SSL Website showing 404 error over non-SSL (HTTP) - ssl

I've set up an SSL site on server 2012 using CCS and SNI. When attempting to navigate to it over a non-SSL link (http), the site throws a 404 error.
How can I get it to show the "This site requires SSL" message?

You need to add HTTP to your bindings in IIS.
Instead of showing "This site requires SSL" you should redirect your user to the equivalent SSL page (e.g. http://twitter.com/about would redirect to https://twitter.com/about).
It is bad for both end-users and SEO to display a message with a message asking the user to change the URL. If you look at different websites on the Web you can notice that this is automatic and doesn't require any action from the user.

Related

Using cloudflare flexible ssl option causes login form to refresh instead of sending request

I am using cloudflare's "flexible ssl" as an intermediary between client and my site.
After setting this up, I went to the browser and tried accessing my site via https:
https://example.com/login
and everything works. I fill in my login info and log in successfully and am not on http://example.com . I manually enter https://example.com/* where * is many other pages and it all works fine.
Now I want to redirect all requests to use the seemingly working https. So i go to my cloudflare account on their website and create a page rule : http://example.com/* to always use https.
Now I go to example.com/login and successfully redirected to https://example.com/login, I fill in my log in information and submit the login form , the page refreshes and I am back to https://example.com/login with an empty login form.
Anyone know what the problem is or how to help troubleshoot?
I am using laravel as a framework for the site and apache as the webserver.
create a page rule : http://example.com/* to always use https
Noted. Be aware that CloudFlare does this by accepting every HTTP request on http://example.com/* and returning a 301 redirect to the equivalent HTTPS request. The browser completes the redirect by sending a GET request to the HTTPS URL.
I fill in my log in information and submit the login form
Check the login form source carefully and check what URL the login form is submitted to. My guess is that the form is submitted to http://example.com/login or something similar. CloudFlare will accept the POST request to http://example.com/login and return a 301 redirect to https://example.com/login -- which your browser will complete as a GET request and hence not sending the login data.
So your best solution is to make sure that your login form POSTs to the correct HTTPS URL not to the HTTP URL.
That's my best guess anyway.
how to help troubleshoot?
Ensure that you are using different log files to distinguish between HTTP and HTTPS requests on your server.
Some other suggestions:
Get a Let's Encrypt SSL certificate and put that on your site so that the communication between CloudFlare and your site is all SSL. https://letsencrypt.org/
Ensure that HSTS is turned on for all of your HTTPS requests so that the browser will know not to send any requests to any HTTP URLs.
Create a development server where you can test all of this working with HTTPS between the browser and the web server without CloudFlare. Once you've got it all working in HTTPS mode without CloudFlare then you can try it with CloudFlare and you should get essentially the same results. Your problem is with the HTTP -> HTTPS switch, not specifically with CloudFlare.

prestashop accessing the my-account link is unavilable

I am trying to access ayushho.com/my-account and getting the error message called "This page is not available". I have just installed a new SSL certificate and certifate checcker confirmed that SSL installation is correct.
Friendly URL set to Yes. and Shop Domain and SSL domain name set to ayushho.com and https://ayushho.com.
Why i am not able to access any other page apart from main page.

404 error with https redirect: how to exclude a browser non-secure connection warning

The web-site has ssl certificate.
Any http page is redirected to the same, but https page (if not https) by .htaccess.
Everything works fine, but 404.shtml gets a security warning "This webpage contains content that will not be delivered using a secure HTTPS connection..." in IE. The same behavior is in any other browser.
How to exclude that error?
404.shtml web-page was created using web-hosting control panel wizard. The file 404.shtml was created automatically.
Most likely the automatically generated file includes links, images or other resources fetched via http. If you can change them to https links, you should avoid the problem. There's afaik no other way to make the browser not warn about this, at least in a cross browser way.

http 403.4 error when using https

I'm getting the http error 403.4 - Forbidden: SSL is required to view the resource error using IIS6, even though the url starts with https.
It's a classic asp site, that used to work until the path to the files was changed. The path had to be changed because the site had to be upgraded. After getting the error; putting back the original path doesn't either.
Does anyone have any idea what I should check to resolve the above mentioned error?
Try following Configuring SSL on a Web Server or Web Site (IIS 6.0) from Microsoft. It specifically mentions the error you get:
If you set your Web site to require
SSL, as in step 6 above, and you have
not completed setting up SSL for the
site, then users browsing your site
will receive this error: "HTTP Error
403.4 - Forbidden: SSL is required to view this resource." To avoid this
condition, either complete all the
steps in the list above, or go back
and clear the Require Secure Channel
(SSL) check box (see step 6).

why no 403;4 error in IIS6 when user connects to SSL-secured site using plain HTTP

I was under the impression that if a user attempted to visit a website that had been secured with an SSL certificate, but did not use HTTPS and instead used plain HTTP in the address box, a 403;4 error would be generated, and that an errormessage something like this would be presented:
"This page must be viewed over a secure channel"
"The page you are trying to access is secured with Secure Sockets Layer (SSL)."
But that's not happening on our website. You can use http://secure.oursite.com or https://secure.oursite.com and both work fine.
The company that issued the SSL certificate says our certificate checks out OK in their certificate checking tool and that it's "chaining properly" and that this is an IIS configuration issue.
Does this SSL over HTTP error checking have to be explicitly enabled?
I was planning on creating a custom error for the 403;4 condition, pointing to a file, which redirects to https://secure.oursite.com. But the error condition is not being trapped by IIS.
EDIT: I've stopped and restarted the server. Not solved.
Thanks
As per this article have you checked the "Require secure channel (SSL)" box in the properties for your site? This is what triggers the error. You can then create the redirect using a custom error page.
a 403;4 error would be generated
That's not what happens in my site. My site automatically redirects to the HTTPS port. It's done free of charge by Tomcat.