HTTPS重定向网络解决方案 [英] https redirect for Network Solutions

问题描述

我使用的网络解决方案与一个UNIX主机包一个托管服务提供商。我需要某些页面重定向到https（登录等）。在经历了大量的测试，我结束了以下的.htaccess项：

I am using Network Solutions as a hosting provider with a UNIX hosting package. I need to redirect certain pages to https (login, etc). After going through a lot of testing, I ended up with the following .htaccess entry:

RewriteEngine on

RewriteCond %{SERVER_PORT} !^443$ [OR]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://[domain_redacted]/$1 [R=301,L]

这导致了一个无限重定向循环。经过与网络解决方案的讨论，他们告诉我，我需要301重定向（很明显我在做什么不是一个301重定向...），所以后来我试图在.htaccess如下：

This resulted in an infinite redirect loop. After discussions with Network Solutions, they told me I needed to 301 redirect (apparently what I was doing is not a 301 redirect ...), so I then tried the following in .htaccess:

Redirect 301 / https://[domain_redacted]/

这当然导致了一个无限循环，正如人们所期望的那样。由于这些方法都合作过，我把下面的PHP脚本我的服务器上测试HTTPS检测通过PHP：

This, of course, resulted in an infinite loop, as one would expect. Since none of these methods worked, I put the following php script on my server to test https detection through PHP:

<?php 
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') { 
    echo 'HTTPS IS ON';
} else {
    echo 'HTTPS IS OFF';
} 
?>

当请求该页面通过HTTP和HTTPS，该脚本返回OFF。

When requesting this page over both HTTP and HTTPS, the script returns OFF.

那么，还有什么其他方法可用来检测HTTPS服务器端在Apache或者PHP？

So, what other methods exist to detect HTTPS server side in Apache or PHP?

推荐答案

我只问，所以我可以回答这个问题，主要是因为我无法找到一个解决办法的任何地方。

I asked only so I could answer the question, mostly because I couldn't find a solution anywhere.

背景： 该方式的网络解决方案处理他们的共享主机系统，你实际上并没有连接到服务器，您连接到代理服务器（这是有道理的）。当您执行HTTPS重定向这样的：

Background: The way Network Solutions handles their shared hosting systems, you don't actually connect to a server, you connect to a proxy server (this makes sense). When you perform an https redirect like:

RewriteEngine on

RewriteCond %{SERVER_PORT} !^443$ [OR]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://[domain_redacted]/$1 [R=301,L]

您呢，其实，页面重定向到HTTPS。但是，你的代理服务器执行的HTTPS交易，不是你的托管服务器。代理服务器会将它通过端口80的HTTPS连接HTTP当尝试使用的.htaccess检测此，服务器不会看到HTTPS，因为你的托管服务器和代理服务器之间的连接将永远是HTTP端口80。因为PHP拉Apache的HTTPS变量，它将具有相同的结果，通过的.htaccess检测HTTP。

You do, in fact, redirect the page to HTTPS. However, you are performing your HTTPS transaction with the proxy server, not your hosting server. The proxy server translates your HTTPS connection with it to HTTP over port 80. When attempting to detect this with .htaccess, the server doesn't see HTTPS because the connection between your hosting server and the proxy will always be HTTP on port 80. Because PHP pulls the HTTPS variable from Apache, it will have the identical outcome to detecting HTTP through .htaccess.

因此​​，除非我错了，这是不可能执行自引用HTTP到HTTPS重定向时，分享了网络解决方案托管。该请求必须以某种方式改变（无论是通过在URI或查询字符串的变化），以便使服务器来检测变化。当然，这，完全是欺骗性（比如无论你怎么改变URI /查询字符串，我们可以简单地把它输入到浏览器中的HTTP和服务器永远不会知道），否定HTTPS的整点。

Therefore, unless I am mistaken, it is impossible to perform a self-referencing HTTP to HTTPS redirect when on shared hosting from Network Solutions. The request must somehow change (either through a change in the URI or the Query String) in order for the server to detect the change. This, of course, is completely spoofable (e.g. no matter how you change the URI/Query String, one can simply type it into the browser as http and the server would never know), negating the whole point of HTTPS.

我想检查是否％{HTTP_REFERER}引用本身，但它并没有使用mod_rewrite。

I tried checking if %{HTTP_REFERER} referenced itself, but it did not using mod_rewrite.

唯一的解决办法我能想出是通过客户端检测与JavaScript。这有它自己的缺陷（NoScript的，等）。但我不能想出另一种解决问题的办法。下面code将接近301重定向。

The only workaround I can come up with is through client-side detection with javascript. This has its own pitfalls (NoScript, etc). But I cannot come up with another solution to the problem. The following code will approximate a 301 redirect.

if(document.URL.match(/^https/i) == null) {
    var NetworkSolutionsSucks = document.createElement('meta');
    with (NetworkSolutionsSucks) {
        httpEquiv = 'refresh';
        content = '0;url=' + document.URL.replace(/^http/i,'https');
    }
    document.head.appendChild(NetworkSolutionsSucks);

    var msg = document.createElement('div');
    with (msg) {
        innerHTML = 'This page requires a secure connection, you are being redirected.<br><br>';
        innerHTML += 'If the page does not load, please click <a href="' + document.URL.replace(/^http/i,'https') + '">Here</a>';
    }
    var newBody = document.createElement('body');

    newBody.appendChild(msg);
    document.replaceChild(newBody, document.body);
}

在包含要强制HTTPS的任何文档的页眉上面的脚本（强制HTTP是留给作为练习读者 - 这是一个简单的脚本，而不需要手动重新定向某些故障）。你应该使用这个（显然）无脚本标签;您可以使用以下命令：

Include the above script in the header of any document you want to force HTTPS (forcing HTTP is left as an exercise for the reader - it's a simpler script, not requiring the manual redirect on some failure). You should use a noscript tag with this (obviously); you can use the following:

<noscript id="networkSolutionsHTTPSRedirect">This site requires javascript in order to operate properly. Please enable javascript and refresh this page.</noscript>
<style type="text/css">#networkSolutionsHTTPSRedirect{position: fixed; height: 100%; width: 100%; top: 0; left: 0; z-index: 500;}</style>
<script type="text/javascript">
<!--
document.getElementById("networkSolutionsHTTPSRedirect").style.visibility = "hidden";
document.getElementById("networkSolutionsHTTPSRedirect").style.display = "none";
-->
</script>

修改：我想出了一个办法做到这一点的服务器端：

您可以尝试强制整个网站到HTTPS如果你在每一页上如下：

I figured out a way to do this server side:

You can try to force the entire site to HTTPS if you do the following on every page:

<?php
if((!isset($_ENV['HTTP_REFERER']) || preg_match('/^http[s]{0,1}:\/\/' . $_ENV['SERVER_NAME'] . '/i',$_ENV['HTTP_REFERER']) == 0) && !isset($_ENV[HTTP_X_HTTPS_REDIRECT])) {
    header('X-HTTPS-REDIRECT: true\n');
    header('Location:' . preg_replace('/^http/','https', $_ENV['SCRIPT_URI']));
}
?>

这应该引入重定向到没有HTTP_REFERER设置为您的网站，不要携带你注入的自定义X-HTTPS的重定向头所有请求。这并不能真正检测到HTTPS，但进行合理的传真（至少它的服务器端）。

This should introduce a redirect to all requests that don't have HTTP_REFERER set to your site and do not carry the custom X-HTTPS-REDIRECT header that you inject. This doesn't really detect HTTPS, but performs a reasonable facsimile (at least its server side).

您可以，当然，修改正则表达式，这样只有某些站点需要由REFERER匹配域的部分是HTTPS要担保和再否定测试，以迫使HTTP。

You could, of course, modify the regex so that only certain sites need to be HTTPS by matching the REFERER to the portion of your domain that you want secured and then negate the test to force HTTP.

这篇关于HTTPS重定向网络解决方案的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！