We're using Microsoft ARR with offloading for managing our new web farm. The site is split into 2 applications. 1 holds the content management system and the other holds the purchasing system. These need to be separated for functionality purposes. The link connecting the 2 has https in the url but when the page loads it's on http. If you manually change the url in the address bar to https then it works so why would it be loading the link as http in the first place?
Hopefully this isn't too vague. I am but a humble programmer and server configuration isn't my area of expertise.
Any thoughts?
For anyone with similar difficulties found the solution for creating the HTTPS rule in following article:
http://blogs.technet.com/b/exchange/archive/2013/10/16/iis-arr-as-a-reverse-proxy-and-load-balancing-solution-for-o365-exchange-online-in-a-hybrid-configuration.aspx
Related
I'm currently implementing Firebase to send Webpush notification on a not fully HTTPS webapp. As webpsuh is using service worker, I did some research and on Google Developers website it is stated:
You can only register service workers on pages served over HTTPS, so we know the service worker the browser receives hasn't been tampered with during its journey through the network.
Does this means it is possible to register a service worker from a HTTPS page even though the rest of the website is HTTP ?
Thanks in advance for any clarification !
EDIT
I've found this conversation on the w3c Github which say that service worker should be served over HTTPS, from what I understand it is possible to have other HTTP pages as long as communication with the service worker is served over HTTPS, am I getting this right?
From the debate about specifications, # jyasskin said :
If the page requesting the SW isn't secure, and the SW is https but on an attacker-controlled domain, you haven't gained anything at all. Yes, the whole app will need to be https.
But this was said before service worker specifications were completely set, so not sure if this was the final way it was specified.
I've opened direclty on github an issue related to this particular question.
They were quick to respond that it is possible to register from a HTTPS page even though the rest of the website is HTTP, as long as it's in a secure context.
The browser will consider the https and http pages as 2 different website though and the service worker will not be able to have control over the http one.
I have a Comodo SSL certificate on my host plan, however when accesing my site from google, it sends me automatically to
http://example.com, Where the green lock doesn't appear.
If I manually add "https", like: https://example.com it does show up!
Is there a way to access my website always with the green lock showing up? instead of manually having to write it everytime?
You can easily redirect to the https version of any page using rewrite rules/rewrite module of your web server (the exact way to do this depends on the webserver used). Ask your provider, this is a common case so there may even be a UI option in your console to do this.
Regarding google see this: https://webmasters.stackexchange.com/questions/67212/how-to-convince-google-to-list-https-version-of-website
It may also be good form to verify the protocol used to access the site in your authentication module and refuse authentication if the wrong protocol is used. Assuming web rules are used to redirect traffic this would to prevent leaking information due to a misconfiguration/bug.
Recently I added SSL to my WordPress site but it started causing some problems (conflicts with Woocommerce and WP Super Cache plugins). The problem the I was having because of SSL was that the the Woocommerce cart was sometimes showing empty even after adding a product ans sometime the cart was not proceeding to checkout page. Do you think it had something to do with WP Super Cache or SSL or both? Anyway, I couldn't get it solved and removed the SSL after 2 days. But meanwhile Google had indexed the HTTPS URLs of my site and was showing them in the search results and they were returning SSL connection error. Now my question is how can I redirect all those HTTPS URLs to the HTTP ones? I asked my web host for help but said the redirection is not possible through htaccess or any other method. Was he right? How long will Google take to 'forget' these HTTPS links and show the HTTPS links again in search Results?
There are two standard ways to redirect:
At the DNS level
At the HTTP level
The DNS level can't help you because it just changes hostname. You want to keep the same hostname but change the scheme. This means you need an HTTP server to do the redirect.
In order to redirect from https to http you need to have an HTTPS service running on the computer with the IP address that the hostname resolves to.
Without that, there is nothing the receive the HTTP request over SSL and response with "Oh, this has moved to plain HTTP".
If the SSL service isn't running, then there is nothing that can do that.
(.htaccess is just a (suboptimal) means to configure an HTTP server, that does no good if you don't have the HTTP server listening on SSL).
Personally I'd fix the https issues. The world is going more https everyday so it's a backwards step to go from https to http. If you elaborate on what issues you had someone might be able to help.
However if you really want to do this then you need to run both http and https and redirect all traffic from https to http. How you do this depends on your set up (in Apache you'd do it using htaccess config).
How long it takes Google to fronded your site depends on many factors including the size and popularity of your site - which governs how often Google crawls your website. Give it a month at least for a small site. You can give it a kick by submitting your site to Google Search Console (the new name for Google Webmaster Tools).
Btw StackOverflow is primarily for programming questions so questions like this might be better asked on the http://webmasters.stackexchange.com sister site.
Google Analytics recently started showing PHP scripts as referrers to my website, for example:
localhost/index.php
EDIT: This is a recent surge in activity coming from India. It is not coming from our own services, such as our web host, or a backup service. It is also coinciding with spam users on my websites from India, so I know this is intentionally malicious behavior.
Any suggestions on how to investigate further and prevent it? We are running on Django, hosted on AWS, if that helps.
If the server have subnet or the server is on your system it may cause that kind of referrers if request from the subnet.
Well, In case of Django if somebody from your team is running a development version of your application with the Google Analytics tracking code, then things like this can show up. Not only will localhost show up in your Referrers, but your aggregate metrics like Bounce Rate, Time On Site, Conversion, and others will be incorrect because the unusual behavior of a developer's will be mixed in with that of normal users and skew our results. There are basically 3 steps to fix it :
Add a Google Analytics exclusion filter
1) Open Google Analytics and choose your property view.
2) Navigate to Admin.
3) Click on Filters under the View column.
4) Click on New Filter.
5) Create a new "Predefined filter" which excludes traffic to the "localhost" hostname.
Edit: Configure ALLOWED_HOSTS in Django settings
This is a security measure to prevent an attacker from poisoning caches and password reset emails with links to malicious hosts by submitting requests with a fake HTTP Host header, which is possible even under many seemingly-safe web server configurations. Django 1.5 introduced the allowed hosts setting that is required for security reasons. A settings file created with Django 1.5 has this new section which you need to add:
ALLOWED_HOSTS = [
'.example.com', # Allow domain and subdomains
'.example.com.', # Also allow FQDN and subdomains
]
Add your host here like ['www.antodominic.com'] or ['*'] for a quick test, but don't use ['*'] for production.
Hope this helps ...!!
Cheers.. :)
If you have a website that is externally accessible, then yes- someone is trying to hack your website... and every other website in existence. It's a fact of life.
Your localhost referrer is not necessarily indicative of malicious behavior, however. It's more likely that your dev instance, or someone else's dev instance of their site with links to your site, is creating the entries in your analytics.
However, if it's a referer with a link to another site in the querystring, then what you're falling victim to is referer spam attempts. If you want to prevent them, you can block them via htaccess if you're running on Apache, or via web.config if you're running on IIS. Just replace the pertinent bits regular expressions, or better yet, add to them.
I have an Asp.net application 3.5. I want to be able to allow multiple/ different clients to access the same application but using different URL's. I have already managed to configure the database to allow this.
So here's the main part.
I want to host my application in a domain say...
wwww.myapplication.com
then allow different client to access the same application using
1) www.clientOne.myapplication.com
2) www.clientTwo.myapplication.com
Also the client subdomains i.e(clientone.myapplication.com and clienttwo.myapplication.com)
should be autocreated by the client upon registration.
How can I achieve this..Your help will be greatly appreciated
A good example of how I want my application to work is
www.quickschools.com
I finally found out the solution that I wanted, so I thought I would share with you my finding. It turns out I needed to create a web application from another running Asp.net web application (From C# Code)
This tutorial by Robbe Morris was really helpful if you need to get started on this.
Another article you might want to check out is this one.
To have different url's using the same application, i would use "301 redirect" subdomains. I'm not really sure how to have a webapp create these subdomains.
I think the way to do this is to make the website the default website on the server i.e. configure so all requests to the servers IP hit this website (unless the header matches another website that explicitly looks for it). You do this just by not specifying a header on the IIS settings (only an IP address and a port number) - you can only do this for one site per IP address/port combination on the server.
Then look at the request url in the website to determine which domain was requested.
This way there is no need to 'create' subdomains... but you do need to reject all request to a domain that you don't want to recognize.
If you can't do this then you would need to adjust the IIS metabase from the application - not impossible - but a very risky and probably a bad idea.
The common case is that you'll have to configure a new virtual site for each of your new tenants during account provisioning. See Creating a New Virtual Server on how to achieve this programatically. Some though argue (with convincing arguments...) that spinning up an appdomain for each tenant is a waste of resources and one should use routing in the application that inspect the HOST header, see Multi-tenant ASP.NET MVC – Introduction.
Configuring IIS/ASP to respond to your tenant sub-dmains is the easy part. The real problem will be to configure DNS for your tenants, and that depends on your DNS solution.