I recently just setup my server to run over HTTPS with an SSL certificate. The website is an image host and the developers at ShareX have included my site in their application.
My problem is, all HTTP requests are automatically redirected to HTTPS. The website works a charm, ShareX runs into a problem.
How can I tell nginx to redirect HTTP POST requests to HTTPS, but still make the POST request? Hope that's as informative as it sounds.
You cannot redirect. Either you send a POST request over HTTP or over HTTPS. This is consistent with RFC 7231, Section 4.3.3.
You can do this with a 307 response.
When fired via POSTMAN this will redirect the POST from HTTP to HTTPS.
This is some expressJS code to do this (but you can convert the logic to any language).
Essentially, the logic is:
IF a request comes in that is not over SSL and there is an SSL server running THEN
SET the location response header to the URL you want to redirect to
SEND the response code 307
END IF
This causes POSTMAN to re-post over SSL automatically where the response location header uses the HTTPS protocol. I believe this logic will also work with browsers. There may be security issues doing this however since someone could "sniff" the incoming HTTP request and therefore know what was sent over HTTPS.
USE this approach at your own risk!
let middleware = (req, res, next) => {
if (!req.secure && req.httpsServer) {
let redirectUrl = `https://${req.hostname}:${config.httpsPort}${req.url}`;
res.location(redirectUrl);
return res.sendStatus(307);
}
return next();
};
module.exports = middleware;
Related
I am writing a test JSP-Servlet page that calls an HTTP API. But when I run the call in Chrome browser it is converting the call to HTTPS and the call fails. The API is not mine and the developer of the API insists that the call has to be on HTTP.
So is there a way to allow this API call using HTTP and prevent Chrome from converting it to an HTTPS call?
Note: I checked the Web and all are saying to change the browser settings. But we will not be able to tell each and every user of our site to do so!
Add this Script on top of your JSP File!
<script>
if (location.protocol == "https:") {
location.protocol = "http:";
</script>
Note:
First, location.protocol checks Url
and the second location.protocol will change it to http.
This will redirect your Client. If he visits your website as https: it will redirect him as http:
I am using cloudflare's "flexible ssl" as an intermediary between client and my site.
After setting this up, I went to the browser and tried accessing my site via https:
https://example.com/login
and everything works. I fill in my login info and log in successfully and am not on http://example.com . I manually enter https://example.com/* where * is many other pages and it all works fine.
Now I want to redirect all requests to use the seemingly working https. So i go to my cloudflare account on their website and create a page rule : http://example.com/* to always use https.
Now I go to example.com/login and successfully redirected to https://example.com/login, I fill in my log in information and submit the login form , the page refreshes and I am back to https://example.com/login with an empty login form.
Anyone know what the problem is or how to help troubleshoot?
I am using laravel as a framework for the site and apache as the webserver.
create a page rule : http://example.com/* to always use https
Noted. Be aware that CloudFlare does this by accepting every HTTP request on http://example.com/* and returning a 301 redirect to the equivalent HTTPS request. The browser completes the redirect by sending a GET request to the HTTPS URL.
I fill in my log in information and submit the login form
Check the login form source carefully and check what URL the login form is submitted to. My guess is that the form is submitted to http://example.com/login or something similar. CloudFlare will accept the POST request to http://example.com/login and return a 301 redirect to https://example.com/login -- which your browser will complete as a GET request and hence not sending the login data.
So your best solution is to make sure that your login form POSTs to the correct HTTPS URL not to the HTTP URL.
That's my best guess anyway.
how to help troubleshoot?
Ensure that you are using different log files to distinguish between HTTP and HTTPS requests on your server.
Some other suggestions:
Get a Let's Encrypt SSL certificate and put that on your site so that the communication between CloudFlare and your site is all SSL. https://letsencrypt.org/
Ensure that HSTS is turned on for all of your HTTPS requests so that the browser will know not to send any requests to any HTTP URLs.
Create a development server where you can test all of this working with HTTPS between the browser and the web server without CloudFlare. Once you've got it all working in HTTPS mode without CloudFlare then you can try it with CloudFlare and you should get essentially the same results. Your problem is with the HTTP -> HTTPS switch, not specifically with CloudFlare.
I have an api gateway endpoint and I want to be able to access it from my webpage; the api gateway will response with a string.
I would like to make an ajax request to the endpoint then use the response of that to do my work on the ui.
So in my proxy.conf file, I added:
ProxyPass /proxyme https://API_ENDPOINT
ProxyPassReverse /proxyme https://API_ENDPOINT
When I execute:
$.get("API_ENDPOINT")
I get a 404. Am I missing something to make this proxy work? I'm sure that I restarted my apache when I added the proxy.
Please let me know if additional detail is needed.
Edit:
Does it matter if my site is http and gateway is https?
Edit 2:
My object is to have my frontend js code hit some url:
/proxyme
and it should hit the api endpoint via a proxy:
https://API_ENDPOINT
once the data is received, my js will kick in and do rendering.
HTTP to HTTPS is a big no no and there's no way around it.
Setup HTTPS and a redirect from HTTP to HTTPS. Browsing to just the IP address with or without HTTP and HTTPS works great and redirects perfectly. But while browsing to X.X.X.X:443 the web server is displaying the 400 bad request in raw html. Can I either disable the 400 bad request or be able to redirect those requests to HTTPS? Please help. Thanks!
If such is possible, it would depend on which web server you are using and you didn't specify that. However...
Doing so would actually be a bad idea as it would encourage people to use HTTP (no S) to connect to your secure server. In doing so, they would send their request in plaintext. If the system just returned a "301 Moved Permanently" to the HTTPS url, the second request (with reply) would be protected but you still would have leaked the request to a potential attacker during the first attempt.
We are trying to access a local self-hosted WCF service from the browser.
The WCF service is located at http://localhost/myWcf.
The browser is running a website which is located at https://some.www.com.
We have enabled CORS and added CORS header to the hosted WCF. Access to the WCF service is done using jQuery’s $.ajax call. All browsers are working fine when not using SSL and we’re getting to the “success” callback.
When switching to SSL, IE is the only one that fails to make the request – “Access is denied”. We moved the website to the trusted sites section and basically allowed everything there and still no go. We’re using IE11/10 and we've tried previous versions through its emulator. None of them allows us to make that request.
We can address a picture that located in http from https like this:
<img src="http://asdasd">
but we try to use javascript it fails:
var img = new Image();
img.src="http://asdasd";
What are we missing? Is it really impossible to make a cross domain request from https to http in IE?
Check jsonp:
var script = document.createElement('script');
script.id = 'dynScript';
script.type='text/javascript';
script.src = 'http://localhost/myWcf';
document.getElementsByTagName('head')[0].appendChild(script);
JSONP is a great away to get around cross-domain scripting errors.