
RewriteRule ^(.*)$ http://domain.org/$1 [L,R=301]

Apache / htaccess rewrite - From domain to subdomain

I'm trying to find out how to edit my htaccess to push all requests for files in:
http://www.domain.com/images
to head off to:
http://cdn.domain.com/images
The reasoning being I'd like to parallelise HTTP requests over a number of domains/subdomains to speed up page load. Is this possible through Apache scripting, or will I have to go and edit all the links?
Also, if there is a scripting solution, will it still give the end user the benefit of serving files from multiple domains?
Thanks,
Hugh
That would be more taxing than editing the links. The browser would have to make 2 HTTP requests for each image. Your main server would still have to serve the redirection. Then, the browser would make a second request to the actual image.
My judgment: edit your links.
Is there any reason you can't make cdn.domain.com be a cname for www.domain.com? If not, do this through bind, not apache.