Website folders do not have full SSL lock - apache

So I am making a new website, Link, but for some reason no folders have the full SSL icon. The top-level index.php file has the lock, but anything inside a folder, try /blog, has partial-ssl. It has the lock, but hides it because of the "Someone can change the look of this page" type error. Please help, as I do not know why this is hapenning. I do use cloudflare, and have set a http://qualexcraft.tk/* page rule to force https.
UPDATE: Now no folders or files have the full lock
For anyone interested, here is my htaccess file:
# Do not remove this line, otherwise mod_rewrite rules will stop working
RewriteBase /
ErrorDocument 404 http://qualexcraft.tk/404
# Redirect www urls to non-www
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.qualexcraft\.tk [NC]
RewriteRule (.*) https://qualexcraft.tk/$1 [R=301,L]
Directory Structure:
index.php
404
index.php
old.php
assets
images
blog
allPosts
index.php
includes
headers
head.html
index.html
layout
footer.html
navbar.html
maps
mdl
[mdl files]

One of the reasons for the bahaviour is the following line in your htaccess file:
ErrorDocument 404 http://qualexcraft.tk/404
When the client requests for the image https://qualexcraft.tk/blog/images/android-desktop.png, a 302 redirection to http://qualexcraft.tk/404 is triggered. This page, in turn, has a permanent redirection set to https://qualexcraft.tk/404.
Now, as I asked in the comment, there is another rule which adds a trailing / in the URLs and redirects it to http://qualexcraft.tk/404/. This, lastly; redirects with the status code 301 to the secure page: https://qualexcraft.tk/404/.
The intermediate redirects to http pages is the root cause of your problem. The same occurs when someone visits the blog link on your website.
The request to https://qualexcraft.tk/blog gets redirected to http://qualexcraft.tk/blog/ and then to https://qualexcraft.tk/blog/.
After your changes to the website, the behaviour is still the same, except that the request is now for https://qualexcraft.tk/favicon.ico.
Try updating your htaccess to the following:
Options -MultiViews
DirectorySlash Off
ErrorDocument 404 https://qualexcraft.tk/404
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+)/?$ $1/index.php [L]
RewriteCond %{HTTP_HOST} ^www\.qualexcraft\.tk [NC]
RewriteRule (.*) https://qualexcraft.tk/$1 [R=301,L]

Add your favicon image to favicon.ico, to images/touch/ms-touch-icon-144x144-precomposed.png and to images/android-desktop.png. That is the only insecure content error that can be seen so once that is fixed you should be okay after clearing your browser cache.
In order to spot mixed content errors in the future, you can go to the console in Chrome (right click > Inspect Element > console) and your insecure content errors will be displayed there.

Related

.htaccess skips mod_rewrite and directs to ErrorDocument 404

I have the following .htaccess which works wonderfully on a few websites of mine. However, I have uploaded it to another website (on the same host, different domain) and it is now defaulting to the error 404 page; which is displaying correctly.
Example URL: https://www.example.ca/resources-and-links/documents/
The .htaccess first checks to see if there is a actual .php file with first sub-directory, in the example resources-and-links.php. If it does exists it will serve up that page and break down the rest of the sub-directories into the query strings provided.
If the resources-and-link.php doesn't exsits, it directs it to the content.php to check it against pages in the database and serve it if the url matches one of that in the database. If it doesn't the content.php page shows a custom error 404 page.
This works on a sub-domain of said website https://sub.example.com which runs the cms system I built but not the root domain and as said before; shows the ErrorDocument instead. As well, I've used this same .htaccess on many of my other websites without a problem.
I used PHP to show that mod_rewrite is available so are there any reasons why it would not work on the root domain? Why is it skipping straight to the ErrorDocument and serving /404.php?
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/([^/]*)
RewriteCond %{DOCUMENT_ROOT}/%1.php -f
RewriteRule ^([^/]*)(/([^/]*))?(/([^/]*))?(/([^/]*))?(/([^/]*)) /$1.php?ax=$3&do=$5&third=$7&fourth=$9 [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([a-zA-Z]*)/(.*)$ /content.php?url=$1/$2 [L]
Options +FollowSymLinks
ErrorDocument 404 /404.php
</IfModule>

htaccess that redirects non-https to https site causing pages that should be 404 to show the homepage instead. How do i fix this?

I have little to no experience with htaccess so this may be incredibly simple to fix. The following is in my htaccess file:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^url.co.uk
RewriteRule ^(.*)$ https://www.url.co.uk/$1 [R=301,L]
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.url.co.uk/$1 [R=301,L]
This is used to 301 redirect anyone accessing my sites old non https address and send them to the https version. It also directs the url.co.uk version to the www.url.co.ukversion.
Since using this, I've noticed that 404 pages no longer show and any time it should, the user is taken to the homepage instead. What needs changed/added to show the 404 page?
Pretty easy in this case, simply add
ErrorDocument 404 /404.html
Change the doc as required

How to setup request proxy using URL rewriting

I have an e-commerce site that resides in:
http://dev.gworks.mobi/
When a customer clicks on the signin link, the browser gets redirected to another domain, in order for authentication:
http://frock.gworks.mobi:8080/openam/XUI/#login/&goto=http%3A%2F%2Fdev.gworks.mobi%3A80%2Fcustomer%2Faccount%2Flogin%2Freferer%2FaHR0cDovL2Rldi5nd29ya3MubW9iaS8%2C%2F
I'm trying to rewrite http://dev.gworks.mobi/* to http://frock.gworks.mobi:8080/openam/*, without redirection.
I've tried this in the .htaccess of the dev.gworks.mobi site:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/openam(.*)$ [NC]
RewriteRule ^(.*)$ http://frock.gworks.mobi:8080/$1 [P,L]
</IfModule>
But when I access http://dev.gworks.mobi/openam, it shows a 404 page not found page.
Can anyone help me to achieve my use case?
Try this:
RewriteEngine on
RewriteBase /
# Make sure it's not an actual file being accessed
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Match the host
RewriteCond %{HTTP_HOST} ^dev\.gworks\.mobi
# Rewrite the request if it starts with "openam"
RewriteRule ^openam(.*)$ http://frock.gworks.mobi:8080/$1 [L,QSA]
This will rewrite all the requests to dev.gworks.mobi/openam to frock.gworks.mobi:8080.
If you want to mask the URI in a way that it's not visible to the visitor that she's visiting the authentication app, you need to add a P flag. Please note that it needs Apache's mod_proxy module in place:
RewriteRule ^openam(.*)$ http://frock.gworks.mobi:8080/$1 [P,L,QSA]
Feel free to drop the L flag, if it's not the last rewrite rule. See RewriteRule Flags for more information.
The 404
If it's all in place and you're still getting a 404 error, make sure that the target URL is not throwing 404 errors in the first place.
Second, check if you're still getting the error with the correct referrer URI set. It might be designed in a way to throw a 404, if the referrer is not correctly set. If that's the case, which I suspect, you need to use the R flag and redirect instead of proxying the request.
Last thing that comes to my mind, some webapps are not built in a way to figure out the URI address. The host, as well as the port number, might be hard-coded somewhere in the config files. Make sure that the authentication app is able to be run from another URL without the need to edit the configs.
Test
You can test the rewriterule online:

Problems redirecting from a 403 using .htaccess (Yourls)

I'm using a php app called Yourls. It's a self-hosted url shortener and it's pretty great, I'm happy with its overall functionality. Due to the nature of its development however there isn't much in the way of support. Let's pretend the base url is af.to, where a shortened url would be af.to/goo that might redirect to whatever url is defined by 'goo'. The problem I'm facing is that if someone goes to af.to, they end up on a 403-Forbidden. I'd rather the client is redirected to a specific url instead. I have already picked up a plugin for Yourls which redirects to a url when a shortlink is not found or mis-typed, but this does not cover the base of af.to
I attempted to put in a 403 redirect in the .htaccess, but that broke the whole yourls script resulting in a 500 server error.
Current .htaccess looks like this:
# BEGIN YOURLS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ /yourls-loader.php [L]
</IfModule>
# END YOURLS
Any help on what I need to do?
Thank you.
The RewriteCond blocks tell the RewriteRule to skip existing files / folders. When you go to http://af.to/, the root folder exists : no redirection. The apache server doesn't find any index.html (or index.php) file, isn't allowed to list the content of the folder, give up and returns a 403 Forbidden.
You can create the index.html file to show some content or you can add these lines to redirect to an other url :
# just after RewriteEngine On
RewriteRule ^/$ http://my-compagny.com/ [L,R=301]

Specify maintenance page in .htaccess without redirecting to error page

I have to make a maintenance page for my website with the .htaccess, I've searched on the internet and could only find snippets/scripts which redirect but I only want that it displays a message on the page itself for people, but not for a specified ip-address. So when I enable the script in the .htaccess it has to show a message on every page/ file(=css, etc.) except for my ip-address
This should work.
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !=123.45.67.89
RewriteCond %{REQUEST_URI} !^/construction.php
RewriteRule ^ /construction.php [L]