External sites link https issue - apache

I have a video website which I recently changed from http to https.
i.e http://example.com to https://www.example.com.
And I have also made an htaccess entry to automatically 301 redirect all http urls to https.
The old video embed code links given to external customer sites are like :
<script scr="http://example.com/embed_script.js"></script>
Some customer websites also changed to http to https. In those https websites the above link with http protocol won't work because of mixed content. I have no control over the customer sites to change those urls to https. Any automatic redirect solution exists for this ?

You can't fix this unless you get them to use https. You could perhaps locally cache a copy as a workaround, but I've never done that.

Related

How to ensure my website loads all resources via https?

URL in question: https://newyorkliquorgiftshop.com/admin/
When you open the above page, you can see in the console that there are lots of error messages saying "...was loaded over HTTPS, but requested an insecure stylesheet.."
This website was working well until all of a sudden this problem shows up. I am not very familiar with https, but I have contacted with Godaddy and the SSL certificate is valid, and there is no obvious problem with "https://newyorkliquorgiftshop.com". And I am stuck here, I've some experiences with HTTPS website before, if the URL of website's homepage is "https", then every resources it loads is via "https" too. I don't know why my website behave differently and I don't know where to start to solve the problem? Any hint is appreciated especially articles about HTTPS that is related to my problem.(I have done a brief research regarding HTTPS but most of the articles I found are about the basic concepts.)
If you have access to the code (not sure what you built the website using), try using https instead of http for the URL's you use to load your style sheets and script files.
For example one of the errors is
Mixed Content: The page at 'https://newyorkliquorgiftshop.com/admin/' was loaded over HTTPS, but requested an insecure script 'http://www.newyorkliquorgiftshop.com/admin/view/javascript/common.js'. This request has been blocked; the content must be served over HTTPS.
You are requesting the .js file using HTTP, try using HTTPS like so:
https://www.newyorkliquorgiftshop.com/admin/view/javascript/common.js

Which URL variations to add in to Analytics and Search Console?

I have a domain example.co.uk on an Apache web server that is secured with a letsencrypt ssl certificate. Currently it redirects all http requests to https. I have also setup redirects from non-www to www, meaning all traffic ends up at https://www.example.co.uk
So I have four variations of the URL that always end up at this location:
http://example.co.uk
https://example.co.uk
http://www.example.co.uk
https://www.example.co.uk
I am trying to set up Google Search Console and Analytics. My question is which URLs do I need to add in to the two? Currently I have all four variations set up in Search Console with a sitemap attached to them all, or do I only need to do this for one? I have told the https www URL to prefer www in search results, which changes it for all four variations.
In Analytics should I only add https://www.example.co.uk as this is where all the traffic ends up, or do I need to add all variations of the URL to see all the traffic?
Short answer: no, unless you are migrating an existing site to https for the first time.
If all requests for your site eventually redirect to https://www.example.co.uk via a permanent 301 status code, then there isn't any benefit to adding all the links in Google Search Console. This feature is useful if you have duplicate content, such as an http site that you can't redirect to your https version for some reason, or if you've just migrated your site to a different domain name or URL scheme. If you're migrating an existing site to https, you can track how many http pages are still indexed while watching your https pages get indexed separately.
Otherwise, if you add all four links, you'll only see pages on the https://www.example.co.uk site get indexed. The Search Console allows you to track your site in the Google index, and if you are using 301 redirects then Google should never index the non-http versions of your site.

What htaccess rule would you use to redirect users already using the secure version of your site to purely secure links without affecting HTTP access?

Basically if somebody is already on an HTTPS page, I don't want them to be capable of being redirected to/accidentally clicking an HTTP one (on the same site at least). It seems to me like you would use the referer as a RewriteCond to accomplish this, except for the fact that it is apparently browser policy not to send referers when going from HTTPS pages to HTTP ones. So if a user loads an HTTP page, how can I detect if they came from an HTTPS one and make sure they are redirected to the secure version of the page they are trying to access?
Unfortunately the software we are using has many hardcoded HTTP links so it is necessary to use some sort of redirection.

Optional SSL in TYPO3

I want to make our TYPO3 v4.5 website accessible by HTTP and HTTPS. I already configured SSL for Apache and requesting the main page displays it... partially.
The baseurl within the page links to my http-site (and is not a https-URL), and therefore the browser won't load the css files, because they come from an unsafe part of my domain.
I believe I could switch my whole site to HTTPS, but don't want it. I would like that when the site is called by HTTP, all URLs are generated as http:// and when called over SSL, all urls should be generated as https:// URLs.
Did anybody achieve something like that?
Use a TypoScript condition to output the base URL dependent on the used protocol:
config.baseURL = http://example.com
[globalString = ENV:HTTPS=on]
config.baseURL = https://example.com
[global]
That's a bit ugly (as both variants will not share caches), but Protocol-relative tags are not possible. The only alternative (to baseURL) is config.absRefPrefix.

In apache, if i go to https://example.com, all images/links are http://. Is there way to auto rewrite the html so it's all https://?

I'm sure i've seen a feature in apache that can rewrite urls so you can point domain2.com at domain1.com and it rewrites everything domain1.com to domain2.com on the fly.
is there a similar thing for https?
In apache, if i go to https://example.com, the page itself is over https, but all images/links are http://. Is there way to auto rewrite the html so its all https://?
(it's running zen cart by the way)
Try this:
Using a protocol-independent absolute
path:
<img src="//domain.com/img/logo.png"/>
If the browser is viewing an page in
SSL through HTTPS, then it'll request
that asset with the https protocol,
otherwise it'll request it with HTTP.
This prevents that awful "This Page
Contains Both Secure and Non-Secure
Items" error message in IE, keeping
all your asset requests within the
same protocol.
Unless you use absolute URLs everyhwere, this should work "automagically". So you only need to check two things:
use relative URLs to point to resources on your own server and
make sure you're not using <base href="http://something">
You can just link to /path/to/page.html instead of http://example.com/path/to/page.html. That way, if it's HTTP it'll stay HTTP, and if it's HTTPS it'll stay HTTPS.
If Zen Cart is adding the domain to all links, though, you'll need to edit the software.
The apache module you referenced is called mod_rewrite, and yes it can handle what you are asking for, although I agree with the above answers that using a protocol independent path is the best solution.