English Amiga Board

English Amiga Board (http://eab.abime.net/index.php)
-   project.EAB (http://eab.abime.net/forumdisplay.php?f=14)
-   -   Add http redirect to https (http://eab.abime.net/showthread.php?t=109505)

Anubis 14 January 2022 14:26

Add http redirect to https
 
Can you please add http redirect for https site?


For some reason browser defaults to http and trows 404 error.:crazy

gimbal 14 January 2022 15:48

But what 404's? The http route works just fine for me. I want the redirect because I'm too lazy to type it out myself :)

Radertified 14 January 2022 16:48

The http:// site works fine for me. There's something wrong on your end if it doesn't work.

Making the site redirect http:// redirect to https:// could hurt Amiga browsers. Whether or not that matters is up to RCK and the rest.

gimbal 14 January 2022 17:16

Maybe redirect is the wrong word, the default protocol that should be picked if all you type in is "eab.abime.net" should be https. If you type http:// then that should just go to the http site because that is what you specifically ask for.

deimos 14 January 2022 17:59

Quote:

Originally Posted by gimbal (Post 1526978)
Maybe redirect is the wrong word, the default protocol that should be picked if all you type in is "eab.abime.net" should be https. If you type http:// then that should just go to the http site because that is what you specifically ask for.

Redirect is the right word.

The problem is that it would have to be for all non-https requests to eab.abime.net, there's no way to infer the user's intent.

(I believe) the only way to make eab.abime.net "secure", but allow people who insist that it must also be "insecure", would be to move the insecure part to a separate hostname, and also ensure that no cookies will be shared between the two (sharing cookies between secure and insecure sites negates much of the security), and all that would have negative impacts on other things, and stuff.

Maybe there are other options. Maybe there's a header that can tell recent browsers to prefer https. I don't know, I've been out of the game for a while.

desiv 14 January 2022 18:27

I would think that would be a client issue.
It is the browser that decides what protocol to use if you only type in the domain name with no HTTP: or HTTPS:

So that sounds like a browser issue.
As mentioned, a redirect on the server side would probably break all HTTP, because it would be redirecting it to HTTPS.

deimos 14 January 2022 18:43

Quote:

Originally Posted by desiv (Post 1526997)
I would think that would be a client issue.
It is the browser that decides what protocol to use if you only type in the domain name with no HTTP: or HTTPS:

So that sounds like a browser issue.
As mentioned, a redirect on the server side would probably break all HTTP, because it would be redirecting it to HTTPS.

You'd think so, but no, https-first is a new thing, and relies on people running up-to-date software (on an Amiga forum). The only way to fix security is to do it on the server side. Clients can't be trusted.

NoX1911 14 January 2022 19:07

As far as i know there are only two methods to do that on the server-side. Port redirect and HSTS. Both do not allow optional HTTP.

deimos 14 January 2022 19:51

Quote:

Originally Posted by NoX1911 (Post 1527010)
As far as i know there are only two methods to do that on the server-side. Port redirect and HSTS. Both do not allow optional HTTP.

I'm not sure what you could mean by "port redirect", but HSTS looks like the magical header that I'd hoped for a couple of posts ago. It still requires that HTTP exists though, and that it doesn't emit any cookies or private information.

NoX1911 14 January 2022 20:15

Quote:

Originally Posted by deimos (Post 1527028)
I'm not sure what you could mean by "port redirect"

Server redirection of port 80 (http) to 443 (https) via http/301 or similar.
You enter the site by "http://" and the server replies with "Go to https:// instead" and your browser does so.

Quote:

Originally Posted by deimos (Post 1527028)
HSTS looks like the magical header that I'd hoped for a couple of posts ago.

If the below quote is true its probably not what we want. Firefox has a file in the profile folder (SiteSecurityServiceState.txt) that remembers the server-side requested hsts/https state (for a specific time). If that entry is valid there is no way to enter the site by http (that's enforced by the client/firefox. That's how HSTS is intended).
Edit: On the other hand, Amiga browser is not Firefox. It could theoretically ignore HSTS. But that's a quirk. Getting 'hurt by redirection' is a major quirk as well though. I can't tell anything about Amiga browsers though. Not sure what's wrong with them.
Quote:

Originally Posted by Radertified (Post 1526973)
Making the site redirect http:// redirect to https:// could hurt Amiga browsers.


Anubis 14 January 2022 23:01

Reason I posted this as I had the same thing happen on 3 computers (work, gaming and laptop I use at home) and after further check, it seems it is one of cookies that caused 404 - Page not found error. Removing cookies fixed this.

If anyone else has the same problem, just remove cookies.

I still think that https should have president over http access to site. (be first to be reached if you just type eab.abime.net )

coldacid 15 January 2022 03:35

HTTPS versus HTTP should be decided by the browser if you don't explicitly specify that you want one or the other. Not everyone accessing this site has a browser that does HTTPS, especially if they're connecting from their Amiga.

meynaf 16 January 2022 15:36

It seems 404 error on EAB is not linked to https at all. At least, not for me.
And no link with cookies either.

If i try :
http://eab.abime.net/
then i get 404.

But if i do :
http://eab.abime.net/index.php
then it works...

hooverphonique 16 January 2022 17:48

Quote:

Originally Posted by meynaf (Post 1527316)
If i try :
http://eab.abime.net/
then i get 404.

But if i do :
http://eab.abime.net/index.php
then it works...


Same here (Firefox 96)...

zipper 16 January 2022 18:50

Both do work - Firefox, Chrome and Edge. And IB2.4 on WinUAE...

gimbal 17 January 2022 11:38

In this other thread 404 problems are being linked specifically to Firefox usage

hooverphonique 17 January 2022 16:53

Quote:

Originally Posted by zipper (Post 1527347)
Both do work - Firefox, Chrome and Edge. And IB2.4 on WinUAE...

When using https, yes. using http://eab.abime.net on firefox results in 404 - I'm pretty sure that wasn't the case a week ago.

NoX1911 17 January 2022 18:16

Http works properly here as well. Maybe try a new Firefox profile for testing.
The forum was down for 24h some days ago (the IRC server seems still down. At least the top banner has it still removed). Maybe there are still side-effects out there.

zipper 17 January 2022 21:19

http://eab.abime.net/ redirects to https on my Firefox as I checked.

RCK 21 January 2022 10:35

1 Attachment(s)
I won't force any https:// redirection on server side.
EAB is available to full HTTP or full HTTPS :

http://eab.abime.net/
https://eab.abime.net/

I just tested both url with Firefox 96 and Chrome 97 without any problem :)
So if your browser don't let you access the HTTP version, clean your cache and reset your privacy options.

edit: see FF96 screenshot with http://eab.abime.net


All times are GMT +2. The time now is 02:06.

Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2022, vBulletin Solutions Inc.

Page generated in 0.08929 seconds with 11 queries