HTTPS vs HTTP


epretorious

Lately our installation of WordPress seems to be misbehaving with regards to HTTPS/SSL so we've been trying to understand why some pages are redirected to the unencrypted site (i.e., in some instances, visitors are redirected from https://www.domain.com to http://www.domain.com) and others are not.

 

While investigating this, we discovered that some WHMCS pages are redirected (from https://www.domain.com/whmcs/foo.php to http://www.domain.com/whmcs/foo.php) and others are not. e.g.,

 

These scripts redirect from HTTPS to HTTP...

 

  • /whmcs/index.php
  • /whmcs/knowledgebase.php

...and these scripts do not redirect from HTTPS to HTTP...

 

  • /whmcs/domainchecker.php
  • /whmcs/clientarea.php

...so we started using openssl to determine what's really going on:

 

eric@eric-x1:~$ openssl s_client -connect domain.com:443

...

---
GET /whmcs/index.php HTTP/1.1
HOST:www.domain.com

HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 16 Apr 2014 23:54:30 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: WHMCS1c2qbdetsdVY=e0a8l02gj4t14tnth97nljcit4; path=/; HttpOnly
Location: http://www.domain.com/whmcs/index.php
X-Powered-By: PleskLin
MS-Author-Via: DAV

GET /whmcs/knowledgebase.php HTTP/1.1
HOST:www.domain.com

HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 16 Apr 2014 23:55:27 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: WHMCS1c2qbdetsdVY=2mo13cjhoshst68nqqcf8bcgu6; path=/; HttpOnly
Location: http://www.domain.com/whmcs/knowledgebase.php
X-Powered-By: PleskLin
MS-Author-Via: DAV

GET /whmcs/clientarea.php HTTP/1.1
HOST:www.domain.com

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 16 Apr 2014 23:57:07 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: WHMCS1c2qbdetsdVY=ha591al583jvjj6sdckfu35d60; path=/; HttpOnly
X-Powered-By: PleskLin
MS-Author-Via: DAV

1207
...<HTML OUTPUT>...

GET /whmcs/domainchecker.php HTTP/1.1 
HOST:www.rocket-powered.com

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 17 Apr 2014 00:01:12 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: WHMCS1c2qbdetsdVY=drd70dq09klifj4enmupkb6mb2; path=/; HttpOnly
X-Powered-By: PleskLin
MS-Author-Via: DAV

2ae6
...<HTML OUTPUT>...

 

...so now we're wondering if some of these PHP scripts (e.g., index.php, knowledgebase.php) force a redirect to the unencrypted page or if there's some other mechanism at work.

Link to comment
Share on other sites
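
The check done by hand in the session above, automated as an added example that is not part of the original post: it parses an `openssl s_client` transcript and flags responses whose `Location` header points back to `http://`, and session cookies set without the `Secure` attribute (the captured headers carry only `HttpOnly`). The transcript is a constructed sample modelled on the post; the function name `audit` and the cookie name are assumptions.

```python
import re

# Constructed sample modelled on the session in the post (not real capture data).
TRANSCRIPT = """\
GET /whmcs/index.php HTTP/1.1
HOST:www.domain.com

HTTP/1.1 302 Moved Temporarily
Set-Cookie: WHMCSsample=aaaa1111; path=/; HttpOnly
Location: http://www.domain.com/whmcs/index.php

GET /whmcs/clientarea.php HTTP/1.1
HOST:www.domain.com

HTTP/1.1 200 OK
Set-Cookie: WHMCSsample=bbbb2222; path=/; HttpOnly

1207
...<HTML OUTPUT>...
"""

REQ = re.compile(r"^(GET|HEAD|POST) (\S+) HTTP/1\.[01]\s*$")
STATUS = re.compile(r"^HTTP/1\.[01] (\d{3})")

def audit(transcript):
    """Return one finding dict per request typed into the HTTPS session."""
    findings, cur, in_headers = [], None, False
    for line in transcript.splitlines():
        m = REQ.match(line)
        if m:  # a new request line starts a new finding
            cur = {"path": m.group(2), "status": None,
                   "downgrade": False, "insecure_cookie": False}
            findings.append(cur)
            in_headers = False
            continue
        m = STATUS.match(line)
        if m and cur is not None:  # status line opens the response headers
            cur["status"], in_headers = int(m.group(1)), True
            continue
        if not line.strip():  # blank line ends the header block
            in_headers = False
        if not in_headers:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "location" and value.lower().startswith("http://"):
            cur["downgrade"] = True  # redirect leaves TLS
        elif name == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            cur["insecure_cookie"] |= "secure" not in attrs
    return findings
```

A cookie issued without `Secure` on the HTTPS response is sent again in cleartext as soon as the browser follows the redirect to `http://`, so the two flags are worth reading together.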

I think that you might have misunderstood the question, Dennis:

 

...we've been trying to understand why some pages are redirected to the unencrypted site (i.e., in some instances, visitors are redirected from https://www.domain.com to http://www.domain.com) and others are not.

 

...we discovered that some WHMCS pages are redirected (from https://www.domain.com/whmcs/foo.php to http://www.domain.com/whmcs/foo.php) and others are not. e.g.,

 

These scripts redirect from HTTPS to HTTP...

 

  • /whmcs/index.php
  • /whmcs/knowledgebase.php

...and these scripts do not redirect from HTTPS to HTTP...

 

  • /whmcs/domainchecker.php
  • /whmcs/clientarea.php

 

...


...so now we're wondering if some of these PHP scripts (e.g., index.php, knowledgebase.php) force a redirect to the unencrypted page or if there's some other mechanism at work.

 

Looking at the code (above) would indicate that these scripts redirect from HTTPS to HTTP...

 

  • /whmcs/index.php
  • /whmcs/knowledgebase.php

...and these scripts do not redirect from HTTPS to HTTP...

 

  • /whmcs/domainchecker.php
  • /whmcs/clientarea.php

Is this the expected behavior of these scripts to force a redirect to the unencrypted page? Or is there some other mechanism at work (e.g., mod_rewrite)?

Link to comment
Share on other sites

I can confirm that even though we have a redirection set up, for some reason the following pages get redirected BACK to http:

 

index.php

knowledgebase.php

downloads.php

announcements.php

 

It is driving me CRAZY! I can hover over the knowledgebase link for instance and it shows https://.... however when clicked it redirects to http://.... - Only the stated pages do this.

 

We use a Zomex Theme and within the theme you can even get it to do HTTP > HTTPS redirects and even that runs into the same issue.

 

We use .htaccess code to complete the redirects....every site I have tried the redirects on works fine...apart from WHMCS.

 

The code we use to redirect to www then to https://www. is:

 

RewriteCond %{HTTPS} (on)? [NC]
RewriteCond %{HTTP_HOST} ^(?!www\.)(.+)$ [NC]
RewriteCond %{REQUEST_URI} (.+)
RewriteRule .? http(?%1s)://www.%2%3 [R=301,L]

 

As mentioned, works fine on other sites.

Link to comment
Share on other sites

Within your General Settings, if you have an HTTP URL for "WHMCS System URL" and an HTTPS URL for "WHMCS SSL System URL", it will switch back and forth. It basically determines what pages need SSL (ordering pages, account modifying pages, etc.). For things like the knowledgebase, or the front page (index.html) you most likely wouldn't need SSL.

 

However, if you want your entire site to be SSL, try this... Set the "WHMCS System URL" to your HTTPS URL. This will cause the "WHMCS SSL System URL" setting to blank itself. Leaving it this way (an HTTPS URL in "WHMCS System URL" and "WHMCS SSL System URL" blank), should cause the entire site to remain on your HTTPS URL.

Link to comment
Share on other sites
