https rewrite or redirect in a shared hosting environment - apache

My web host is hostgator.com with Apache, cPanel, etc.
A spammer somewhere has set links to my site somewhere, using https in the URL. I don't have an SSL certificate and would expect these links to resolve to the error 404 page.
However the links cause Firefox to say my domains are attack sites, due to their hookup with Google safe browsing.
Hostgator support is slow and clueless. Links are in the following format.
https://mydomainname.com/
https://mydomainname.com/digital-photography-forum-uk/
https://mydomainname.com/fastibl/
https://mydomainname.com/search-engine-marketing/
https://mydomainname.com/search-engine-optimisation/
https://mydomainname.com/website-programming-discussion/
I've edited .htaccess a dozen times, using online examples of redirecting https to http and nothing (yet) works.

Just try these configuration directives in your .htaccess file:
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{HTTPS} on
RewriteRule ^(.*)$ http://mydomainname.com/$1 [R=301,L]
But please considered the [R=301] flag with this link: https://stackoverflow.com/a/15999177/2007055
Or try to use a robots.txt file if it can block or remove the pages in HTTPS on search engines. And if any of those solutions did not work, then you've better purchase an SSL certificate to solve your problem.

Related

Where to handle the redirection from HTTP to HTTPs?

I have a heroku application with a domain from godaddy.
My site is built with node and express.
My website is www.juanitacalendar.de and I want it to always redirect to HTTPS (no matter if the users types the www or not).
Should I handle this within Heroku? Within node/express? In my index.html?
I've read in another answer that I'm suppose to use this code that has to do with apache. I am clueless on where to put this piece of code though.
RewriteEngine On
RewriteCond %{HTTPS} !^on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
There are many ways you could achieve this.
In your situation, it looks like you can get Node/Express.js to redirect for you. See this answer for more information: Heroku NodeJS http to https ssl forced redirect.

301 Redirect from http to https same page name

checked the Forum but could not find an ideal answer. I have recently installed a SSL Certificate on my site and in the process of creating 301 redirects via the .htaccess file for nearly 400 page urls (to keep Google happy). I thought of using;
redirect 301 /contact.php https://www.mydomainname.co.uk/contact.php
but it breaks the site. The only solution I have seen is;
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^contact\.php$ https://www.mydomainname.co.uk/contact.php [L,R=301]
The above seems a lot of code to use for each of the 400 pages! is there a quicker way with less code I can use in the .htaccess file?
Many thanks. Hope someone can advise.
There are two basic ways of redirecting pages with Apache: Redirect (of mod_alias) and RewriteRule etc. (of mod_rewrite).
Redirect is very simple: it will just redirect a single URL to another. It can be useful sometimes, but it's usefulness is limited to its simplicity: in the case of HTTP-to-HTTPS redirection, it can't differentiate between HTTP and HTTPS connections, so it will just try to redirect to HTTPS even if you're already on HTTPS (and thus you end up in an infinite redirect loop).
RewriteRule, on the other hand, is more advanced and flexible. You can use RewriteCond to conditionally redirect requests; in your case, you'd want to redirect requests only if they're on a HTTP connection.
As you mentioned, you want to redirect to HTTPS for many (I presume all) requests; you can easily do this with only a single rule:
# Enable rewrites
RewriteEngine on
# Only run next RewriteRule on HTTP connections (not HTTPS)
RewriteCond ${HTTPS} off
# Redirect any page to the same URL with https:// schema
RewriteRule (.*) https://${SERVER_NAME}/$1 [L,R=301]
(The ${SERVER_NAME} variable will automatically be equal to your domain name, so you can even use this on web servers with multiple domain names.)

My homepage wont go through HTTPS port

So my domain is [1] and as you can see whenever you go on that link it will get HTTP (without padlock) but if you go to any other link it will be HTTPS. Only my homepage goes through HTTP.
Important things to mention is that I use Apache.
Every my attempt to edit .htaccess file ends up by website stoping to work. My whole website is hosted on AWS and that is where I derived my SSL certificate.
I want to make that homepage load in HTTPS as well.
How should I do that?
Here is my app folder and place where I created my .htaccess file.
[1]:
Adding this to your .htaccess should do it:
RewriteEngine on
RewriteCond %{HTTPS} =off
RewriteRule ^$ https://www.urtina.com/ [L,R=301]
If it breaks Apache, check the error log. It is for the homepage only as requested.

"www" in URL is causing a 404

I'm having a very strange issue where having "www." in my URL is causing a 404. I temporarily edited my .htaccess file to password protect the domain for development. I have since restored access and now if I go to www.domain.com it returns a 404.
However, going to domain.com works. The host provider is hostgator, and per their .htaccess guide (http://support.hostgator.com/articles/-htaccess-guidance) I have reverted back to the default config with the same situation:
DirectoryIndex index.html index.shtml index.php default.html home.html
I have even gone as far as deleting .htaccess alltogether in hopes that it would restore but no such luck.
What needs to happen here to allow a website to be accessed via "www.domain.com" and "domain.com?"
Your .htaccess file looks good as it stands; there is nothing preventing it through www.domain.com. The most likely issue here is an IP propagation one. www.domain.com is technically a subdomain of domain.com. Therefor, they use different IP addresses. It's possible that HostGator has cached the .htaccess information incorrectly for one IP, and not the other.
First port of call, try pinging both domains. Open up Command Prompt, and type:
ping www.domain.com
ping domain.com
See if one of them times out.
Ultimately, give it a few days, and try again. Your .htaccess file should copy over automatically, and the problem should be resolved. It's also possible that HostGator has configured something incorrectly on their end.
If after a few days simply waiting doesn't fix the issue, take it up with HostGator, or forcibly redirect your users to the non-www site:
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]
Hope this helps!

Apache force SSL

I am trying to redirect incoming requests to https://www.domain.com/ and all https://www.domain.com/{all pages} and having little trouble. Methods I tried:
Adding this line: Redirect permanent / https://www.domain.com/ to my httpd.conf is causing too many redirect
Using .htaccess to redirect with mod_rewrite is ending in 302 Moved page with a broken link.
What I want is:
Redirect all requests to https://www.domain.com/, including http://www.domain.com/signup and pages like that to https version
I've searched many threads on this but they don't seem to apply to my setup. How should I approach this?
There's a distinct problem with this approach - if you do a automatic non-SSL redirect to an SSL webpage, you lose the security that SSL should provide. i.e. If someone can MITM your non-SSL web server, they can redirect to their own valid SSL server (with a real certificate), and the browser won't know the difference.
i.e. http://www.example.com redirects to https://www.example.com, can be subverted by a man in the middle attack where fake http://www.example.com redirects to https://i-will-steal-your-credit-card.com, and as long as i-will-steal-your-creditcard.com has a valid certificate, the browser won't alert the user that anything is awry, the user will see the little lock icon and think everything's cool and start putting in credit card numbers.
It's a better practice to have a page that explains that what they really want is the SSL version of the URL and a clickable link. Of course, bad-guy could do the same exact thing, but paranoid people always verify the link they're clicking actually links to what it says.
Granted, most people aren't paranoid and will be grumpy about the extra step - so if you have any marketing people making decisions about this upstream from you - odds are you'll end up doing it http->https automatic redirect. This is because Marketing and customers usually don't understand SSL.
It goes like:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Source: http://systembash.com/content/force-https-ssl-access-url-apache/
RewriteEngine On
RewriteCond %{HTTPS} Off
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]
Notice the $1 which appends the path information