Site is refusing to treat relative URLs as secure - apache

I have a PHP app running on an Apache/RHEL setup. I have the SSL certificate installed and it all checks out okay. I am using the .htaccess file to redirect to 'https://' with this snippet
RewriteCond %{HTTPS} !^on$
RewriteRule (.*) https://example.com/$1 [R,L]
All assets on the site use relative URLs for assets, however some of them are served with 'https://' and some are served with 'http://'.
In Chrome, the stylesheets and javascripts are blocked using a relative URL. If you visit the stylesheet directly (with the https://) it loads just fine and even gives the green company name in the URL bar.
Some of the images return '302 Found' and looking at the request information via the Chrome dev tools I can see the Request Url is 'http://' while further down in the response headers section I see under location 'https://'. It seems to only do this with some images and some it doesn't - I can't find a pattern. If I visit some of the problem images directly they, again, load just fine.
Is that .htaccess redirect interfering with how the assets are served? I've restarted browsers, cleared cache, etc. I'm at a complete loss. I can provide more details about the setup if they are necessary. Thanks in advance.
edit
Just to clarify - this isn't an issue with a single absolute URL in the document giving an insecure content warning. Relative URLs are being accessed by 'http://' despite being a relative URL.

Related

How to redirect 404 errors (and 403) to index.html with a 200 response

I am building a static website that uses JS to parse a URL in order to work out what to display.
I need every URL to actually open index.html where the JS can pull apart the path and act accordingly.
For example http://my.site/action/params will be parsed as an action with some parameters params.
Background, this will be served from AWS S3 via CloudFront using custom error redirection - and this works fine on AWS.
I am, however, trying to build a dev environment under Ubuntu running apache and want to emulate the redirection locally.
I have found a couple of pages that come close, but not quite.
This page shows how to do the redirect to a custom error page on the server housed in a file called "404". As 404 is the actual error response code, the example looks a bit confusing and I am having trouble modifying the example to point to index.html.
The example in the accepted answer suggests:
Redirect 200 /404
ErrorDocument 404 /404
which I have modified to:
Redirect 200 /index.html
ErrorDocument 404 /index.html
However this returns a standard 404 Not Found error page.
If I remove the Redirect line, leaving just the ErrorDocument line, I get the index.html page returned as required, but the https status response is still a 404 code where I need it to be a 200.
If I leave the Redirect line as per the example I actually get the same result as my modified version, so I suspect this is the line that is incorrect, but I can't figure it out.
(I'm using the Chrome Dev Tools console to see the status codes etc).
I think I have found a solution using Rewrite rules instead of error docs.
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.html [L]
The key I was missing in this approach seems to be not including an R=??? status response code at the end of the rewrite rule. It took me a while to find that!
As it uses mod_rewrite rather than defining error pages I assume that the mechanism is different to how CloudFront does it, but for my dev system needs it seems that the result is the same - which means I can work on the site without having to invalidate the CloudFront cache after every code change and upload.

Specify to load index.html file for every request in apache config file

I have a React application hosted on my server and I need to always load index.html file for every request users make.
Let's say that I have a website that has the address xyz.com, and the root directory contains the React build files, including this index.html file. There are many routes that users can specify to access to certain parts of the website, for example to register on the website they can access xyz.com/register. So, what I want to accomplish is instruct server to always serve this index.html every time users access my site, even though they are visiting different routes of the website.
So I'm assuming that this is something that I can set up in the .conf file for the website, and if it is, can you please let me know how I can achieve it?
You can use the below rewrite rule.
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/index.html$
RewriteRule .* /index.html [L,R=302]

Configure apache server to pick up the HTML5 base tag href for angularjs one page app

I read at least a dozen of posts about it, and found something like to setup in my site's root folder (which is www/pg-dev). htaccess file:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^weiadesigner/pg-dev
RewriteRule ^subdir/(.*)$ http://weiadesigner/pg-dev/$1 [L,R=301]
it suppose to (I think), redirect from any attempt to access weiadesigner/pg-dev to http://weiadesigner/pg-dev/$1. However, still nothing happen, I still receive the 404 Not Found issue.
I access the WAMP server through my computer name which is weiadesigner with chrome. /pg-dev is the folder where my site is. I try to tell the Apache to redirect all subdomain access (meaning, if someone access weiadesigner/pg-dev/events in a url bar in a browser) , for example weiadesigner/pg-dev/events, will respond with AngularJS router instead of the 404 Not Found from the Apache server, because I am using the HTML base tag that is setup in the index.php in its with
<base href="/pg-dev/">
<base target="_blank" href="http://weiadesigner/pg-dev/">
I am having a big hard time to find any valid solution on this.

SSL script issue

I am currently using this htaccess code to force all users to use ssl :
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
However my website uses many scripts to load variety of images and i get tons off errors like this one :
Mixed Content: The page at 'https://website.com/' was loaded over HTTPS, but requested an insecure image 'http://website.com/3.jpg'. This content should also be served over HTTPS.
Is there a way of forcing scripts to load https images or i have to edit them manually ?
You would have to edit them manually. Of course, if any of those resources, i. e. other sources than yours, don't have https-alternatives, you will always get errors. With newer versions of some browsers those scripts will actually be blocked, and not loaded at all.
You can edit your script URLs to use the protocol relative format. Modern browsers understand that they should load the script using whatever protocol (https or http) you're using in the calling page.
Example:
Change <script src=”https://ajax.microsoft.com/ajax/jquery/jquery-1.3.2.min.js” type=”text/javascript”></script>
To <script src=”//ajax.microsoft.com/ajax/jquery/jquery-1.3.2.min.js” type=”text/javascript”></script>
Article explaining:
http://blog.httpwatch.com/2010/02/10/using-protocol-relative-urls-to-switch-between-http-and-https/

Rewrite URL .htaccess - Apache server

On my website, I would rename the URL on address bar, from
domain.com/economy/article.php?id=00
to
domain.com/economy/id-name-article.html
I wrote this .htaccess file:
RewriteEngine On
RewriteRule ^([0-9]+)-([^\.]*)\.html$ http://domain.com/economy/article.php?id=$1 [L]
I have an anchor with this href: href="economy/id-name-article.html" and when I click on it, the server is redirected on article.php, it runs the script in the correct way and I can view the article, but on the address bar is still written domain.com/economy/article.php?id=00 instead domain.com/economy/id-name-article.html. Why?
This happens only on my online server, while locally it's all right.
The mod_rewrite module is issuing a redirect to your browser rather than transparently rewriting the url, causing you to see the new url in your browser.
Try removing the http://domain.com portion from your RewriteRule to see if it avoids the redirect to your browser by changing the rule to:
RewriteRule ^([0-9]+)-([^\.]*)\.html$ /economy/article.php?id=$1 [L]
If that fails, you could also use the proxy flag [P] to force apache to transparently fetch the page and return it to your users without the redirect. I don't recommend this approach since it can have security implications but it should work if the above doesn't.
EDIT: To clarify, rewriting the url with a fully-qualified domain rather than a relative uri tells apache that the redirect is on a different server, and therefore it doesn't know that the new url is accessible on the same host without redirecting the client.