Forcing everything to use https
Hello all
How do I make it so that nobody can access my website without https?
Like this website, for instance. I typed "lowendtalk.com", and when I look in my browser address bar and look (hear) at it, I see "https://www.lowendtalk.com/".
I am using Ubuntu 16.04 with Apache and my SSL is Let's Encrypt.
Comments
setup a redirect to https ?
By the DNS? I tried that and the Firefox web browser was not happy.
I am using Namecheap.
Or do you mean in Apache itself?
`
. . .
`
Strangely when I type "www.example.com" I get https,
but when I type
"example.com" I get no https
no, in the .htaccess file!
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
https://www.inmotionhosting.com/support/website/ssl/how-to-force-https-using-the-htaccess-file
add to .htaccess
Just note that if you're using CF, you should change to Full SSL mode first, or you will get a redirection error.
What the hell is this? Format it properly, man.
Plus, he can’t configure VirtualHosts anyway since he’s on a shared package with NC.
@doghouch
I am actually using a vps. Should have said that in my first post.
Can't help with apache but if you decided to try nginx this should work.
Thanks for the suggestions so far. But like an ass, I made a permanent redirect to https in my basic DNS in Namecheap, and even though I removed it, it still seems to be active. It caused chaotic behaviour among the browsers.
On Google Chrome it worked like a dream.
On Firefox it said the connection was not secure.
On Edge it used http.
On Safari (iPhone) it also worked like a dream.
You're using a NC VPS? .... why?
Where do I put the full SSL directive?
@doghouch
what is NC
@hammer NC = Namecheap
@hammer NameCheap
You add that to the .htaccess file. It is located in the main directory of your site. Have to turn on show hidden files.
Btw, if you are using WordPress, you have to change the settings so WordPress knows you are on https, otherwise your website will go haywire. I believe all you have to do is change your site URL to the https address.
If you are using the CloudFlare proxy, it's in the Crypto section.
@hammer Listen to sanvit. If you’re using CloudFlare (proxy enabled), you’ll get an infinite redirect when you add a redirect in your .htaccess.
If you changed DNS entries/settings, give it a moment to propagate correctly and make sure the old entries are not cached by the provider/router/Windows/browser whatsoever.
@hammer if on WordPress... use this plugin
https://wordpress.org/plugins/really-simple-ssl/
Also, it's almost 2018; don't have www. in your redirect.
OK, thanks all. My issues have been solved, thanks. I am not sure what did it: the VirtualHost or the .htaccess modifications.
I will remove the htaccess redirect thing though and see what happens.
Thank you all.
@doghouch
I am only using Namecheap for the domain and the basic DNS it provides.
My vps is with vmhaus.
Visit google.com. What happens? Are they doing it all wrong?
It redirects to https://www.google.cctld, where ccTLD is your country code's TLD.
Set up an HTTP redirect and use HSTS.
Or, you could just set the IP for both, and ServerAlias them so you don't have a pointless redirect. NoWWW is so 2004.
This. Visitors who already visited you over HTTPS won't accidentally hit HTTP again, without the need for your server to redirect them to a TLS connection. It's better than a 301 as it covers the entire domain and it is conceived with security in mind. In theory, you could even leave port 80 closed: returning visitors entering the domain name manually after a first contact over HTTPS will get automatically redirected to HTTPS by their browser, before accessing the server. Without HSTS and using only a 301, a returning visitor who visited your site via HTTPS but who didn't visit it over HTTP yet would be theoretically vulnerable to MiTM attacks. HSTS uses a separate, typically long-expiring cache (usually set server-side to six months), separated from the one used by 301 redirects. The obvious downside is that you should be prepared to serve everything over a TLS connection for at least the period you declare in HSTS.
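To check the outcome of the redirect-plus-HSTS advice above, this added example (not code from any poster in the thread) audits the four URL variants of a site for a permanent redirect to HTTPS and a usable HSTS header. The responses are constructed for example.com, and the names `audit` and `parse_hsts` are hypothetical.

```python
import re
from urllib.parse import urlsplit

SIX_MONTHS = 15_768_000  # seconds; roughly the six-month lifetime mentioned above

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains), or None."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "max-age" and re.fullmatch(r'"?\d+"?', arg):
            max_age = int(arg.strip('"'))
        elif name == "includesubdomains":
            subdomains = True
    return None if max_age is None else (max_age, subdomains)

def audit(observed, min_age=SIX_MONTHS):
    """observed maps URL -> (status, headers); returns a list of findings."""
    findings = []
    for url, (status, headers) in observed.items():
        headers = {k.lower(): v for k, v in headers.items()}
        if urlsplit(url).scheme == "http":
            # Browsers ignore HSTS sent over plain HTTP (RFC 6797); only the redirect matters.
            target = urlsplit(headers.get("location", ""))
            if status not in (301, 308) or target.scheme != "https":
                findings.append(f"{url}: no permanent redirect to https (status {status})")
            continue
        # HSTS is recorded per host name, so check each HTTPS host on its own.
        hsts = parse_hsts(headers.get("strict-transport-security", ""))
        if hsts is None:
            findings.append(f"{url}: no usable Strict-Transport-Security header")
        elif hsts[0] < min_age:
            findings.append(f"{url}: HSTS max-age {hsts[0]} is below {min_age}")
    return findings

# Constructed responses matching the symptoms in the thread (not captured traffic).
BEFORE = {
    "http://example.com/": (200, {}),  # apex served over plain HTTP
    "http://www.example.com/": (302, {"Location": "https://www.example.com/"}),
    "https://example.com/": (200, {}),  # HTTPS works but sends no HSTS
    "https://www.example.com/": (200, {"Strict-Transport-Security": "max-age=15768000"}),
}
AFTER = {
    "http://example.com/": (301, {"Location": "https://example.com/"}),
    "http://www.example.com/": (301, {"Location": "https://www.example.com/"}),
    "https://example.com/": (200, {"Strict-Transport-Security": "max-age=15768000; includeSubDomains"}),
    "https://www.example.com/": (200, {"Strict-Transport-Security": "max-age=15768000"}),
}
```

`audit(BEFORE)` reports the apex host served over HTTP, the temporary redirect on www, and the HTTPS apex without HSTS; `audit(AFTER)` returns an empty list.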
b-but muh SEO
http://lowendtalk.com redirects (301) to https://www.lowendtalk.com, but https://lowendtalk.com doesn't redirect
i let runcloud (aff in signature) take care of that for me. yes, I am lazy..
If you are using Nginx
if ( $scheme = http ){
return 301 https://$server_name$request_uri;
}