http:// website not loading for old users

I recently moved a website from https://www.ezacu.com to http://www.ezacu.com and I'm finding that the website loads for people who have never visited the https version, but not for people that have.
I believe that this is either because their browsers keep autocorrecting http to https (since it used to be https) or because their browser is trying to use a cached version. I'm not sure how to find out or how to fix the issue, but it is especially difficult for me because it works on my computer/phone; the issue is with other users.
I am hosting the website on Amazon S3.

The simple solution is to create a CloudFront distribution with your domain name as its Alternate Domain Name, attach a free SSL cert from Amazon Certificate Manager, type the web site hosting endpoint from your bucket as the Origin Domain Name (don't select the bucket from the drop-down list -- that won't enable the web site hosting features of S3), then point your DNS to CloudFront.
When you use CloudFront with S3, you pay bandwidth charges to CloudFront instead of to S3, so the cost difference is negligible and in certain cases, bandwidth can actually cost slightly less.
There isn't a way to convince browsers not to try to use HTTPS once they believe it's available.
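Added example, not part of the original answer: given responses recorded from the site as it was served before the move, this classifies which browser-side memory (an HSTS entry, or a cached permanent redirect) keeps earlier visitors on https://. The sample responses are constructed.

```javascript
// Parse a Strict-Transport-Security header (RFC 6797) into its directives.
function parseHsts(value) {
  const out = { maxAge: 0, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [k, v = ''] = part.trim().toLowerCase().split('=').map((s) => s.trim());
    if (k === 'max-age' && /^\d+$/.test(v)) out.maxAge = Number(v);
    else if (k === 'includesubdomains') out.includeSubDomains = true;
    else if (k === 'preload') out.preload = true;
  }
  return out;
}

// responses: [{ url, status, headers }] as the old https:// deployment answered them.
// Returns the mechanisms that make a returning browser insist on https://.
function explainHttpsStickiness(responses) {
  const reasons = [];
  for (const r of responses) {
    const h = Object.fromEntries(Object.entries(r.headers).map(([k, v]) => [k.toLowerCase(), v]));
    // 1. HSTS is only honoured when received over HTTPS: the browser rewrites http:// to
    //    https:// for max-age seconds after the last visit. Serving max-age=0 over HTTPS
    //    removes the entry again, but a preloaded domain cannot be cleared that way.
    if (r.url.startsWith('https://') && h['strict-transport-security']) {
      const hsts = parseHsts(h['strict-transport-security']);
      if (hsts.maxAge > 0) {
        reasons.push({ kind: 'hsts', days: Math.round(hsts.maxAge / 86400),
                       includeSubDomains: hsts.includeSubDomains, preload: hsts.preload });
      }
    }
    // 2. A permanent redirect to https:// is cacheable by default, so browsers may replay
    //    it without contacting the server unless caching was explicitly switched off.
    const cc = (h['cache-control'] || '').toLowerCase();
    const uncacheable = /no-store|no-cache|max-age=0/.test(cc);
    const loc = h['location'] || '';
    if ((r.status === 301 || r.status === 308) && /^https:/i.test(loc) && !uncacheable) {
      reasons.push({ kind: 'cached-redirect', from: r.url, to: loc });
    }
  }
  return reasons;
}

// Constructed sample of what the old deployment answered.
const oldResponses = [
  { url: 'http://www.ezacu.com/', status: 301, headers: { Location: 'https://www.ezacu.com/' } },
  { url: 'https://www.ezacu.com/', status: 200,
    headers: { 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains' } },
];
console.log(explainHttpsStickiness(oldResponses));
```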

Related

AWS Web ACL rule: alternatives to Referer

I am looking for a way to limit access to AWS S3 hosted data in a controlled and at least semi-secure way. I have various resources in a number of S3 buckets, with CloudFront as CDN. I then have a WordPress based website using a theme that allows me to sell "courses". Finally I manage my domains so I can create a sub domain for the content download link, i.e. content.domainname.com.
Ideally I want to limit access to content to a specific set of courses, so only people who have bought the course, and are linking to the content from a web page in that course, can (easily) get at the data.
I know I can use an AWS Web ACL rule to check the referer, to limit downloads to links on my domain. And I think I can expand on that to test more of the URL, so in www.domainname.com/paid/coursename/page.html I could have a rule that tests for the bold portion of the path and refuses otherwise.
However, I also know that referer can be easily spoofed, and more importantly some browsers and internet security software will replace the referer, and I don't want my site security to force customers to change their security settings. So, is there another option, to include some sort of data in the HTTP request, that limits access in a way that is both somewhat secure, but not dependent on client side settings? Perhaps something like a hash that I could include in the link itself? Or, maybe the WordPress API and AWS Web ACL Rules can communicate in some way so as to validate that the logged on user has membership in the course? Grasping at straws here I suspect.
Additionally, there will be a PowerShell script that can be downloaded and run, which will access downloadable content as well. Again, I want to limit access, but in this case I need to be able to maintain the criteria on AWS as I have subscription and non subscription versions of the courses, and the PS script should only download for customers on subscription. So, I could provide the PS script with something like a customer ID, then maintain a list of customer IDs that are currently on subscription so the Web ACL rule could filter. But again, I suspect that HTTP header won't get the job done, because it could be changed by internet security at the customer location. But now I am limited by what PowerShell can do with regards to HTTP requests.
I know, rather an open ended question, but hopefully someone can at least point me in the right direction. It sure seems like both needs are something that AWS should be able to do, I am just so out of my depth here I don't know where to start, and AWS documentation requires that you have some clue to get you going.

Is it possible to host my Node.js server on Firebase cloud delivering by CDN?

I have seen that Google Firebase offers a static files hosting solution (for the front end) which is served in SSL and by CDN. That means, I can serve customers all around the world with a server located probably close to them and enjoying good speeds.
Now I want to do the same with my Node.js backend code.
That means, instead of hosting my backend code in my own VPS, which will probably be fast only for those who live close to my server, I want to deploy the same server to Firebase's CDN and, of course, over HTTPS.
What I have found for now is Firebase Functions, which is probably a Node.js server. However I am not sure if it's running upon a CDN, so it will be fast just as the static files serving, or that it's just a server located somewhere in the US that has to serve worldwide.
In addition, if there is such a service - where I can host my back end code with SSL, may I have the "standard" express configuration I have now on my VPS?
And what about clusters/workers? How many workers can I have when using the Firebase solution (if there is one like that)?
Thanks.
SSL and firebase functions & hosting?
You get HTTPS by default for hosting and functions. If you need functions to be served from your custom domain and not https://us-central1-[projectname].cloudfunctions.net, you will need to configure your firebase.json file to rewrite your routes to your firebase functions. The main thing to flag here is that with both options you get HTTPS and certs issued directly from google/firebase.
When you bring a custom domain over it can take up to 1-2 hours for firebase to issue the certificate, but all this happens automatically without you having to do anything.
Does firebase functions integrate with a CDN?
Yes, but you need to set the correct s-maxage header in your response to ensure the firebase CDN will store it. See here for more info on this.
Cache invalidation is still hard with firebase so I would keep this in mind before you set anything.
How many workers I can have when using the Firebase solution (if there is one like that).
One benefit of using firebase functions is that you don't need to really give much thought to the resources behind the backend. If you have heavier workloads you can increase your ram/cpu power in the google console for your selected function. The endpoint will scale up and down depending on how many requests it gets. On the flip side if it doesn't get any requests (usually in non prod environments) it'll go to an idle state. You need to be aware of the cold start problem before you fully commit to using this as a replacement to your current nodejs VPS hosting solution.
I personally use the cache control headers to ensure the functions responses are pushed into the CDN edge, which takes the edge off the cold start issue (for me and my use case).

How to register local domain name?

I am using ampps server to develop a wordpress site. I have less storage on my pc so I started looking for a good cds (content delivery system). I downloaded the cloud flare plugin and tried to make an account on cloud flare but when I added my domain which I have created in the hosts file it says that this is not a registered domain.
The hosts file is for redirecting web addresses on your own computer. If you add a domain name in your computer's hosts file, it tells ONLY your own computer that if you want to go to this given address, then it should turn back to your own computer (127.0.0.1 for localhost) and not search for it on the internet. Try to change the "127.0.0.1" on that line of the hosts file to "stackoverflow.com", save the file and see what I mean. It should now redirect your given address to stackoverflow. Don't forget to change it back later or it will be redirected forever.
Registering your domain means that you pay for it and you get the right to use it temporarily, i.e. the term 'reservation'. If you buy your domain name from a certified registrar company, then you also have to validate your contact data etc. Different top level domains (.com .net .co.uk .eu etc.) are operated by different countries and they all have different regulations, expiration dates and prices. For instance today (January 2016) you can buy a .net domain for a year for around 10€. There are also some free registrars (.tk .me) but they have a bad reputation and are not that easy to remember for your customers. Also some countries forbid certain content (porn, for instance).
It is convenient to get your domain reservation from where you will be hosting it. Then you don't have to transfer it and do all kinds of quite difficult stuff. You can also get discounts with bundles. Just look for a major registrar; search Google or Bing etc. for "domain registrar and web hosting".
Also I suggest you search Youtube for videos about how to make your first website. Don't get me wrong, I know that you can make the page, but these videos usually include all about domain name buying and website hosting. Some videos also offer their own affiliate code with certain registrars so that if you type the given code in, you get some percentage off the service fee, maybe even a free domain name reservation for a year.
Never give out your planned domain name publicly before you have reserved it in your name. Someone else might register it before you with the purpose of selling it to you at a higher price later. Also remember that you have to renew your domain reservation periodically, usually once a year. Good luck with your site!

Can sites on Firebase hosting include non-https resources?

I have been trying to migrate my site from divshot to firebase, since firebase has taken over divshot and shut it down.
Mine is a simple read only site that does not need https. It also contains links to external sites which do not support https. The site worked perfectly on divshot but it looks like firebase forces all sites to use https. Unfortunately, this causes the external sites that my site references to fail loading. The error being:
Mixed Content: The page at 'https://mysite.firebaseapp.com/' was loaded over HTTPS, but requested an insecure resource 'http://www.externalsite.com/'. This request has been blocked; the content must be served over HTTPS.
I tried to remove the http: so the external site is just //www.externalsite.com/, but this causes certificate errors. I can't change it to https since this external site doesn't support it.
Is there any way around this problem?
The short answer is no. This is completely by design. It's a security flaw to allow http on a https site. Therefore it's blocked.
However,
Solution 1: Find an https version of the resource. This might not be possible in your case.
Solution 2: Convert the resource to https. It might be possible to host the file or resource yourself with https. This may require you to copy a file or something, which I say carefully: don't pirate stuff that you shouldn't.
Solution 3: Redirect. This one is probably the most involved solution to do, but if you are trying to access some service then you could make your own service to redirect it. You are on firebase which means you could probably hack together some cloud function to make an HTTP request (How to make an HTTP request in Cloud Functions for Firebase?)
Solution 4: Don't use Firebase. Don't want to do any of the above and you can't live without the http call? You might just dump firebase and move to some other hosting service.
Hope you find this helpful; it might not be the answer you're looking for but it might point you in the right direction.

implications of having a site in full https

I am currently developing an MVC4 web application for eCommerce. The site will contain a login and users can visit the site, input their details and submit orders etc. This is a traditional eCommerce site.
To boost the security of the site, I am looking to set up the entire site in https. As the user will be supplying their log in credentials and storing personal information in cookies, I would like the site to be fully secured.
I have concerns though, these being: if I set up the site in https, will it be detrimental to performance? Will it impact negatively on search engine optimization? Are there any other implications of having an entire site in https?
I use output caching to cache the content of my views - with https will these still get cached?
I have been reviewing security guidelines and documentation, such as this from OWASP and they recommend this. Also, I see that sites such as twitter are fully https.
Generally speaking, no - whole-site encryption is not a problem for performance.
(Just make sure you disable SSL 2.0 on your server, as it's vulnerable to the BEAST attack; you should use TLS 1.0 or SSL3.0 which have been supported by pretty much every browser since 2000).
The performance issues were a problem years ago, but not anymore. Modern servers have the capacity to deal with the encryption of hundreds of requests and responses every second.
You haven't mentioned deploying a load-balancer or failover system, which implies your site won't be subject to thousands of pageviews every second. That's when you need to start using SSL offloaders - but you're okay for now.
Output caching is not affected by encryption - just make sure you're not serving one person's output to another (i.e. cache a shopping cart or banking details in Session or with the Session ID in the Cache key).
