RISC OS Open: Forum: Enforced HTTPS - coming to a browser near you

Jun 16, 2024 8:31pm

While checking the links on my website, I find I can no longer access Musus Umbra’s website at all. It used to be at http://www.zen22994.zen.co.uk/musus/ A simple web search finds no hits for “Musus Umbra” (but plenty for “mucus” – thank you for nothing, DuckDuckGo). Does anyone know a working alternative?

Jun 16, 2024 8:50pm

Rick Murray (539) 13806 posts

Strange you got no hits. Google offered many for “musus umbra”, but they were relating to angband etc and were all old links.

I haven’t found anything either as yet, it’s like it all just vanished a couple of years back. Unfortunately Adny’s name matches that of a musician, so guess what happens… yeah. Search engines really need a “this name but not that guy” option. ;)

Jun 16, 2024 9:36pm

Vince M Hudd (116) 534 posts

Adny has a blog here – though his latest post is about three years old. I can’t see any contact route, but depending how it’s set up, posting a comment might get his attention. Possibly.

Jun 17, 2024 3:45pm

Rick Murray (539) 13806 posts

Any advice from you experts out there?

Google says this should be put in the .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Hope this helps.

Edit: This is the one that worked for me. I have just applied it to my site.

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

Note that if you have multiple .htaccess files, you may need to include this in each. I had to add it to the /.htaccess file and the /blog/.htaccess one.

Jun 17, 2024 4:09pm

Rick Murray (539) 13806 posts

I can’t see any contact route

I have his email address, it’s still valid. ;) His site was taken down due to his ISP no longer including hosting as part of their package, and he thought anything useful would have been mirrored elsewhere.

I ought to ask if his domain name place offers any hosting. He reckons the site comes to about seven megabytes in total, well, OVH offers (as a part of having a domain) one mailbox (with up to a thousand aliases) and a plain hosting package of around 10MB (which, obviously, I don’t use). If his registrar offers something similar….?

Jun 25, 2024 12:24pm

Glenn R (2369) 125 posts

Whilst it can be done in the .htaccess file, it’s better to put the rewrite code into Apache’s configuration file. Inside the VirtualHost declaration for the non-HTTP virtual site put something like this just before the closing tag:

RewriteEngine On 
RewriteCond %{REQUEST_URI} !^/.well-known/(.*) 
RewriteCond %{HTTPS} off 
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Make sure to put the second line in as redirecting requests to the .well-known directory will break everything when the time comes to renew the certificate!

Jun 25, 2024 12:27pm

Stuart Swales (8827) 1349 posts

Whilst it can be done in the .htaccess file, it’s better to put the rewrite code into Apache’s configuration file

I dare say most folk hereabouts don’t have access to the Apache config file on their hosting.

Jun 25, 2024 4:29pm

Glenn R (2369) 125 posts

I dare say most folk hereabouts don’t have access to the Apache config file on their hosting.

I’m running my own server. But fair point. However the issuing and management of SSL certs is a server admin issue and something that the server administrator ought to be taking care of, not the ‘customer’ (quotes used as I know there’s a lot of goodwill hosting going on in the RISC OS world). For example, if I’m hosting a site (whether for a paying customer or as a favour for a friend) I’ll set up the SSL as part of the virtual host using CertBot to generate the certificate. Renewals are done automatically on a cron job. The redirect goes in the Apache config as part of setting up the vhost.

The code I copied out of my own httpd.conf is similar to what Rick M quoted from Google, although his doesn’t include the exception for the .well-known directory. As per my previous post, the .well-known directory is where CertBot drops the response file to the authentication challenge – this must NOT be redirected to https otherwise the challenge will fail and the certificate will not be issued or renewed. A trap for the unwary!

Jun 25, 2024 7:45pm

Rick Murray (539) 13806 posts

A trap for the unwary!

I’ve just tossed a message to Rob asking how it works as I don’t appear to have a well-known directory. If I had, I’d have googled to find it what it was…

Jun 25, 2024 7:50pm

Glenn R (2369) 125 posts

CertBot creates it as needed then removes it afterwards. You just need to make sure that HTTP requests to the .well-known directory (don’t forget the initial dot!) don’t get redirected to HTTPS.

Making sure this line is in your .htaccess file (if you can’t access httpd.conf) ought to do it:

RewriteCond %{REQUEST_URI} !^/.well-known/(.*)

(Edit: In the .htaccess file in the appropriate place as per the snippet I posted above – the order of directives does sometimes matter.)

Enforced HTTPS - coming to a browser near you

Reply

Search forums

Social

ROOL Store

Donate! Why?

RISC OS IPR

Description

Voices

Options

Jun 16, 2024 8:31pm Dave Higton (1515) 3497 posts	While checking the links on my website, I find I can no longer access Musus Umbra’s website at all. It used to be at http://www.zen22994.zen.co.uk/musus/ A simple web search finds no hits for “Musus Umbra” (but plenty for “mucus” – thank you for nothing, DuckDuckGo). Does anyone know a working alternative?

Jun 16, 2024 8:50pm Rick Murray (539) 13806 posts	Strange you got no hits. Google offered many for “musus umbra”, but they were relating to angband etc and were all old links. I haven’t found anything either as yet, it’s like it all just vanished a couple of years back. Unfortunately Adny’s name matches that of a musician, so guess what happens… yeah. Search engines really need a “this name but not that guy” option. ;)

Jun 16, 2024 9:36pm Vince M Hudd (116) 534 posts	Adny has a blog here – though his latest post is about three years old. I can’t see any contact route, but depending how it’s set up, posting a comment might get his attention. Possibly.

Jun 17, 2024 3:45pm Rick Murray (539) 13806 posts	Any advice from you experts out there? Google says this should be put in the .htaccess file: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] Hope this helps. Edit: This is the one that worked for me. I have just applied it to my site. RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^(.)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE] Note that if you have multiple .htaccess files, you may need to include this in each. I had to add it to the /.htaccess file and the /blog/.htaccess one.

Jun 17, 2024 4:09pm Rick Murray (539) 13806 posts	I can’t see any contact route I have his email address, it’s still valid. ;) His site was taken down due to his ISP no longer including hosting as part of their package, and he thought anything useful would have been mirrored elsewhere. I ought to ask if his domain name place offers any hosting. He reckons the site comes to about seven megabytes in total, well, OVH offers (as a part of having a domain) one mailbox (with up to a thousand aliases) and a plain hosting package of around 10MB (which, obviously, I don’t use). If his registrar offers something similar….?

Jun 25, 2024 12:24pm Glenn R (2369) 125 posts	Whilst it can be done in the .htaccess file, it’s better to put the rewrite code into Apache’s configuration file. Inside the VirtualHost declaration for the non-HTTP virtual site put something like this just before the closing tag: `RewriteEngine On RewriteCond %{REQUEST_URI} !^/.well-known/(.) RewriteCond %{HTTPS} off RewriteRule (.) https://%{HTTP_HOST}%{REQUEST_URI}` Make sure to put the second line in as redirecting requests to the .well-known directory will break everything when the time comes to renew the certificate!

Jun 25, 2024 12:27pm Stuart Swales (8827) 1349 posts	Whilst it can be done in the .htaccess file, it’s better to put the rewrite code into Apache’s configuration file I dare say most folk hereabouts don’t have access to the Apache config file on their hosting.

Jun 25, 2024 4:29pm Glenn R (2369) 125 posts	I dare say most folk hereabouts don’t have access to the Apache config file on their hosting. I’m running my own server. But fair point. However the issuing and management of SSL certs is a server admin issue and something that the server administrator ought to be taking care of, not the ‘customer’ (quotes used as I know there’s a lot of goodwill hosting going on in the RISC OS world). For example, if I’m hosting a site (whether for a paying customer or as a favour for a friend) I’ll set up the SSL as part of the virtual host using CertBot to generate the certificate. Renewals are done automatically on a cron job. The redirect goes in the Apache config as part of setting up the vhost. The code I copied out of my own httpd.conf is similar to what Rick M quoted from Google, although his doesn’t include the exception for the .well-known directory. As per my previous post, the .well-known directory is where CertBot drops the response file to the authentication challenge – this must NOT be redirected to https otherwise the challenge will fail and the certificate will not be issued or renewed. A trap for the unwary!

Jun 25, 2024 7:45pm Rick Murray (539) 13806 posts	A trap for the unwary! I’ve just tossed a message to Rob asking how it works as I don’t appear to have a well-known directory. If I had, I’d have googled to find it what it was…

Jun 25, 2024 7:50pm Glenn R (2369) 125 posts	CertBot creates it as needed then removes it afterwards. You just need to make sure that HTTP requests to the .well-known directory (don’t forget the initial dot!) don’t get redirected to HTTPS. Making sure this line is in your .htaccess file (if you can’t access httpd.conf) ought to do it: `RewriteCond %{REQUEST_URI} !^/.well-known/(.)` (Edit: In the .htaccess file in the appropriate place as per the snippet I posted above – the order of directives does* sometimes matter.)