I want to disable https and want to access a site by http (for experimental purposes).I am using firefox on ubuntu 12.4. I tried by disabling SSL in browser.But then i am not able to access sites with https.
How can i do this?
Some sites, require using https (SSL) for accessing them. The site you try to access would probably redirect you to https (SSL), even if you decide to use http. In that case, you cannot disable the SSL use from your browser, because it is a demand from your target site.
Hope I helped...
Related
I have a client with a bunch of one-page websites that is hosting with Godaddy. Of course they don't offer Let's Encrypt SSLs and we don't want to have to renew SSL certificates every 3 months. They noticed that if they go to the HTTPS version of the site it says it is insecure (since it doesn't have an SSL certificate). They have asked me if I can force these to redirect to HTTP. I have found .htaccess rules but they don't work because modern browsers check for certs before hitting .htaccess.
Is there a way to make them redirect? We are using Wordpress for all of them.
we have activated HTTP Strict Transport Security in production. It works well. But now, when wanting to use a subdomain to develop, the website is automatically redirected to https:
https://dev.tokeeen.com/app_dev.php/my-habits
Event if the host is set to 127.0.0.1
127.0.0.1 dev.tokeeen.com
Is there something to avoid this behavior? Of course I don't want to force the host for the main domain.
You are currently setting this on your main site:
Strict-Transport-Security max-age=63072000; includeSubDomain
If you change this to remove the includeSubDomain bit then it will only apply to your top level domain and not the dev sub domain:
Strict-Transport-Security max-age=63072000;
You then need to visit your production site to load this header and overwrite the existing one in your browser’s cache.
However this is less secure (for example someone could set up www.tokeeen.com and pretend to be your site with a bit of DNS manipulation for example).
But to be honest you should just use https on you’re dev site. The Internet is moving towards HTTPS and many new features do not work under plain HTTP. Additionally what you are developing is not similar to your production site so if you include http:// links instead of https:// for example you’ll suddenly see this failing when you release to production.
You look to use LetsEncrypt on your site so the cert is free. Do yourself a favour and just get another free one for your dev subdomain.
You have to get yourself a wildcard certificate as the ssl certificate is only for that domain. That's the whole point of having a secure site.
I'm not sure what server system you are using but in case you don't want to use wildcards and are ok with less secure, you can bind the other domains to
port 80 with the binding type http`
I am having a problem with an old school asp.net site that has been moved behind a SSL terminated loadbalancer. All traffic to IIS is coming from the load balancer as port 80 http traffic. IIS is rendering all the script/image/link urls into http://....
The problem for us is the client browers are seeing pages with absolute URLs containing http protocol links within a https:// page. The browsers are warning about mixing secure and insecure content.
How can this be fixed so that the links are generated with https:// instead of http://
Thanks in Advance
bille
We solved our issue. The problem turned out to be the load balancer configuration. The client is very compartmentalized and denied us access to the LB swearing that the config was correct. After proving to them that telnetting into 443 was being blocked for some stuff we were allowed access to the LB. In addition to just being set up wrong (cut and paste) the LB url rewrite rules were messed up. Fixing those all is good.
I have an IIS6 ASP.NET 2/3.5 site that ALWAYS seems to be caching anything that goes through a https request. HTTP requests always work the same, but i see old/invalid data on https requests.
I see this a lot with pages where i'm doing http rewriting--but in general, it almost seems like the site has one set of values it shows to http requests and another to https requests-- without having any backend code that renders differently based upon the scheme.
Any ideas? Does IIS have a weird ssl caching option i'm not aware of?
The ports were set up wrong in IIS-- although the domain was correct because i was using port 443 it got forwarded to another site (because of host headers setup).
I'm using the IIS 7 rewrite module to redirect a page to use https if http is detected.
Is it possible that the rewrite module can be bypassed? Would be overkill to also put in an https check in the page_load code as well?
If you want to force SSL the best way to do it is using only the port 443. If you only need SSL in some pages of your website my recommendation is to move these files into a special web application or virtual directory. Doing this you can force the SSL connection for these files without worrying about rewrite rules. You can check how to do it here: http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/
Allowing HTTP and HTTPS connections to the same resource can be used to perform a cookie stealing attack if the application cookies are not using the "Secure" attribute.