IIS 7.0 redirecting https to http - iis-7

We have a main address, which is example1.example.com, and we have an HTTPS certificate issued for this address. But the main code is on example2.example.com, and we used to redirect the first one to this one.
Now we want to use HTTPS and I want to know if it's possible for us to do so. We don't have any HTTPS certificate on the 2nd server.

For me the best and easiest method on IIS 7.x to do redirection is with the URL Rewrite module of Microsoft:
to find here
and many different configuration examples for it, here

In Global.asax I have this block:
if (Request.ServerVariables["HTTPS"] != "on")
{
    Response.Redirect(Request.Url.AbsoluteUri.Replace("http://", "https://"), true);
    return;
}
This turns http requests into https, which you will want to do on example1, if example2 refers back to example1.
For what you want to do, this should work:
if (Request.ServerVariables["HTTPS"] == "on")
{
    Response.Redirect(Request.Url.AbsoluteUri.Replace("https://", "http://"), true);
    return;
}

Related

getting a refused connection error when trying to do HTTP->HTTPS in lighttpd.config

I was looking at how to redirect from HTTP to HTTPS on the Lighttpd website, and it looked really easy. (https://redmine.lighttpd.net/projects/1/wiki/HowToRedirectHttpToHttps)
$HTTP["scheme"] == "http" {
    # capture vhost name with regex conditional -> %0 in redirect pattern
    # must be the most inner block to the redirect rule
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}
but it doesn't reroute at all.
I have been trying to access the websites by way of www.test.com, http://www.test.com, and http://test.com but it doesn't seem to work.
It just says: ERR Connection Refused. I have confirmed that the website works in http and https without this code, but when doing this, it doesn't seem to work.
I would like to understand it more since I will have a bunch of other domains routing through here eventually.
I have also tried more specific calls as well which didn't work:
$HTTP["scheme"] == "http" {
    # capture vhost name with regex conditional -> %0 in redirect pattern
    # must be the most inner block to the redirect rule
    $HTTP["host"] =~ "www.test.com" {
        url.redirect = (".*" => "https://%0$0")
    }
}
Doing the above code in the question is actually valid. The issue, as pointed out by @Gstrauss, is that in order to have redirect capabilities, you need to make sure that module is actually enabled. I looked into the modules.conf file and noticed it was not enabled.
Upon enabling mod_redirect and restarting the server, no matter if I went to the HTTP or HTTPS version of my site, it would forward me to the HTTPS version of the site.

How do I reverse proxy the homepage/root using nginx?

I'm interested in sending folks who go to the root/homepage of my site to another server.
If they go anywhere else (/news or /contact or /hi.html or any of the dozens of other pages) they get proxied to a different server.
Since "/" is the nginx catchall to send anything that's not defined to a particular server, and since "/" also represents the homepage, you can see my predicament.
Essentially the root/homepage is its own server. Everything else is on a different server.
Thoughts?
location = / {
    # only "/" requests
}
location / {
    # everything else
}
More information: http://nginx.org/en/docs/http/ngx_http_core_module.html#location

How to Reproduce sendRedirect issue - HTTPS change to HTTP

I am using response.sendRedirect() to redirect the user to the Home page once the user gets authenticated successfully. This is to avoid the "Login redirect vulnerability".
However, because of the above change, one of my customers is facing an issue where his HTTPS requests are getting converted to HTTP (with the IP address in the URL). The reason for the same is explained here
http://geekexplains.blogspot.in/2008/06/https-becoming-http-in-case-of.html
Now, how can I reproduce the issue (or set up the environment) so that I can verify my fix? I thought I could reproduce it by setting up an Apache server in front of Tomcat, but I am not able to reproduce the above mentioned issue.
In Apache httpd.conf I have the below entries
ProxyPass /myconsole ajp://localhost:8009/myconsole
ProxyPassReverse /myconsole ajp://localhost:8009/myconsole
Accessed the application like,
http://myapacheserver/myconsole/Login.jsp
After the successful login, I am getting redirected to
http://myapacheserver/myconsole/Home.jsp
I am expecting to be redirected to the IP address, something like http://10.32.24.14:8080/myconsole/Home.jsp.
In the customer environment he is getting redirected to the ip address of App server (tomcat).
Any pointer would be helpful.
Thanks
Note:
For those interested, I am building the full URL by getting the first part of URI from the configuration file.
// Get the LB URI part. Eg: https://dev.loadbalancer.com/
String loadBalancerURI = getConfig().getLoadBalancerRequestURI();
// getContextPath() starts with "/" (or is empty for the root context)
String redirectURL = request.getContextPath() + "/Home.jsp";
// Prepend the load balancer URI to the redirect URI
if (loadBalancerURI != null)
{
    // Drop trailing slashes from the configured URI so the path does not start with "//"
    redirectURL = loadBalancerURI.replaceAll("/+$", "") + redirectURL;
}
// Redirect to home page
response.sendRedirect(redirectURL);
return;
Edit: More info on the setup. The customer has an F5 load balancer where the SSL traffic stops, and then there are Apache reverse proxy servers which proxy to a pool of Tomcat servers. The issue is that when we redirect, the redirect URL is for the Tomcat servers. What we are expecting is to have the load balancer URL in the redirect URL.
Is it possible to make some change in the Apache server which will rewrite the URL in the HTTP header in the response sent by Tomcat?
I'm not sure if you're really using a load balancer or if you just called one of your methods getLoadBalancerRequestURI, but where you only have one server, just use:
response.sendRedirect("./Home.jsp");
It's not necessary to specify the full URL.
But if you do need to build the full URL as you are doing, you can use something like this to check if it's https://
String protocol = "https";
if (request.getRequestURL().toString().toLowerCase().startsWith("http://"))
{
    protocol = "http";
}
Then make sure to build the url with the proper protocol.
See this link ..
So when an https request redirect happens, the target server has no clue what's the original request's protocol. It only receives an http request. Thus, the response for that would be an http response.
http://www.hoitikwong.com/2013/03/the-mystery-case-of-https-becoming-http.html
I was able to reproduce the issue (the HTTPS-to-HTTP redirect) which my customer was facing.
The communication from Apache (HTTPD server) to Tomcat (web container) generally happens by using one of the following connectors (there may be some other way as well).
mod_jk
mod_proxy_ajp
mod_proxy_http
mod_rewrite
I am able to reproduce the issue only when I use mod_rewrite. If I use either the mod_jk or mod_proxy_ajp or mod_proxy_http approach then the redirect works fine. But when I use mod_rewrite, then when the redirect happens I am able to observe the HTTPS-HTTP conversion.
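The effect discussed in this thread, as an added example that is not part of the original posts: a check for an HTTPS-to-HTTP redirect, and the `Location` rewrite the proxy tier has to apply when TLS stops in front of Tomcat. The function names are hypothetical; the sample host and address are the ones quoted in the question.

```javascript
// Added example, not code from the thread. Function names are hypothetical.
// Sample values are the ones quoted in the question.
const PUBLIC_ORIGIN = "https://dev.loadbalancer.com";   // where TLS terminates
const BACKEND_ORIGINS = ["http://10.32.24.14:8080"];    // how Tomcat sees itself

// True when a response to an HTTPS request sends the browser to plain HTTP.
function isSchemeDowngrade(requestUrl, location) {
  const resolved = new URL(location, requestUrl); // also resolves relative values
  return new URL(requestUrl).protocol === "https:" && resolved.protocol === "http:";
}

// Location value the proxy tier should hand to the client.
function rewriteLocation(location, publicOrigin = PUBLIC_ORIGIN,
                         backendOrigins = BACKEND_ORIGINS) {
  // No scheme: the browser resolves it against the URL it requested,
  // so the public scheme and host are kept.
  if (!/^[a-z][a-z0-9+.-]*:/i.test(location)) return location;

  let target;
  try {
    target = new URL(location);
  } catch {
    return location; // unparseable: pass through unchanged
  }
  const pub = new URL(publicOrigin);
  const rest = target.pathname + target.search + target.hash;

  // Backend leaked its own scheme, address and port into the redirect.
  if (backendOrigins.some((b) => new URL(b).origin === target.origin)) {
    return pub.origin + rest;
  }
  // Right host, wrong scheme: the backend only ever saw the http hop.
  if (target.host === pub.host && target.protocol === "http:" &&
      pub.protocol === "https:") {
    return pub.origin + rest;
  }
  return location; // redirect to some other site: leave it alone
}
```

Running `isSchemeDowngrade` over the `Location` header of each captured login response gives a repeatable pass/fail check for the fix.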

Sending extra header in nginx rewrite

Right now, I am migrating the domain of my app from app.example.com to app.newexample.com using the following nginx config:
server {
    server_name app.example.com;
    location /app/ {
        rewrite ^/app/(.*)$ http://app.newexample.com/$1;
    }
}
I need to show a popup banner to notify the user of the domain name migration.
And I want to do this based upon the referrer or some kind of other header at app.newexample.com
But how can I attach an extra header on the above rewrite so that the javascript would detect that header and show the banner only when that header is present coz the user going directly at app.newexample.com should not see that popup-banner?
The thing is that, when you "rewrite" into URI having protocol and hostname (that is http://app.newexample.com/ in your case), Nginx issues fair HTTP redirect (I guess the code will be 301 aka "permanent redirect"). This leaves you only two mechanisms to transfer any information to the handler of new URL:
cookie
URL itself
Since you are redirecting users to the new domain, cookie is no-go. But even in the case of a common domain I would choose URL to transfer this kind of information, like
server {
    server_name app.example.com;
    location /app/ {
        rewrite ^/app/(.*)$ http://app.newexample.com/$1?from_old=yes;
    }
}
This gives you the freedom to process at either Nginx or in a browser (using JavaScript). You may even do what you wanted initially, issuing a special HTTP header for JavaScript in the new app server Nginx configuration:
server {
    server_name app.newexample.com;
    location /app {
        if ($arg_from_old) {
            add_header X-From-Old-Site yes;
        }
    }
}
A similar problem was discussed here. You can try to use a third-party module HttpHeadersMore (I didn't try it myself). But even if it does not work at all, with the help of this module you can do absolutely everything. Example is here.
Your redirect is missing one thing, the redirect type/code, you should add permanent at the end of your rewrite line, I'm not sure what's the default redirect code if not explicitly mentioned.
rewrite ^/app/(.*)$ http://app.newexample.com/$1 permanent;
An even better way is using return
location /app {
    return 301 $scheme://app.newexample.com$request_uri;
}
Adding a GET parameter as mentioned above would also be a reliable way to do it; you can easily set a session (flash) and redirect again to the page itself, but after removing the appended GET parameter.
EDIT:
Redirecting doesn't send referrer header, if the old domain is still working you could put a simple php file that does the redirect with a header call.
header("Location: http://app.newexample.com");
One possible solution without any headers would be to check the document.referrer property:
if (document.referrer.indexOf("http://app.example.com") === 0) {
    alert("We moved!");
}
Using a 301 will set the referrer to the old page. If the referrer doesn't start with the old page url, it was not directed by that page. Maybe a bit quick n dirty, but should work.
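An added example (not code from any of the answers) that combines the two signals proposed in this thread, the `from_old` query parameter and `document.referrer`. It compares the referrer's parsed host name instead of a string prefix, so a look-alike host such as `app.example.com.other.test` does not match, and it removes the marker parameter from the address bar. `migrationNotice` and `cameFromOldSite` are hypothetical names.

```javascript
// Added example, not code from the thread. Function names are hypothetical.
const OLD_HOST = "app.example.com"; // old domain from the question
const FLAG = "from_old";            // query parameter used in the first answer

// Exact host comparison on the parsed referrer. A prefix test on the raw
// string would also accept hosts that merely start with the old name.
function cameFromOldSite(referrer) {
  if (!referrer) return false; // the browser may send no referrer at all
  try {
    return new URL(referrer).hostname === OLD_HOST;
  } catch {
    return false; // not a parseable URL
  }
}

// Decide whether to show the banner and compute the URL without the marker.
function migrationNotice(href, referrer = "") {
  const url = new URL(href);
  const flagged = url.searchParams.has(FLAG);
  url.searchParams.delete(FLAG);
  return {
    showBanner: flagged || cameFromOldSite(referrer),
    cleanUrl: url.toString(),
  };
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined") {
  const notice = migrationNotice(window.location.href, document.referrer);
  if (notice.cleanUrl !== window.location.href) {
    // Drop the marker so a reload or a shared link does not repeat the banner.
    window.history.replaceState(null, "", notice.cleanUrl);
  }
  if (notice.showBanner) alert("We moved!");
}
```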

Why does IIS respond to a secure(SSL) page request with a 302 to its non-secure version?

I have SSL installed at the root of a server. I have a page whose code behind code is supposed to redirect after certain validation to a secure page. Here's the redirect code:
switch (PageBase2.GetParameterValue("Environment")) // Retrieves App Setting named Environment from web.config
{
    case "Server":
        strURL = @"https://" + HttpContext.Current.Request.Url.Authority + "/checkout/payment.aspx";
        break;
    case "Local":
        strURL = @"http://" + HttpContext.Current.Request.Url.Authority + "/checkout/payment.aspx";
        break;
    default:
        strURL = @"https://" + HttpContext.Current.Request.Url.Authority + "/checkout/payment.aspx";
        break;
}
Response.Redirect(strURL, false);
But the page that's been served by IIS is non-secure. I looked at the firebug console and it appears that the client does make a get request to https://server/checkout/payment.aspx but IIS responds with a 302 to http://server/checkout/payment.aspx
Any clues as to what could be causing it? I've even tried forcing SSL for the page, but it doesn't work; I get a 403.4 error. (SSL is required to view this resource.)
And if I remove the redirection logic and code the payment page to redirect to its SSL version when the connection is not secure using Request.IsSecureConnection, I end up with an endless redirect loop, simply because IIS still won't serve the secure version without a 302.
Any ideas?
It sounds like you do not have the proper configuration of IIS, with the SSL applied to the specific website.
You can test this by trying to visit a static resource, image or HTML file, via the https link. If that redirects as well, I would look into the IIS config.
