I have a wordpress website using free hosting of Open Shift. When I search goole for my website name. I received a result that contain https ssl. But when I click this links google chrome will go to:
Attackers might be trying to steal your information from phamquan.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
This server could not prove that it is phamquan.com; its security certificate is from *.rhcloud.com. This may be caused by a misconfiguration or an attacker intercepting your connection.
Because my website doesn't have ssl cerification. How can i disallow google index all links of my website as https. Only allow http links.
The only way to prevent Google from indexing the HTTPS version of the site is to stop listening to HTTPS. The main problem here is that your webserver is currently listening to HTTPS requests, although your website is not configured to deliver a valid certificate.
If you can't access the server configuration, another approach described here and here is to use the canonical link tag to link to the HTTP version of the site as a hint that the correct version is the HTTP and not the HTTPS.
Related
Recently I have been working on a website project that allows users to login with their Discord accounts to browse the website with their account.
The website utilizes the Flask-Discord library, Quart as my WSGI web framework, Hypercorn as my production server and Nginx as a proxy to pass web requests to my Hypercorn socket. I have set up an SSL certificate using Certbot-Nginx with Let Encrypt as the Certificate Issuer. However, after users are redirected to the Discord login page, the user logs into Discord and the callback is requested to my Quart Server I am receiving the following error:
oauthlib.oauth2.rfc6749.errors.InsecureTransportError: (insecure_transport) OAuth 2 MUST utilize https.
The website is set up and working correctly with a domain setup with noip temporarily and the SSL certificate valid, making all requests redirect to HTTPS instead of HTTP.
Is it possible that because the SSL certificate is set up with Nginx that the Python OAuth2 library is just unaware of the SSL certificate? It seems unlikely considering all requests are being redirected to HTTPS.
I've found plenty of people recommending to prevent such an error to just change the OAuth environment variables to allow for insecure transport but I don't want to compromise the security of the website.
Any ideas as to why this might be happening would be extremely helpful.
Thanks
This is happening because requests coming from Nginx reverse proxy is in HTTP form. Since you're running Quart app locally at say http://127..0.0.1:5000 and when Nginx makes requests to this URL, its starts with http. So insecure transport is done only from Nginx to your Quart app. You can supress this by setting "OAUTHLIB_INSECURE_TRANSPORT" = "true". More highlight on this: https://github.com/thec0sm0s/Flask-Discord/issues/3#issuecomment-676567390
my fathers job requires him to use a VPN to access anything work related (emails, websites, etc) outside his office, and the VPN blocks facebook, currently whenever he wants to use facebook, he has to log off the VPN first. He asked me if I could set up something to try and get around that, so I am attempting to setup NGINX on Debian 9 to act as a reverse proxy, however I have very little experience with NGINX. I have found that if I include proxy_set_header Host $host; then I can get to facebook but see
"Sorry, something went wrong.
We're working on getting this fixed as soon as we can."
But if I don't include it the VPN still blocks facebook.
Any advice?
nginx config
You're not going to be able to reverse proxy Facebook, for a few reasons:
facebook.com isn't going to load from an alternative hostname, such as kyles-facebook-proxy-clone.com. The browser sends a request header, Host. Facebook's servers won't serve for a hostname that they aren't expecting.
Undoubtedly there's some client-side JavaScript that will be hardcoded to other hostnames you're not proxying (for API access, CDNs for images/video, etc.) that will break, unless you rewrote the page in your code as well (which isn't reasonably possible due to obfuscation).
You can't serve traffic for facebook.com without having a properly signed certificate for HTTPS. HTTPS is required for facebook.com due to HSTS.
Even if you managed to get a certificate, it isn't going to work due to key pinning.
What can you do?
Use a proper proxy server.
Use Tor.
Ask for Facebook to be let through on the VPN.
If a client is requesting a domain that does not have a valid CA signed certificate and the server not intend on supporting HTTPS but does support HTTP for this domain, what is the best way to handle this in the web server. Note, the server does handle requests for SSL (HTTPS) on other domains so it is listening on 443.
Example where this would apply is for multi sub-domains where the sub-domains are dynamically created and thus making it extremely difficult to register CA signed certificates.
I've seen people try to respond with HTTP error codes but these seem moot as the client (browser) will first verify the certificate and will present the hard warning to the user before processing any HTTP. Therefore the client will only see the error code if they "proceed" past the cert warning.
Is there a canonical way of handling this scenario?
There is no canonical way for this scenario. Clients don't automatically downgrade to HTTP if HTTPS is broken and it would be a very bad idea to change clients in this regard - all what an attacker would need to do to attack HTTPS would be to infer with the HTTPS traffic to make a client downgrade to unprotected HTTP traffic.
Thus, you need to make sure that the client either does not try to attempt to access URL's which do not work properly (i.e. don't publish such URL's) or to make sure that you have a working certificate for these subdomains, i.e. adapt the processes for creation of subdomains so that they not only have an IP address but also a valid certificate (maybe use wildcard certificates).
Considering these websites don't have to work with SSL, the webserver should close all SSL connections for them in a proper way.
There is no canonical way for this, but RFC 5246 implicitly suggests to interrupt the handshake on the server side by using the user_cancel + close_notify alerts. How to achieve this is another question, it will be a configuration of the default SSL virtual host.
user_canceled
This handshake is being canceled for some reason unrelated to a
protocol failure. If the user cancels an operation after the
handshake is complete, just closing the connection by sending a
close_notify is more appropriate. This alert should be followed
by a close_notify. This message is generally a warning.
If you are dealing with subdomains, you probably can use a wildcard certificate for all of your subdomains.
Adding the CA certificate to your client will remove the warning (that's what companies do, no worry).
When hosting with Apache, for example, you can use VirtualDocumentRoot to add domains without editing your configuration. Have a look at the solution provided here : Virtual Hosting in SSL with VirtualDocumentRoot
I have one wordpress website, in that am getting lot of errors day by day. So I like to change my normal HTTP to HTTPS. So please can you explain it is very useful and secure for my website.
If your website does not have https in the web link this means that you do not have installed SSL. Most of the modern web browsers treat any website without SSL installed as insecure. This may be one of the reasons for your website's issues.
I found the following answers to the question of the difference between HTTP and HTTPS.
Difference between HTTP and HTTPS
To know about the reasons for using SSL follow the link given below:
Reasons for using SSL
10,000ft view...
http is an unencrypted protocol for sending and retrieving data from servers in a web browser (among other uses). https is the same protocol but wrapper in SSL, a security tool that encrypts communications between the browser and server. This is what what banks and other websites use to ensure your data (like financial info) is protected when sent to your browser and cannot be read by someone on the same network.
Checkout articles like this and google the topic for more info.
Hope this helps.
Evening all,
I am having some difficulty with displaying my FTP connection content on a page with HTTPS encryption. It works on standard HTTP but not HTTPS. I am running Apache web server. I'm not fussed about the user being able to see the FTP details just want to secure the connection between both ends though.
Would FTPS on HTTPS work?
Regards
ftp:// does work on https websites, although by default its blocked by the "Mixed Content Blocking"
In firefox you can disable this protection by doing what the picture describes:
For IE:
ftp:// does not work because of mixed content (e.g. secure https and non-secure ftp).
ftps:// will not work because most browsers do not support it and maybe your ftp server doesn't even speak ftps.
And, how about just testing it before asking, it is not that hard to replace that ftp:// with ftps:// in your page, isn't it?