We have a site which is running under SSL. But we have to show images and videos from some non secured sites. At present we are not able to show these images and videos. These non secured sites are running on the same server on which this secured site is running. Can any one please let us know how to solve this issue.
Regards
Tarunjit Singh
If the non-secure sites are on the same server as the secure then just setup new aliases pointing to that content in the SSL Vhost and modify your references to point to the new SSL versions.
If you want to use SSL on site B with a reference to a non-SSL item on Site A you can't. You'll need to do the above or enable SSL on site A and update your references to that.
Related
I recently bought a domain name at OVH for an app I hosted on Heroku. I then paid for the dynos in order to set an automatic SSL certificate.
Everything seems to me working fine:
Domain Status Last Updated
─────────── ─────────── ────────────
mpjrigot.eu Cert issued 2 minutes
mpjrigot.fr Cert issued 2 minutes
But my URL is still in HTTP. What am I missing?
EDIT
I'm using React.js for this app
I also have a Ruby on Rails back but for nom i'm keeping that on the heroku.app, works fine
2nd EDIT
Using react-https-redirect, force-https or react-ssl-redirect...
Basically, chrome tells me that "this is not a safe space", and that this is a fake https that might want to steal the user's passwords and stuff
So I got an SSL that is set on my HerokuApp,
I got a domain on OVH that points to the IP of the app
But the http isn't secure somehow
I really think I missed something obvious as I'm new to this...
You can add HTTPS to your app with the following methods.
Method1 (Recommended)
Since, you're using rails for the backend, you can configure your rails app to always use HTTPS.
in your production.rb add
config.force_ssl = true
More Info: https://help.heroku.com/J2R1S4T8/can-heroku-force-an-application-to-use-ssl-tls
ActionDispatch SSL: https://api.rubyonrails.org/v6.1.4/classes/ActionDispatch/SSL.html
Method2 (Easy Setup)
You can also signup for cloudflare's free plan and easily setup https redirects with cloudflare's 'Always Use HTTPS' or 'Automatic HTTPS Rewrites' feature.
The 'Always Use HTTPS' feature will redirect all http requests on your site to https address.
The 'Automatic HTTP Rewrites' feature will change the HTTP links on your site to HTTPS links.
More Info here:
Always use HTTPS: https://blog.cloudflare.com/how-to-make-your-site-https-only
Automatic HTTPS: https://www.cloudflare.com/website-optimization/automatic-https-rewrite/
Cloudflare's SSL: https://www.cloudflare.com/ssl/
cloudflare dashboard
What am I missing?
Heroku provides a certificate, so you should be able to access your application using https://. However it does not redirect HTTP requests to HTTPS for you:
Redirects need to be performed at the application level as the Heroku router does not provide this functionality. You should code the redirect logic into your application.
Exactly how you do that depends on the language and libraries or framework that you are using. Several common examples are listed in the link I provided above.
If you edit your question to tell us what technology you have used to build your application I'll be happy to add those details to this answer. In case you are using Scala, please see How to disable HTTP requests on Heroku and/or auto-redirect to HTTPS?
solution
I eventually read about Heroku needing a specific host that takes in the address they tell you to point to when setting a domain name...
So I switched to Gandi for my domain name and set the ALIAS to point to said adress
Works like a charm
I have my DNS settings as shown in the image
DNS Setting along with an additional CNAME with host www and value as my GitHub page. Next I setup a CNAME entry in my GitHub page with an apex entry to my domain. The issue I face is that whenever I visit my domain with an https protocol, it shows a warning that the connection is not secure. I get the following in Chrome:
NET::ERR_CERT_COMMON_NAME_INVALID
How do I fix this? I have both https and http access for my domain.
UPDATE: Github introduced custom domain support for HTTPS on May 1, 2018.
If you are using GoDaddy and want to upgrade to HTTPS, do the following:
Go to DNS settings for your site in your GoDaddy account.
Remove all existing A records.
Open a terminal and do dig +noall +answer <YOUR-USERNAME>.github.io. You should see a table listing 4 slightly different IP addresses:
On GoDaddy, create 4 new A records, each one pointing to one of the IPs. For host use # and set the TTL to a low user-defined value (if you are in a hurry).
Go to your page repository settings on Github, and clear the custom domain name and save. Wait a while (minutes).
When executing dig +noall +answer <YOUR-CUSTOM-DOMAIN> yields the 4 IP addresses that you entered in the A records, go back to the Github repository settings and re-enter and save your custom domain name (which you just cleared) in the custom domain cell.
Optionally, check the box Enforce HTTPS. But make sure that https://<YOUR-DOMAIN>is responsive first.
Make sure you have a CNAME record in your DNS settings also. Host should be www and it should point to your <YOUR-USERNAME>.github.io.
Make sure there is a file in your website repository named CNAME containing the name of your custom domain (in my case ulfaslak.com).
Reference
EDIT: Please see answer below by Arturo Herrero: https://stackoverflow.com/a/50203412/462015
GitHub pages does not support HTTPS for custom domains.
The only work around for doing so is to use an SSL provider as the middle man, such as Cloudflare. However, this would involve pointing your DNS name servers at Cloudflare's, which takes some time and complicates things.
If you want HTTPS support using GitHub pages you'll have to use GitHub's provided URL instead of your custom domain.
Another great option for static sites if you want custom domain name HTTPS is Amazon Web Services. You could set up an S3 bucket for your static website, configure CloudFront to distribute the static content, point your domain name at the CloudFront distribution, and use a free SSL certificate from Amazon's cert manager. This option comes out to less than $1/Month with a low-traffic website. A great in depth tutorial for that would be here.
I hope this answered your question! GitHub pages is a great hosting option, and it's not the end of the world if you decide to forget about HTTPS.
Custom domains on GitHub Pages gain support for HTTPS since May 01, 2018
https://blog.github.com/2018-05-01-github-pages-custom-domains-https/
Is there any way to use HTTPS/SSL on GitHub Pages sites that use a custom domain? SSL is recommended for better search engine ranking and there are a lot of other uses for it beyond that.
Custom domains on GitHub Pages do support HTTPS / SSL:
GitHub Pages has supported custom domains since 2009, and sites on the *.github.io domain have supported HTTPS since 2016. Today, custom domains on GitHub Pages are gaining support for HTTPS as well, meaning over a million GitHub Pages sites will be served over HTTPS.
https://blog.github.com/2018-05-01-github-pages-custom-domains-https/
Go to https://github.com/**username**/**repo**/settings
Check the checkbox "Enforce HTTPS":
Prior to May 1, 2018, SSL was supported by GitHub Pages only on sites using a *.github.io domain: https://help.github.com/articles/securing-your-github-pages-site-with-https/
It's now possible to use HTTPS on GitHub Pages sites with a custom domain
If you are using CNAME or ALIAS records for your custom domain, you’re all set and your site should be accessible over HTTPS.
If you are using A records, you must update your site’s DNS records with new IP addresses. Please see our guide to setting up your custom domain with Pages and update any A records you might have set.
Once you have HTTPS working:
You can optionally “Enforce HTTPS” for your domain in your repository’s settings, ensuring users who request your site over HTTP are upgraded to HTTPS.
You can read the full announcement here: https://blog.github.com/2018-05-01-github-pages-custom-domains-https/
I have been searching the internet for two days and I am stuck. I understand that I can purchase an SSL certificate to make my site work for HTTPS so that it is more secure and all that jazz.
My question is do I have to do anything special on the HTML/PHP pages I create for this site, like some PHP call to open a session, or does the fact that there is an SSL Cert on the server mean I don't have to change anything on the HTML pages?
Sorry if this is a dumb question, but I can't find the answer anywhere.
Its primary the setup of the server, e.g. that you have to make the site accessible by SSL (port etc) and configure the certificates.
But maybe you need to make adjustments to your HTML etc too, so that all resources (images, script, css..) will be loaded by SSL too, e.g. all these includes should be either be done with site-relative links or with explicite https:// links. In case the site gets served with both https and http you might also use protocol-relative links, e.g. //www.example.com/index.html will be served with http if the current protocol is http and with https if you currently use https.
I got a link-sharing website hosted on linux, which allows users to share links. I purchased a digital certificate SSL 123 to host it in a secure https mode. But the problem is it won't reflect in the address bar as a normal https connection, it displays https with an error:
Your connection is encrypted with 128bit encryption...However, this page includes other resources which are not secure.
I enquired with my hosting company, but they say that because of my website, which allows people to share links, The 'THWATE' company can't verify the other links which have been shared in my website, that is why, it is displaying an error. I am confused as to whether continue with SSL or just host it normally, as I don't want my users to feel insecure about their info.
No the links are not checked but everything you embed in the page is. For example images, scripts that are linked using HTTP. The browser will need to download the linked scripts, images, ... and complains that these were retrieved using http.
This is no problem:
Some link
but these are (EDITED):
<img src="http://example.org/picture.png"/>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
Download the scripts using HTTPS
Try to use secure scripts for including the scripts of sharethis.com
Use this script source : https://ws.sharethis.com/button/buttons.js
http://support.sharethis.com/customer/portal/articles/475097-ssl-support