Enforced HTTPS - coming to a browser near you
Dave Higton (1515) 3525 posts |
While checking the links on my website, I find I can no longer access Musus Umbra’s website at all. It used to be at http://www.zen22994.zen.co.uk/musus/ A simple web search finds no hits for “Musus Umbra” (but plenty for “mucus” – thank you for nothing, DuckDuckGo). Does anyone know a working alternative? |
Rick Murray (539) 13840 posts |
Strange you got no hits. Google offered many for “musus umbra”, but they were relating to angband etc and were all old links. I haven’t found anything either as yet, it’s like it all just vanished a couple of years back. Unfortunately Adny’s name matches that of a musician, so guess what happens… yeah. Search engines really need a “this name but not that guy” option. ;) |
Vince M Hudd (116) 534 posts |
Adny has a blog here – though his latest post is about three years old. I can’t see any contact route, but depending how it’s set up, posting a comment might get his attention. Possibly. |
Rick Murray (539) 13840 posts |
Google says this should be put in the .htaccess file:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Hope this helps. Edit: This is the one that worked for me. I have just applied it to my site.

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

Note that if you have multiple .htaccess files, you may need to include this in each. I had to add it to the /.htaccess file and the /blog/.htaccess one. |
Rick Murray (539) 13840 posts |
I have his email address, it’s still valid. ;) His site was taken down due to his ISP no longer including hosting as part of their package, and he thought anything useful would have been mirrored elsewhere. I ought to ask if his domain name place offers any hosting. He reckons the site comes to about seven megabytes in total, well, OVH offers (as a part of having a domain) one mailbox (with up to a thousand aliases) and a plain hosting package of around 10MB (which, obviously, I don’t use). If his registrar offers something similar….? |
Glenn R (2369) 125 posts |
Whilst it can be done in the .htaccess file, it’s better to put the rewrite code into Apache’s configuration file. Inside the VirtualHost declaration for the non-HTTP virtual site put something like this just before the closing tag:
Make sure to put the second line in as redirecting requests to the .well-known directory will break everything when the time comes to renew the certificate! |
Stuart Swales (8827) 1357 posts |
I dare say most folk hereabouts don’t have access to the Apache config file on their hosting. |
Glenn R (2369) 125 posts |
I’m running my own server. But fair point. However the issuing and management of SSL certs is a server admin issue and something that the server administrator ought to be taking care of, not the ‘customer’ (quotes used as I know there’s a lot of goodwill hosting going on in the RISC OS world). For example, if I’m hosting a site (whether for a paying customer or as a favour for a friend) I’ll set up the SSL as part of the virtual host using CertBot to generate the certificate. Renewals are done automatically on a cron job. The redirect goes in the Apache config as part of setting up the vhost. The code I copied out of my own httpd.conf is similar to what Rick M quoted from Google, although his doesn’t include the exception for the .well-known directory. As per my previous post, the .well-known directory is where CertBot drops the response file to the authentication challenge – this must NOT be redirected to https otherwise the challenge will fail and the certificate will not be issued or renewed. A trap for the unwary! |
Rick Murray (539) 13840 posts |
I’ve just tossed a message to Rob asking how it works as I don’t appear to have a well-known directory. If I had, I’d have googled to find out what it was… |
Glenn R (2369) 125 posts |
CertBot creates it as needed then removes it afterwards. You just need to make sure that HTTP requests to the .well-known directory (don’t forget the initial dot!) don’t get redirected to HTTPS. Making sure this line is in your .htaccess file (if you can’t access httpd.conf) ought to do it:
(Edit: In the .htaccess file in the appropriate place as per the snippet I posted above – the order of directives does sometimes matter.) |
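
An added example, not taken from any post in this thread and not Glenn R's own configuration: one way to combine the HTTPS redirect quoted earlier with the .well-known exception the thread describes. It assumes mod_rewrite is enabled and that certificate validation uses the standard ACME HTTP-01 path, /.well-known/acme-challenge/.

```apache
# Added example: HTTP-to-HTTPS redirect that leaves ACME challenge
# requests alone. Not from any poster's configuration.
RewriteEngine On

# Skip the redirect for HTTP-01 challenge files, so the certificate
# authority can fetch the token over plain HTTP during issuance or renewal.
# REQUEST_URI is always the full path, so this condition behaves the same
# in /.htaccess, in a subdirectory such as /blog/.htaccess, or inside a
# <VirtualHost> block.
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/

# Only act on requests that arrived without TLS.
RewriteCond %{HTTPS} !=on

# Both conditions must hold for the rule to fire. The pattern "^" matches
# any request; the target is rebuilt from the Host header and the original
# URI. NE stops already-encoded characters being escaped a second time.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
```

To check the result, request a path under /.well-known/acme-challenge/ over plain HTTP with `curl -I` and confirm the response is not a 301 to https, then request any other path and confirm that it is.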