21 minutes ago, requinix said:

What they do show is the use of X-Forwarded-Proto. It suggests that your CloudFlare configuration is middleman-ing the HTTPS: browser thinks it wants HTTPS, goes to CloudFlare, CloudFlare handles the SSL and then forwards it as HTTP to your server.

Is that what it's doing? Are you seeing many duplicate entries in your access log?

I set up a free CloudFlare account to hide my actual server from the outside world, and to learn more about proxy-servers and CDNs for an ecommerce site that I am working on separately.

My CloudFlare account comes with a free shared SSL certificate, and I also have a free SSL certificate on my VPS that cPanel provides.

As such, this is how a tech at my webhost explained things to me...

Someone clicks on a link or types in the URL to my website. The request ultimately ends up at CloudFlare which creates an encrypted tunnel between their server and the person requesting my website. CloudFlare's SSL cert is shared, but should protect traffic between the requester and CloudFlare.

CloudFlare then takes this user's request, figures out the IP to my VPS, and then sends that request to my server over an encrypted tunnel that was established by cPanel's SSL cert that is on my VPS.

So when a user makes a request to my website, there are two "legs" over which the request must travel, and they should both be encrypted.

How does all of this relate to my desire to have mod_rewrites that take a non-WWW or WWW request and make it "proper" by redirecting to an "HTTPS://WWW." address?

I have no clue....

You make it sound like if I use this, then it should work fine with CloudFlare, right?

	RewriteCond %{HTTP_HOST} !^www\. [OR]
	RewriteCond %{HTTPS} off
	RewriteRule ^ https://www.mysite.com%{REQUEST_URI} [L,R=301]
	

Since my webhost suggested using {HTTP:X-Forwarded-Proto} I wasn't sure.

 

Stepping back for a minute... 

Am I using SESSIONS properly on my website?  Or am I missing some necessary PHP code?

 

Back to CloudFlare, I don't know anything about reading logs...

 

32 minutes ago, requinix said:

Their version is not proper because it will result in multiple redirects: http and mysite.com -> https and mysite.com -> https and www.mysite.com.

I'm wrong, nevermind.

6 minutes ago, SaranacLake said:

CloudFlare then takes this user's request, figures out the IP to my VPS, and then sends that request to my server over an encrypted tunnel that was established by cPanel's SSL cert that is on my VPS.

So when a user makes a request to my website, there are two "legs" over which the request must travel, and they should both be encrypted.

Should be, yes. But what you're describing makes it sound like that second leg is not being encrypted right now.

If it was not, with my version of the URL rewriting, it would always think the connection was HTTP and would always redirect. Every time. The browser would keep being redirected to https://www.mysite.com over and over, which could appear to you as a "loop" because of the CPU usage of Apache handling the same request over and over.

Quote

How does all of this relate to my desire to have mod_rewrites that take a non-WWW or WWW request and make it "proper" by redirecting to an "HTTPS://WWW." address?

You don't see how understanding HTTPS on your site has anything to do with redirections to HTTPS?

Quote

You make it sound like if I use this, then it should work fine with CloudFlare, right?


	RewriteCond %{HTTP_HOST} !^www\. [OR]
	RewriteCond %{HTTPS} off
	RewriteRule ^ https://www.mysite.com%{REQUEST_URI} [L,R=301]
	

Not necessarily. It should in theory, sure, but if they're unwrapping the SSL then this will not work, and if they're forcing SSL even if the original connection to them was not then this will not work.

Quote

Am I using SESSIONS properly on my website?  Or am I missing some necessary PHP code?

You've said that sessions are not working properly on your site. I've said that it was a configuration problem. You decide.

7 minutes ago, requinix said:

Should be, yes. But what you're describing makes it sound like that second leg is not being encrypted right now.

How would I verify that?

While I was on the phone a few nights ago, the tech installed the free cPanel SSL for me and confirmed it was working.

 

7 minutes ago, requinix said:

If it was not, with my version of the URL rewriting, it would always think the connection was HTTP and would always redirect. Every time. The browser would keep being redirected to https://www.mysite.com over and over, which could appear to you as a "loop" because of the CPU usage of Apache handling the same request over and over.

You don't see how understanding HTTPS on your site has anything to do with redirections to HTTPS?

I wasn't understanding why I needed this code to make things work...

#RewriteCond %{HTTP_HOST} !^www\.
#RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#RewriteCond %{HTTPS} off
#RewriteCond %{HTTP:X-Forwarded-Proto} !https
#RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

 

BTW, I decided to brave things, and tried your code, and no crashes or infinite loops - based only on observation - appear to have occurred.  So maybe I do not need the {HTTP X-Forwarded-Proto} thing?!

Things seem to be working okay, but for some strange reason, when I go to: https://www.mysite.com/client1/gallery/2019-holiday-party and then I delete off the https:// and/or www. then my code goes to "Access Denied".

Otherwise your code seems to be working okay with CloudFlare turned ON.

 

7 minutes ago, requinix said:

Not necessarily. It should in theory, sure, but if they're unwrapping the SSL then this will not work, and if they're forcing SSL even if the original connection to them was not then this will not work.

I have no clue how CloudFlare is handling things...

 

7 minutes ago, requinix said:

You've said that sessions are not working properly on your site. I've said that it was a configuration problem. You decide.

It appears there may be an issue with how cPanel is set up, however, I was asking if maybe my PHP code isn't coded so great?

You mentioned there might be an issue with my SESSIONS and an incorrect subdomain or something?

How would I fix that?

 

16 minutes ago, SaranacLake said:

How would I verify that?

Disable all redirections, put this on your server, and browse to it. What does it say? For both http:// and https://.

<?php

var_dump($_SERVER["HTTPS"] ?? "unset");

16 minutes ago, SaranacLake said:

 

Things seem to be working okay, but for some strange reason, when I go to: https://www.mysite.com/client1/gallery/2019-holiday-party and then I delete off the https:// and/or www. then my code goes to "Access Denied".

:psychic:

Check your error log.

16 minutes ago, SaranacLake said:

You mentioned there might be an issue with my SESSIONS and an incorrect subdomain or something?

How would I fix that?

What are the session cookie settings?

4 minutes ago, requinix said:

Disable all redirections, put this on your server, and browse to it. What does it say? For both http:// and https://.


<?php

var_dump($_SERVER["HTTPS"] ?? "unset");

Do you mean comment out all of the mod_rewrites in my .htaccess file?

Or by redirects do you mean in each script like when I do this...

menu.php

    // Check if Logged-In.
    if (isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] == TRUE){
        // Member Logged In.
        // Continue processing...
    }else{
        // Not Logged In.
        // Redirect to Access-Denied.
        header("Location: " . BASE_URL . "/utilities/access-denied");
        // End script.
        exit();
    }//End of CHECK IF LOGGED-IN
	

 

 

4 minutes ago, requinix said:

Check your error log.

Not sure how to do this...

 

4 minutes ago, requinix said:

What are the session cookie settings?

Like in the php.ini file?

Anything in particular you want to know about?

 

P.S. 

To make sure I am working from a clean workspace, I just yo-yo'ed my server, and I rebooted my MacBook. With CloudFlare turned ON or OFF, and using your mod_rewrite code, when I go to mysite.com in either Chrome or Firefox, the mod_rewrite doesn't work. By that I mean the URL stays as mysite.com

I feel like I am going in circles....

(Please see my previous post as well.)

45 minutes ago, SaranacLake said:

Do you mean comment out all of the mod_rewrites in my .htaccess file?

Yes.

45 minutes ago, SaranacLake said:

Not sure how to do this...

Apache is logging errors to a file. Open the file and look at what is inside.

45 minutes ago, SaranacLake said:

Like in the php.ini file?

Or wherever.

45 minutes ago, SaranacLake said:

Anything in particular you want to know about?

Yes: the session cookie settings.

@requinix,

Never in my life have I spent so much time trying to get a 4-page website working?!  :facewall:

I made a backup of my current files on the server and am trying to leave no stone unturned on all of this.

It would help if my web host would help me figure out the cPanel side of things.

Did you see my last post?

Why did your mod-rewrites suddenly stop working??  :shrug:

8 hours ago, requinix said:

Disable all redirections, put this on your server, and browse to it. What does it say? For both http:// and https://.


<?php

var_dump($_SERVER["HTTPS"] ?? "unset");

 

@requinix

I didn't really follow what you are saying...

I commented out the mod_rewrites you helped me with, and in index.php added this at the top...

	var_dump($_SERVER["HTTPS"]);
	exit();
	

 

When I go to mysite.com Firefox reloads the screen as broken padlock http://mysite.com/

My home page displayed NULL

I do NOT understand how the nifty 3 line mod_rewrite you showed me went from working perfectly last night to dead in the water today?!

My webhost gave me another mod_rewrite that works for the https://www. issue, but I would prefer to use the one we worked on...

 


@requinix

After extensive testing, here is the poop...

Your code doesn't work with Cloudflare...

This code from my web host - which I cleaned up a bit - does work in Chrome and Firefox with Cloudflare turned on...

	RewriteCond %{HTTP_HOST} !^www\.
	RewriteRule ^ https://www.mysite.com%{REQUEST_URI} [L,R=301]

	RewriteCond %{HTTPS} off
	RewriteCond %{HTTP:X-Forwarded-Proto} !https
	RewriteRule ^ https://www.mysite.com%{REQUEST_URI} [L,R=301]
	

 

The key line being the 4th one!!

 

If you have a way to reduce that down into less lines I am all ears, but for now, I will go with that...

By the way, I haven't been able to recreate my SESSION issue, so I guess it had something to do with the redirects, but who knows?!

One thing I did accomplish in like 3 hours on the phone tonight with my web host was getting a better understanding of how cPanel works with php.ini files - it is WAY more complicated than locally on my MAMP instance!!!
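
Added example, not code from any poster in this thread: a small Python model of the two rule sets discussed above, evaluated as the origin server would see requests relayed by a TLS-terminating proxy, showing when the redirect never settles. It assumes the proxy sets X-Forwarded-Proto to the scheme the browser used; the function names are made up for illustration.

```python
# Added illustration: models the rewrite conditions only, it is not mod_rewrite.
from urllib.parse import urlsplit

CANONICAL = "https://www.mysite.com"  # placeholder host used in the thread

def origin_view(url, origin_leg_tls):
    """What Apache sees after the proxy relays a browser request for `url`."""
    u = urlsplit(url)
    return {
        "host": u.netloc,
        "path": u.path or "/",
        # %{HTTPS} describes only the proxy -> origin leg.
        "https": "on" if origin_leg_tls else "off",
        # Assumption: the proxy copies the browser's scheme into this header.
        # It is still a request header, so it means nothing unless the origin
        # accepts connections only from the proxy.
        "xfp": u.scheme,
    }

def rules_https_only(req):
    """Host check OR %{HTTPS} off (the three-line version)."""
    if not req["host"].startswith("www.") or req["https"] == "off":
        return CANONICAL + req["path"]
    return None

def rules_with_xfp(req):
    """Host check, then %{HTTPS} off AND X-Forwarded-Proto !https."""
    if not req["host"].startswith("www."):
        return CANONICAL + req["path"]
    if req["https"] == "off" and "https" not in req["xfp"]:
        return CANONICAL + req["path"]
    return None

def follow(url, rules, origin_leg_tls, limit=5):
    """Follow 301s as a browser would; ('LOOP', limit) if they never stop."""
    for hops in range(limit):
        target = rules(origin_view(url, origin_leg_tls))
        if target is None:
            return url, hops
        url = target
    return "LOOP", limit

if __name__ == "__main__":
    for rules in (rules_https_only, rules_with_xfp):
        for tls in (False, True):
            print(rules.__name__, "origin TLS:", tls,
                  follow("http://mysite.com/client1/gallery", rules, tls))
```

When the proxy forwards plain HTTP to the origin, only the rule set that also checks X-Forwarded-Proto stops redirecting; when the second leg is encrypted, both settle after one hop.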

 

 
