网络解决方案的 https 重定向

发布于 2024-10-11 19:16:28 字数 797 浏览 3 评论 0原文

我使用 Network Solutions 作为带有 UNIX 托管包的托管提供商。我需要将某些页面重定向到 https（登录等）。经过大量测试后，我最终得到了以下 .htaccess 条目：

RewriteEngine on

RewriteCond %{SERVER_PORT} !^443$ [OR]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://[domain_redacted]/$1 [R=301,L]

这导致了无限重定向循环。在与 Network Solutions 讨论后，他们告诉我我需要 301 重定向（显然我所做的不是 301 重定向...），所以我然后在 .htaccess 中尝试了以下操作：

Redirect 301 / https://[domain_redacted]/

这当然导致了无限循环，正如人们所期望的那样。由于这些方法都不起作用，我将以下 php 脚本放在我的服务器上，以通过 PHP 测试 https 检测：

<?php 
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') { 
    echo 'HTTPS IS ON';
} else {
    echo 'HTTPS IS OFF';
} 
?>

通过 HTTP 和 HTTPS 请求此页面时，脚本返回 OFF。

那么，还有哪些其他方法可以在 Apache 或 PHP 中检测 HTTPS 服务器端呢？

原文

I am using Network Solutions as a hosting provider with a UNIX hosting package. I need to redirect certain pages to https (login, etc). After going through a lot of testing, I ended up with the following .htaccess entry:

RewriteEngine on

RewriteCond %{SERVER_PORT} !^443$ [OR]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://[domain_redacted]/$1 [R=301,L]

This resulted in an infinite redirect loop. After discussions with Network Solutions, they told me I needed to 301 redirect (apparently what I was doing is not a 301 redirect ...), so I then tried the following in .htaccess:

Redirect 301 / https://[domain_redacted]/

This, of course, resulted in an infinite loop, as one would expect. Since none of these methods worked, I put the following php script on my server to test https detection through PHP:

<?php 
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') { 
    echo 'HTTPS IS ON';
} else {
    echo 'HTTPS IS OFF';
} 
?>

When requesting this page over both HTTP and HTTPS, the script returns OFF.

So, what other methods exist to detect HTTPS server side in Apache or PHP?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

掀纱窥君容 2024-10-18 19:16:28

我问这个问题只是为了回答这个问题，主要是因为我在任何地方都找不到解决方案。

背景：
网络解决方案处理其共享托管系统的方式，您实际上并不连接到服务器，而是连接到代理服务器（这是有道理的）。当您执行 https 重定向时，例如：

RewriteEngine on

RewriteCond %{SERVER_PORT} !^443$ [OR]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://[domain_redacted]/$1 [R=301,L]

事实上，您确实将页面重定向到 HTTPS。但是，您正在使用代理服务器而不是托管服务器执行 HTTPS 事务。代理服务器将您与它的 HTTPS 连接转换为通过端口 80 的 HTTP。当尝试使用 .htaccess 检测此情况时，服务器看不到 HTTPS，因为您的托管服务器和代理之间的连接将始终是端口 80 上的 HTTP。 PHP 从 Apache 中提取 HTTPS 变量，它将具有与通过 .htaccess 检测 HTTP 相同的结果。

因此，除非我弄错了，否则在 Network Solutions 的共享托管上时不可能执行自引用 HTTP 到 HTTPS 重定向。请求必须以某种方式发生更改（通过 URI 或查询字符串的更改），以便服务器检测到更改。当然，这是完全可以欺骗的（例如，无论您如何更改 URI/查询字符串，都可以简单地将其作为 http 输入到浏览器中，而服务器永远不会知道），从而否定了 HTTPS 的全部意义。

我尝试检查 %{HTTP_REFERER} 是否引用了自身，但它没有使用 mod_rewrite。

我能想到的唯一解决方法是通过 JavaScript 进行客户端检测。这有其自身的缺陷（NoScript 等）。但我无法想出另一个解决问题的方法。以下代码将近似 301 重定向。

if(document.URL.match(/^https/i) == null) {
    var NetworkSolutionsSucks = document.createElement('meta');
    with (NetworkSolutionsSucks) {
        httpEquiv = 'refresh';
        content = '0;url=' + document.URL.replace(/^http/i,'https');
    }
    document.head.appendChild(NetworkSolutionsSucks);

    var msg = document.createElement('div');
    with (msg) {
        innerHTML = 'This page requires a secure connection, you are being redirected.<br><br>';
        innerHTML += 'If the page does not load, please click <a href="' + document.URL.replace(/^http/i,'https') + '">Here</a>';
    }
    var newBody = document.createElement('body');

    newBody.appendChild(msg);
    document.replaceChild(newBody, document.body);
}

将上述脚本包含在您想要强制使用 HTTPS 的任何文档的标头中（强制 HTTP 留给读者作为练习 - 这是一个更简单的脚本，不需要在出现故障时进行手动重定向）。你应该使用 noscript 标签（显然）；您可以使用以下内容：

<noscript id="networkSolutionsHTTPSRedirect">This site requires javascript in order to operate properly. Please enable javascript and refresh this page.</noscript>
<style type="text/css">#networkSolutionsHTTPSRedirect{position: fixed; height: 100%; width: 100%; top: 0; left: 0; z-index: 500;}</style>
<script type="text/javascript">
<!--
document.getElementById("networkSolutionsHTTPSRedirect").style.visibility = "hidden";
document.getElementById("networkSolutionsHTTPSRedirect").style.display = "none";
-->
</script>

编辑：我想出了一种方法来执行此服务器端操作：

如果您在每个页面上执行以下操作，则可以尝试强制整个站点使用 HTTPS：

<?php
if((!isset($_ENV['HTTP_REFERER']) || preg_match('/^http[s]{0,1}:\/\/' . $_ENV['SERVER_NAME'] . '/i',$_ENV['HTTP_REFERER']) == 0) && !isset($_ENV[HTTP_X_HTTPS_REDIRECT])) {
    header('X-HTTPS-REDIRECT: true\n');
    header('Location:' . preg_replace('/^http/','https', $_ENV['SCRIPT_URI']));
}
?>

这应该会重定向到所有不使用 HTTPS 的请求将 HTTP_REFERER 设置为您的站点，并且不携带您注入的自定义 X-HTTPS-REDIRECT 标头。这并没有真正检测 HTTPS，但执行合理的传真（至少是其服务器端）。

当然，您可以修改正则表达式，以便只有某些站点需要使用 HTTPS，方法是将 REFERER 与您想要保护的域部分相匹配，然后取消测试以强制使用 HTTP。

I asked only so I could answer the question, mostly because I couldn't find a solution anywhere.

Background:
The way Network Solutions handles their shared hosting systems, you don't actually connect to a server, you connect to a proxy server (this makes sense). When you perform an https redirect like:

RewriteEngine on

RewriteCond %{SERVER_PORT} !^443$ [OR]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://[domain_redacted]/$1 [R=301,L]

You do, in fact, redirect the page to HTTPS. However, you are performing your HTTPS transaction with the proxy server, not your hosting server. The proxy server translates your HTTPS connection with it to HTTP over port 80. When attempting to detect this with .htaccess, the server doesn't see HTTPS because the connection between your hosting server and the proxy will always be HTTP on port 80. Because PHP pulls the HTTPS variable from Apache, it will have the identical outcome to detecting HTTP through .htaccess.

Therefore, unless I am mistaken, it is impossible to perform a self-referencing HTTP to HTTPS redirect when on shared hosting from Network Solutions. The request must somehow change (either through a change in the URI or the Query String) in order for the server to detect the change. This, of course, is completely spoofable (e.g. no matter how you change the URI/Query String, one can simply type it into the browser as http and the server would never know), negating the whole point of HTTPS.

I tried checking if %{HTTP_REFERER} referenced itself, but it did not using mod_rewrite.

The only workaround I can come up with is through client-side detection with javascript. This has its own pitfalls (NoScript, etc). But I cannot come up with another solution to the problem. The following code will approximate a 301 redirect.

if(document.URL.match(/^https/i) == null) {
    var NetworkSolutionsSucks = document.createElement('meta');
    with (NetworkSolutionsSucks) {
        httpEquiv = 'refresh';
        content = '0;url=' + document.URL.replace(/^http/i,'https');
    }
    document.head.appendChild(NetworkSolutionsSucks);

    var msg = document.createElement('div');
    with (msg) {
        innerHTML = 'This page requires a secure connection, you are being redirected.<br><br>';
        innerHTML += 'If the page does not load, please click <a href="' + document.URL.replace(/^http/i,'https') + '">Here</a>';
    }
    var newBody = document.createElement('body');

    newBody.appendChild(msg);
    document.replaceChild(newBody, document.body);
}

Include the above script in the header of any document you want to force HTTPS (forcing HTTP is left as an exercise for the reader - it's a simpler script, not requiring the manual redirect on some failure). You should use a noscript tag with this (obviously); you can use the following:

<noscript id="networkSolutionsHTTPSRedirect">This site requires javascript in order to operate properly. Please enable javascript and refresh this page.</noscript>
<style type="text/css">#networkSolutionsHTTPSRedirect{position: fixed; height: 100%; width: 100%; top: 0; left: 0; z-index: 500;}</style>
<script type="text/javascript">
<!--
document.getElementById("networkSolutionsHTTPSRedirect").style.visibility = "hidden";
document.getElementById("networkSolutionsHTTPSRedirect").style.display = "none";
-->
</script>

EDIT: I figured out a way to do this server side:

You can try to force the entire site to HTTPS if you do the following on every page:

<?php
if((!isset($_ENV['HTTP_REFERER']) || preg_match('/^http[s]{0,1}:\/\/' . $_ENV['SERVER_NAME'] . '/i',$_ENV['HTTP_REFERER']) == 0) && !isset($_ENV[HTTP_X_HTTPS_REDIRECT])) {
    header('X-HTTPS-REDIRECT: true\n');
    header('Location:' . preg_replace('/^http/','https', $_ENV['SCRIPT_URI']));
}
?>

This should introduce a redirect to all requests that don't have HTTP_REFERER set to your site and do not carry the custom X-HTTPS-REDIRECT header that you inject. This doesn't really detect HTTPS, but performs a reasonable facsimile (at least its server side).

You could, of course, modify the regex so that only certain sites need to be HTTPS by matching the REFERER to the portion of your domain that you want secured and then negate the test to force HTTP.

回复收藏 0 原文

金兰素衣 2024-10-18 19:16:28

我也有 Network Solutions 作为我的提供商。最后一次尝试使用 PHP 编写脚本也没有成功，导致无限循环。

Network Solutions 提供以下代码作为 Javascript 中从 http:// 到 https:// 的最佳重定向，表示无法在服务器端执行此操作。

    <script language="javascript">
    if (document.location.protocol != "https:")
    {
    document.location.href = "https://subdomain.yourdomain.com" + document.location.pathname;
    };
    </script>

您可以在此处找到有关该主题的信息。 http://www.networksolutions.com/support/ssl-redirects/

I have Network Solutions as my provider as well. This last attempt at scripting with PHP also did not work, resulting in an infinite loop.

Network Solutions offers the following code as the best redirect available from http:// to https:// in Javascript, saying that there is no way to do it server side.

    <script language="javascript">
    if (document.location.protocol != "https:")
    {
    document.location.href = "https://subdomain.yourdomain.com" + document.location.pathname;
    };
    </script>

Their information on the subject can be found here. http://www.networksolutions.com/support/ssl-redirects/

回复收藏 0 原文

剧终人散尽 2024-10-18 19:16:28

使用以下命令仅强制某些页面使用 https。在强制使用 http 的部分中，只需包含以否定格式强制使用 https 的部分/页面即可。

也许是这样的：(.htaccess)

Options +FollowSymLinks
RewriteEngine On
RewriteBase /

# Force https for mode= login, account or register, and the /admin directory:
RewriteCond %{HTTPS} !=on
RewriteCond %{QUERY_STRING} mode=(login|account|register) [OR]
RewriteCond %{REQUEST_URI} admin/
RewriteRule (.+) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

# force http for all NON login, account, register (query string)
# and anything else outside the /admin directory
RewriteCond %{HTTPS} on
RewriteCond %{QUERY_STRING} !mode=(login|account|register)
RewriteCond %{REQUEST_URI} !admin/
RewriteRule (.+) http://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

Use the following to force only certain pages to https. In your section to force http, just include the sections/pages that force https in a negated format.

Something like this, perhaps: (.htaccess)

Options +FollowSymLinks
RewriteEngine On
RewriteBase /

# Force https for mode= login, account or register, and the /admin directory:
RewriteCond %{HTTPS} !=on
RewriteCond %{QUERY_STRING} mode=(login|account|register) [OR]
RewriteCond %{REQUEST_URI} admin/
RewriteRule (.+) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

# force http for all NON login, account, register (query string)
# and anything else outside the /admin directory
RewriteCond %{HTTPS} on
RewriteCond %{QUERY_STRING} !mode=(login|account|register)
RewriteCond %{REQUEST_URI} !admin/
RewriteRule (.+) http://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

回复收藏 0 原文

匿名的好友 2024-10-18 19:16:28

PHP 变量：

$_ENV['SCRIPT_URI']

将返回完整的请求字符串，包括协议。

<?php 
if(preg_match('/^https/i',$_ENV['SCRIPT_URI']) == 0) {
    header('Location: ' . preg_replace('/^http/i','https', $_ENV['SCRIPT_URI']));
} 
?>

The PHP variable:

$_ENV['SCRIPT_URI']

will return the full request string, including protocol.

<?php 
if(preg_match('/^https/i',$_ENV['SCRIPT_URI']) == 0) {
    header('Location: ' . preg_replace('/^http/i','https', $_ENV['SCRIPT_URI']));
} 
?>

回复收藏 0 原文

耀眼的星火 2024-10-18 19:16:28

这是使用网络解决方案进行重定向的唯一干净方法。我花了几个小时进行测试。最适合 SEO。 Network Solutions 是一个具有挑战性的托管平台。

这将起作用 .htaccess 您将changeexample.com 替换为您的域名。简单的。

## Base Redirects ##

# Turn on Rewrite Engine
RewriteEngine On

# Remove trailing slash from non-filepath urls
RewriteCond %{REQUEST_URI} /(.+)/$
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ https://changeexample.com/%1 [R=301,L]

# Include trailing slash on directory 
RewriteCond %{REQUEST_URI} !(.+)/$
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+)$ https://changeexample.com/$1/ [R=301,L]

# Force HTTPS and remove WWW
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [OR,NC]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://changeexample.com/$1 [R=301,L]

祝你好运！这是截至 2021 年 5 月 14 日的最新信息

This is the ONLY Clean way to Redirect with Networksolutions. Took me hours of testing. Works best for SEO. Network Solutions is a challenging Hosting platform.

This will work .htaccess all you replace is changeexample.com with your domain. Easy.

## Base Redirects ##

# Turn on Rewrite Engine
RewriteEngine On

# Remove trailing slash from non-filepath urls
RewriteCond %{REQUEST_URI} /(.+)/$
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ https://changeexample.com/%1 [R=301,L]

# Include trailing slash on directory 
RewriteCond %{REQUEST_URI} !(.+)/$
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+)$ https://changeexample.com/$1/ [R=301,L]

# Force HTTPS and remove WWW
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [OR,NC]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://changeexample.com/$1 [R=301,L]

Best of Luck! This is current as of 05/14/2021

回复收藏 0 原文

~没有更多了~