HTTPS to HTTP Redirection on Apache Means Site is Not Secure


#1

Please fill out the fields below so we can help you better.

My domain is: www.freshculture.me

I ran this command:

It produced this output:

My operating system is (include version): Ubuntu 14.04

My web server is (include version): Apache 2.4.7

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

I have installed the SSL certificate on my server. However, only the homepage is https accessible. Any other internal page on the site is accessible only by http and not https.
Please let me know what I am doing wrong here.


#2

Hi @pratiklohia,

All your site is being redirected from https to http:

$ curl -IkL https://www.freshculture.me
HTTP/1.1 302 Found
Date: Fri, 12 May 2017 15:07:18 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Set-Cookie: adminhtml=m98l2r8audlttignstlf1evkh3; expires=Sat, 13-May-2017 15:07:18 GMT; Max-Age=86400; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: adminhtml_cid=ksa0Eq6oP00w9NOt; expires=Sat, 13-May-2017 15:07:18 GMT; Max-Age=86400; path=/; domain=freshculture.me; secure
Location: http://www.freshculture.me/             <---- here is the redirect to http
Access-Control-Allow-Origin: *
Connection: close
Content-Type: text/html; charset=UTF-8

HTTP/1.1 200 OK
Date: Fri, 12 May 2017 15:07:19 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Set-Cookie: adminhtml=2q82anbq5kr5i1t0fiqob1pd34; expires=Sat, 13-May-2017 15:07:19 GMT; Max-Age=86400; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Fpc-Cache-Id: FPC_REQUEST_deae781df7b2b72d251221e4500d49aa
Access-Control-Allow-Origin: *
Connection: close
Content-Type: text/html; charset=UTF-8

Maybe you have a redirect/rewrite rule on your apache… or in some .htaccess file.

Cheers,
sahsanu


#3

Thanks Sahsanu.

I added the following in the etc/apache2/sites-enabled/000-default.conf

Redirect permanent / https://www.freshculture.me

But I get an error that the website is not redirecting properly.


#4

@pratiklohia, if you already have a redirect from https to http and you add a new redirect from http to https, you only get a never-ending loop. As I said, you need to find where the redirect is; you should search for Redirect or RewriteRule directives inside your Apache conf files or in any .htaccess you are using on your site.
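
The HTTPS-to-HTTP downgrade shown in post #2 and the loop described in post #4 can both be confirmed from saved `curl -IL` header output. The Python below is an added example, not part of the original posts; `parse_hops`, `audit` and the trimmed sample dumps are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

def _norm(url):
    """Treat an empty path as '/' so both spellings of the site root compare equal."""
    parts = urlsplit(url)
    return parts._replace(path=parts.path or "/", fragment="").geturl()

def parse_hops(start_url, header_dump):
    """Split `curl -IL` output into (request_url, status, location) per response."""
    hops, url = [], _norm(start_url)
    for block in header_dump.replace("\r\n", "\n").strip().split("\n\n"):
        lines = block.strip().splitlines()
        status = int(lines[0].split()[1])           # "HTTP/1.1 302 Found" -> 302
        location = None
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "location":
                location = _norm(urljoin(url, value.strip()))
        hops.append((url, status, location))
        if location:
            url = location                          # the next response answers this URL
    return hops

def audit(hops):
    """Flag HTTPS->HTTP downgrades and redirects back to an already-requested URL."""
    findings, requested = [], set()
    for url, status, location in hops:
        requested.add(url)
        if location is None:
            continue
        if urlsplit(url).scheme == "https" and urlsplit(location).scheme == "http":
            findings.append(("downgrade", url, location))
        if location in requested:
            findings.append(("loop", url, location))
    return findings

# Constructed samples: headers trimmed from the thread's curl output, then the
# same site with the http->https Redirect from post #3 added on top of it.
DOWNGRADE = ("HTTP/1.1 302 Found\nLocation: http://www.freshculture.me/\n\n"
             "HTTP/1.1 200 OK\nContent-Type: text/html; charset=UTF-8\n")
LOOP = ("HTTP/1.1 302 Found\nLocation: http://www.freshculture.me/\n\n"
        "HTTP/1.1 301 Moved Permanently\nLocation: https://www.freshculture.me\n\n"
        "HTTP/1.1 302 Found\nLocation: http://www.freshculture.me/\n")

if __name__ == "__main__":
    for name, dump in (("downgrade", DOWNGRADE), ("loop", LOOP)):
        print(name, audit(parse_hops("https://www.freshculture.me", dump)))
```
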


#5

Looked into the Server Config files… there are no rewrites there.

The only suspect then would have been the .htaccess in the root folder of the Web App.
I am not able to clearly tell which of these directives could be doing the rewrite. Kindly assist.

############################################
## workaround for HTTP authorization
## in CGI environment

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

############################################
## TRACE and TRACK HTTP methods disabled to prevent XSS attacks

RewriteCond %{REQUEST_METHOD} ^TRAC[EK]
RewriteRule .* - [L,R=405]

############################################
## redirect for mobile user agents

#RewriteCond %{REQUEST_URI} !^/mobiledirectoryhere/.*$
#RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos|googlebot-mobile" [NC]
#RewriteRule ^(.*)$ /mobiledirectoryhere/ [L,R=302]

############################################
## always send 404 on missing files in these folders

RewriteCond %{REQUEST_URI} !^/(media|skin|js)/

############################################
## never rewrite for existing files, directories and links

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l

############################################
## rewrite everything else to index.php

RewriteRule .* index.php [L]

#6

Hi @pratiklohia,

Those rules should not cause the redirection so I’m thinking that some php file is performing the redirect, maybe on index.php. Please, run the following grep command from the Document Root of your site:

grep -ri 'Location:' *

If it doesn’t provide any output, search for the header command inside your PHP files.

grep -ri 'header' *

And show the output.

Next time, paste the text, select it and click on the icon </> so the output won’t be messed up by the forum syntax.

Cheers,
sahsanu

