Kitz Forum

Internet => Web Hosting & Web Design => Topic started by: kitz on April 27, 2018, 10:07:21 PM

Title: DNS records or htaccess help please
Post by: kitz on April 27, 2018, 10:07:21 PM
Can anyone help me to see what I've done wrong and what I need to do to correct this.

Site has today gone over to SSL and I thought everything was ok and appears to be on face value but I just noticed the following with incoming links.
For example if you search on google, for the various subdomains I'm getting different results than previously.

Google says www.kitz.co.uk yet now you end up at https://kitz.co.uk    (no www)
Google says forum.kitz.co.uk which directs to https://kitz.co.uk/forum  (want the subdomain not a folder)
Google says wiki.kitz.co.uk which now directs to https://kitz.co.uk/wiki (folder rather than the subdomain - which breaks the wikimedia software)

Title: Re: DNS records help please
Post by: kitz on April 27, 2018, 10:30:25 PM
or is this something to do with LetsEncrypt?
Title: Re: DNS records help please
Post by: g3uiss on April 27, 2018, 10:35:19 PM
A couple of potential issues

1) google hasn't complicated its crawl
2) if you have a site map that has been notified to google via analytics or webmaster tools has this been updated with the new it'll ( adding the "s" )

The fact it's resolvable in a browser suggests its DNS etc is fine. Google has got its links wrong. Best solution is perhaps a new site map uploaded to Google

Tony
Title: Re: DNS records help please
Post by: kitz on April 27, 2018, 11:09:57 PM
Sorry I perhaps didn't explain too well the problem.

Google has all the following results cached in its search results for the site which are correct and how I want them to be

www.kitz.co.uk
forum.kitz.co.uk
wiki.kitz.co.uk

Yet if you click on any of those links you end up at the following respectively - which isnt what I want.

https://kitz.co.uk/
https://kitz.co.uk/forum
https://kitz.co.uk/wiki

So it appears to be ignoring the subdomains and I think perhaps its the redirect thats wrong.  This is part of my htaccess added by my hosts

Code:
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://kitz.co.uk/$1 [R=301,L]

#RewriteCond %{HTTP_HOST} ^kitz.co.uk
#RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
#RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
#RewriteCond %{REQUEST_URI}

Perhaps something else needs adding there, or could it be..and something which I'm beginning to suspect may not be helping, I think they may have requested just one cert for everything on the kitzcouk account.

The server was orig config in my name using WHM but is further split into 2 cpanel accounts
The first one has a couple of parked domains which arent really used for anything other than my personal mail.
The second one is where all the traffic is and anything related to the broadband site.

If I check the certificate it says

Code:
Common name: kitz.co.uk
SANs: broadbandinfo.kitz.co.uk, broadbandinfo.net, cpanel.kitz.co.uk, forum.kitz.co.uk, kitz.co.uk, mail.broadbandinfo.net, mail.kitz.co.uk, webdisk.broadbandinfo.net, webdisk.kitz.co.uk, webmail.kitz.co.uk, wiki.kitz.co.uk, www.broadbandinfo.kitz.co.uk, www.broadbandinfo.net, www.forum.kitz.co.uk, www.kitz.co.uk, www.wiki.kitz.co.uk
Valid from April 27, 2018 to July 26, 2018

which is basically everything on the 2nd account.

Title: Re: DNS records help please
Post by: Weaver on April 28, 2018, 02:01:28 AM
I don't understand the first rewrite rule in your .htaccess. $1 is going to be the whole match string, so if you pass it "fred" it will just convert that to "https://kitz.co.uk/fred" won't it?

have I misunderstood?

If something like fred is being passed to it, then what about
"^([^.]+)$" to "https://$1.kitz.co.uk"

or even

"^(http:\/\/)?([^.]+)(.kitz.co.uk)?$" to "https://$2.kitz.co.uk"

Do forgive me as I suspect I haven't understood at all.
Title: Re: DNS records help please
Post by: Chrysalis on April 28, 2018, 08:20:56 AM
(edited post to reduce confusion)

Ok here is what should be happening with the rewrite. I hate regex tho makes my head explode when looking at it.

RewriteCond %{HTTPS} !on

matches anything not https, so matches http

RewriteRule ^(.*)$ https://kitz.co.uk/$1 [R=301,L]

Now this is matching anything with a . in the name so a hostname and forcing it to the static https://kitz.co.uk/ address.
However it is not fully static it has the $1 variable which matches the first part of the name, the subdomain basically as weaver said.

This is why I initially thought was ok as I am originally accessing on https so I am not hitting the rewrite condition.
So basically when google crawls the https urls it will not be affected by the rewrite rule, but it will be when crawling on http.

Try this

Code:
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

HSTS may also be a consideration for enforcing https, but make sure you understand the downsides of it.
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
https://www.steveworkman.com/performance/2016/hsts-a-no-nonsense-guide/

I also just noticed you did a 301 not a 302 which might bite you if google bot caches it. :(
https://blog.mythic-beasts.com/2015/06/15/the-hazards-of-301-permanent-redirects/
Title: Re: DNS records help please
Post by: kitz on April 28, 2018, 09:17:06 AM
Quote
I don't understand the first rewrite rule in your .htaccess. $1 is going to be the whole match string, so if you pass it "fred" it will just convert that to "https://kitz.co.uk/fred" won't it?

I think that may have been inserted by cpanel then because I didn't put it there.   I don't understand the rewrite rules so havent touched anything, despite me spending ages last night trying to find out what to do for the subdomains.

Quote
can you provide a link kitz to the google page that has the search results, either provide the search terms or a direct link to the page.

Its any & all google search results.   https://www.google.com/search?q=kitz

hover over the results and you will see the main site takes you to www.kitz.co.uk, hover over kitz forum and it should take you to forum.kitz.co.uk etc

For the wiki look at this search result  https://www.google.com/search?q=kitz+wiki+bcm  which gives the url http://wiki.kitz.co.uk/index.php/BCM_routers yet look what happens when you click on it you end up at https://kitz.co.uk/wiki/index.php/BCM_routers which is broken because the wiki is configured to be on a subdomain.

----------------------------------------

Perhaps this explains its better,

1) If I type http://www.kitz.co.uk in my browser then you end up at https://kitz.co.uk/  - I'm ok with that
2) If I type http://forum.kitz.co.uk in my browser then you end up at https://kitz.co.uk/forum/ -  I don't want this

What I think I perhaps need then is some sort of 301 rewrite rule to ensure that any old links from the past redirects to the correct location?

I need something which does a 301 redirect/rewrite of any old forum urls that will be scattered around the internet everywhere to end up https://forum.kitz.co.uk  and similar with the wiki.  This is what I don't know how to do and despite searching I can't find anything concrete on how to handle subdomains. 

Do I need to put something in a htaccess file in root of the forum directory and wiki directory?



Title: Re: DNS records or htaccess help please
Post by: kitz on April 28, 2018, 09:25:28 AM
PS   I just noticed you edited your reply whilst I was typing mine.   I definitely want a 301 (https://www.hochmanconsultants.com/301-vs-302-redirect/) as they are permanent not temporary moves

Quote
When permanently moving a web site, or a web page, best practice is to use a 301 redirect. 302s in this situation seem incorrect. By saying "temporary move" a 302 tells search engines to keep the old domain or page indexed, but it would be desirable for them to index the new location. In the past people have used 302 redirects in an effort to circumvent the Google aging delay. This workaround might have worked at some point, but it is not a current best practice.

Whether Google actually handles 302s properly is an open question. If a 302 is used instead of a 301, search engines might continue to index the old URL, and disregard the new one as a duplicate. Link popularity might be divided between the two urls, hurting search rankings.

Title: Re: DNS records or htaccess help please
Post by: Chrysalis on April 28, 2018, 09:28:23 AM
yes but 301 only after its tested its the behaviour you want. As it locks it in place.
Title: Re: DNS records or htaccess help please
Post by: Chrysalis on April 28, 2018, 09:29:31 AM
so to do as I said

remove these lines

RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://kitz.co.uk/$1 [R=301,L]

add these lines

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

All it should do is replace http with https and thats it, no changing of the url. You only actually need to swap one line, but just do both anyway. 
Title: Re: DNS records or htaccess help please
Post by: jelv on April 28, 2018, 09:43:40 AM
It's not just Google that is wrong. I have http://forum.kitz.co.uk/index.php?action=unread in my browser bookmarks and I end up at https://kitz.co.uk/forum/index.php?action=unread

I didn't notice at first because the forum software corrects it when you click the first link.
Title: Re: DNS records or htaccess help please
Post by: Chrysalis on April 28, 2018, 09:45:30 AM
kitz read on the link I gave you below this line

"Expiring permanent redirects"

That seems a sane solution to the search engine problem.

so e.g.

Code:
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,E=limitcache:1]
Header always set Cache-Control "max-age=3600" env=limitcache
Title: Re: DNS records or htaccess help please
Post by: Chrysalis on April 28, 2018, 09:47:32 AM
Quote
It's not just Google that is wrong. I have http://forum.kitz.co.uk/index.php?action=unread in my browser bookmarks and I end up at https://kitz.co.uk/forum/index.php?action=unread

I didn't notice at first because the forum software corrects it when you click the first link.

yeah this will be ok when the htaccess is changed.

If the original link is https there is no redirect at all, so its only a problem when the original link is http.
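
An added example, not part of any post in this thread: a simplified Python model of how the two rules discussed above behave when they sit in the root .htaccess. It assumes a cPanel-style layout in which each subdomain's document root is a folder under the main site's document root (the path and the `DOCROOTS` table are hypothetical); under that assumption it reproduces the redirects reported above.

```python
import re
from urllib.parse import urlsplit

# Assumption (not stated in the thread): every subdomain's document root is a
# folder under the main site's document root, so the root .htaccess is also
# read for requests to the subdomains.
HTACCESS_DIR = "/home/example/public_html"  # hypothetical path
DOCROOTS = {  # hypothetical host -> document root mapping
    "kitz.co.uk": HTACCESS_DIR,
    "www.kitz.co.uk": HTACCESS_DIR,
    "forum.kitz.co.uk": HTACCESS_DIR + "/forum",
    "wiki.kitz.co.uk": HTACCESS_DIR + "/wiki",
}

# The two rules from the thread as (pattern, substitution, status).
# An absolute https:// substitution on an http request is sent as an external
# redirect; without an R= flag the status defaults to 302.
OLD_RULE = (r"^(.*)$", "https://kitz.co.uk/$1", 301)
NEW_RULE = (r"(.*)", "https://%{HTTP_HOST}%{REQUEST_URI}", 302)


def per_dir_path(host, uri_path):
    """Path a RewriteRule pattern is matched against in .htaccess context:
    the file-system path with the .htaccess directory (and slash) removed."""
    full = DOCROOTS[host] + uri_path
    return full[len(HTACCESS_DIR) + 1:]


def redirect(url, rule):
    """Return (status, Location) for the rule, or None if it does not fire."""
    pattern, substitution, status = rule
    parts = urlsplit(url)
    if parts.scheme == "https":
        return None  # RewriteCond %{HTTPS} off / !on is not satisfied
    host, path = parts.hostname, parts.path or "/"
    match = re.search(pattern, per_dir_path(host, path))
    if match is None:
        return None
    values = {
        "$1": match.group(1),        # what the pattern captured
        "%{HTTP_HOST}": host,        # host name the client asked for
        "%{REQUEST_URI}": path,      # URL path, without the query string
    }
    target = re.sub(r"\$1|%\{HTTP_HOST\}|%\{REQUEST_URI\}",
                    lambda m: values[m.group(0)], substitution)
    if parts.query:
        # The original query string is carried over to the new URL.
        target += "?" + parts.query
    return status, target


if __name__ == "__main__":
    samples = [  # URLs quoted in the thread
        "http://www.kitz.co.uk/",
        "http://forum.kitz.co.uk/index.php?action=unread",
        "http://wiki.kitz.co.uk/index.php/BCM_routers",
        "https://forum.kitz.co.uk/index.php?action=unread",
    ]
    for url in samples:
        print(url)
        print("  old rule:", redirect(url, OLD_RULE))
        print("  new rule:", redirect(url, NEW_RULE))
```
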
Title: Re: DNS records or htaccess help please
Post by: jelv on April 28, 2018, 09:48:23 AM
I Googled "force http to https htaccess" and found

https://www.namecheap.com/support/knowledgebase/article.aspx/9770/38/how-to-force-https-using-htaccess-file-in-cpanel

Does that help?

There's loads of other results on the same search.
Title: Re: DNS records or htaccess help please
Post by: jelv on April 28, 2018, 09:50:05 AM
Quote
yeah this will be ok when the htaccess is changed.

I know - I was reading the part of the beginning of the topic where Google crawl etc was mentioned.
Title: Re: DNS records or htaccess help please
Post by: kitz on April 28, 2018, 09:58:29 AM
Thanks guys.  Bear with me typing excruciatingly slow with just forefingers.

I've replaced the htaccess with this

Code:
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

I think this may be working, can you see if its ok your side too please.
Title: Re: DNS records or htaccess help please
Post by: jelv on April 28, 2018, 10:03:59 AM
Looks OK here.
Title: Re: DNS records or htaccess help please
Post by: d2d4j on April 28, 2018, 10:10:08 AM
Hi Kitz

I hope you're well

I am sorry, tapatalk failed to connect yesterday afternoon when I tried to look at kitz forum.  I thought it was tapatalk but guess it is SSL

It looks lovely from here in a browser

We sometimes use the following in vhost file, to save .htaccess

RewriteEngine On
RewriteCond %{ENV:HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Either way works lovely

Apologies for any delays

Many thanks

John
Title: Re: DNS records or htaccess help please
Post by: kitz on April 28, 2018, 10:12:05 AM
Thank you.  It does seem to be doing the job and directly replacing http with https. :)

Whilst making changes and before making anything permanent, am I asking too much to add another rule so that it drops the www for kitz.co.uk?  and if so do you know how I'd do this please?

Title: Re: DNS records or htaccess help please
Post by: kitz on April 28, 2018, 10:21:09 AM
Quote
We sometimes use the following in vhost file, to save .htaccess

RewriteEngine On
RewriteCond %{ENV:HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


Would I need to get my hosts to do that?   
Would that affect everything on my server including the domains which are parked on the other account eg http://www.kitz.me.uk/ which is on the first account.   I'm not quite sure how it was split up as my hosts did that..  other than know that it keeps all the site stuff (including broadbandinfo) on just one CPanel account.

TBH I really don't know what Im doing when it comes to server stuff, which is why I pay for managed hosting.   Problem being is they want >£200 pa to configure and sort a wildcard SSL (which is what I'd need because of the subdomains) so I'm trying to save some money and do it myself.
Title: Re: DNS records or htaccess help please
Post by: Chrysalis on April 28, 2018, 10:24:06 AM
Its fine as is kitz.

It can be done in a vhost instead of htaccess, both ways work.

The difference is that the vhost is a configuration file for the webserver, usually edited by the server admin or automatically by control panel software.

htaccess is easily edited by the webmaster (which is yourself), both work the same.  Vhost is arguably more secure as isnt accessible if your user area is compromised.

The regex supplied does the same thing as well, his just adds the 301 redirect, otherwise is same as what I gave you.

So when you happy with how its behaving, its just adding the 301 to satisfy google, this can be normal riskier way or using the cached method I supplied, its up to you.
Title: Re: DNS records or htaccess help please
Post by: d2d4j on April 28, 2018, 10:24:54 AM
Hi Kitz

Tapatalk now working lovely thank you

Yes, you can as follows:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]

Should work but not tested it

Also, in Cpanel, you can complete all this from within Cpanel using GUI I believe.  It is same in Interworx (might be outdated as I do not use Cpanel sorry)

https://www.webhostinghub.com/help/learn/cpanel/redirect-domain-www-or-non-www-url

I hope that helps a little but sorry if I am wrong

Many thanks

John
Title: Re: DNS records or htaccess help please
Post by: d2d4j on April 28, 2018, 10:40:45 AM
Hi kitz

Sorry, just rereading and now using Tapatalk

Are you using let's encrypt for ssl. CPanel should have this as standard option. Interworx does

If so, you highlight all names you need LE to cover - eg common name, www, forum etc... as long as they are on your server and DNS points to your server for those you chose, it should create ssl and self install (about a minute to do from GUI)

Let's encrypt are changing to allow wild card ssl but not sure if it's out yet

Many thanks

John
Title: Re: DNS records or htaccess help please
Post by: Chrysalis on April 28, 2018, 10:40:45 AM
kitz you want the www. rewrite on all traffic or just http or just https?

I will post a rewrite for it then.

I will also include 301, and put that part of it in bold.
Title: Re: DNS records or htaccess help please
Post by: kitz on April 28, 2018, 10:49:14 AM
Quote
The difference is that the vhost is a configuration file for the webserver, usually edited by the server admin or automatically by control panel software.

I do have access to WHM for server admin, which supposedly controls everything but I'm not at all familiar with it so leave things well alone in there.
If I look in WHM I can see where the accounts have been partitioned into the separate cpanel accounts.    WHM has a lot of (for me) scary stuff such as long lists of config options, all the DNS records and other things such as ability to reboot server, restart http etc, ability to create accounts, set bandwidth limits etc.

I just stick to CPanel for the site admin.

Quote
htaccess is easily edited by the webmaster (which is yourself), both work the same.  Vhost is arguably more secure as isnt accessible if your user area is compromised.

I've been directly accessing the htaccess file in the root and editing in notepad.


Quote
The regex supplied does the same thing as well, his just adds the 301 redirect, otherwise is same as what I gave you.

So when you happy with how its behaving, its just adding the 301 to satisfy google, this can be normal riskier way or using the cached method I supplied, its up to you.

Cheers Im going to try add in the code that d2d4j has given first and see if I can get that to work too before I do anything permanent
Title: Re: DNS records or htaccess help please
Post by: kitz on April 28, 2018, 10:53:00 AM
Quote
Are you using let's encrypt for ssl. CPanel should have this as standard option.

Yes I'm using LetsEncrypt.    I can't see anything in CPanel.    I got my webhosts to add it.    There may be something in WHM as I can see there is an SSL section in there now.
Title: Re: DNS records or htaccess help please
Post by: d2d4j on April 28, 2018, 10:58:00 AM
Hi kitz

Many thanks

That sounds like they have turned on ssl option. If so, you should see let's encrypt option, so when generating all using LE, one option should be names to cover. This is where you select all subdomain to cover as well as common name. Then generate and in less than a minute, it's completed

If using my script, please make sure you change http to https on last line. Sorry, too many years working on http

Most control panels look scary, but usually not too bad and self explanatory.

Many thanks

John
Title: Re: DNS records or htaccess help please
Post by: Chrysalis on April 28, 2018, 11:08:05 AM
yes sorry I missed he put http not https. 

Try not to confuse yourself here tho kitz, this does not need to be added to both the vhost and htaccess, one of them is fine.
Title: Re: DNS records or htaccess help please
Post by: kitz on April 28, 2018, 11:19:44 AM
No double checked nothing in my CPanel for the kitz partition.

I have this in WHM for which I have to log in as server admin which is separate name (ie me) to the kitz site admin for CPanel, but I can't see anything specific to LetsEncrypt in CP or WHM 

--
Info and image removed
Title: Re: DNS records or htaccess help please
Post by: kitz on April 28, 2018, 11:20:02 AM
Hang on someone at door BBL
Title: Re: DNS records or htaccess help please
Post by: Chrysalis on April 28, 2018, 11:28:35 AM
the certificate is fine kitz, I already checked in my browser when I read the first post, its a LE cert as well.

I am concerned here you have just had all sorts of information thrown at you which might be overwhelming.

The only thing here is the rewrite which you have already set, and the bit left is to add the 301 to satisfy google search requirements.

Possibly the www. redirect as well.  Thats it.

Chrome reports SAN record as follows.

DNS Name=broadbandinfo.kitz.co.uk
DNS Name=broadbandinfo.net
DNS Name=cpanel.kitz.co.uk
DNS Name=forum.kitz.co.uk
DNS Name=kitz.co.uk
DNS Name=mail.broadbandinfo.net
DNS Name=mail.kitz.co.uk
DNS Name=webdisk.broadbandinfo.net
DNS Name=webdisk.kitz.co.uk
DNS Name=webmail.kitz.co.uk
DNS Name=wiki.kitz.co.uk
DNS Name=www.broadbandinfo.kitz.co.uk
DNS Name=www.broadbandinfo.net
DNS Name=www.forum.kitz.co.uk
DNS Name=www.kitz.co.uk
DNS Name=www.wiki.kitz.co.uk

Its exactly as you detailed in the original information, so nothing to adjust in regards to what you have already done on the certificate.
Title: Re: DNS records or htaccess help please
Post by: d2d4j on April 28, 2018, 11:30:51 AM
Hi Kitz

You may want to change your SSL Cipher Suite, so you are A rated for SSL.  I am not too sure where you find this in Cpanel, but we use below as starting point for most common use.  You could always change to use set ciphers, but this becomes slightly involved and below suite will give you an A rating.

You may have to restart your hosting service (not server) to allow changes to be used

SSL Cipher Suite

HIGH:!MEDIUM:!EXPORT:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW

Also, you may want to add a New DNS record

CAA

Add a CAA DNS record to your domain DNS, usually select tag issue, so you have domain name, TTL, TAG, certificate authority

for certificate authority, as you're using Lets encrypt, you enter Let's Encrypt

save record

If using any CDN, you would need to find out their CAA records, and add them also.  CDN usually require issuewild for TAG, as they use a few CA

CAA records are used to stop CA's from issuing SSL certs if CAA record exists, and is locked to certain CA's.  eg, if only lets encrypt is listed, and someone want a geotrust SSL for domain, it would fail and not be allowed

Many thanks

John
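
An added example, not part of the post above: a Python sketch of the check a certificate authority makes against CAA records before issuing, including the `issue` / `issuewild` distinction mentioned above. The zone data is constructed for illustration, `other-ca.example`, `shop.example` and `locked.example` are placeholder names, and the value stored in the record for Let's Encrypt is its CAA identifier `letsencrypt.org`.

```python
# Constructed sample data: CAA records as (flags, tag, value) per owner name.
ZONE = {
    "kitz.co.uk": [(0, "issue", "letsencrypt.org")],
    "shop.example": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "other-ca.example"),
    ],
    "locked.example": [(0, "issue", ";")],  # ";" alone: no CA may issue
}


def zone_line(name, ttl, flags, tag, value):
    """Format one CAA record the way it appears in a zone file."""
    return f'{name}. {ttl} IN CAA {flags} {tag} "{value}"'


def relevant_rrset(zone, fqdn):
    """Climb from the requested name towards the root and return the first
    CAA record set found; an empty list means no CAA records anywhere."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]  # a wildcard request is checked at its parent
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def issuer_of(value):
    """Issuer domain part of an issue/issuewild value (parameters dropped)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone, ca_domain, fqdn):
    """True if the CA identified by ca_domain may issue for fqdn."""
    rrset = relevant_rrset(zone, fqdn)
    issue = [v for _, tag, v in rrset if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in rrset if tag.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to
    # issue; ordinary requests only ever look at issue.
    wildcard = fqdn.startswith("*.")
    props = issuewild if (wildcard and issuewild) else issue
    if not props:
        return True  # nothing restricts issuance for this name
    return any(issuer_of(v) == ca_domain.lower() for v in props)


if __name__ == "__main__":
    print(zone_line("kitz.co.uk", 3600, 0, "issue", "letsencrypt.org"))
    for ca, name in [
        ("letsencrypt.org", "forum.kitz.co.uk"),
        ("other-ca.example", "wiki.kitz.co.uk"),
        ("letsencrypt.org", "*.kitz.co.uk"),
        ("letsencrypt.org", "*.shop.example"),
        ("other-ca.example", "broadbandinfo.net"),
    ]:
        print(f"{ca:18} {name:20} allowed={may_issue(ZONE, ca, name)}")
```
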
Title: Re: DNS records or htaccess help please
Post by: d2d4j on April 28, 2018, 11:38:17 AM
Hi Kitz

As Chrysalis has posted, you are fully covered on names (see below and this is public data, so it does not compromise your server)

I would think about changing cipher suite though, and adding CAA DNS record(s)

Many thanks

John


Server Key and Certificate #1

Subject kitz.co.uk
 Fingerprint SHA256: f23d051bab151f47fe0923b22a2e4738cfdb6bbd51199fef0192f11b7bda8e22
 Pin SHA256: A1/v5DHyUcr/SsuIdZxq2B6BUnnFyUHAGnoOjUoFUvU=   
Common names kitz.co.uk
Alternative names broadbandinfo.kitz.co.uk broadbandinfo.net cpanel.kitz.co.uk forum.kitz.co.uk kitz.co.uk mail.broadbandinfo.net mail.kitz.co.uk webdisk.broadbandinfo.net webdisk.kitz.co.uk webmail.kitz.co.uk wiki.kitz.co.uk www.broadbandinfo.kitz.co.uk www.broadbandinfo.net www.forum.kitz.co.uk www.kitz.co.uk www.wiki.kitz.co.uk
Serial Number 039d58992ba4ab77707b83069cdd6707128d
Valid from Fri, 27 Apr 2018 12:08:18 UTC
Valid until Thu, 26 Jul 2018 12:08:18 UTC (expires in 2 months and 28 days)
Key RSA 2048 bits (e 65537)
Weak key (Debian)  No
Issuer Let's Encrypt Authority X3
 AIA: http://cert.int-x3.letsencrypt.org/
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency Yes (certificate)
OCSP Must Staple No
Revocation information OCSP
 OCSP: http://ocsp.int-x3.letsencrypt.org
Revocation status Good (not revoked)
DNS CAA No
Trusted Yes
Mozilla  Apple  Android  Java  Windows

Additional Certificates (if supplied)

Certificates provided 2 (3039 bytes)
Chain issues None
#2
Subject Let's Encrypt Authority X3
 Fingerprint SHA256: 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d
 Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
Valid until Wed, 17 Mar 2021 16:40:46 UTC (expires in 2 years and 10 months)
Key RSA 2048 bits (e 65537)
Issuer DST Root CA X3
Signature algorithm SHA256withRSA
Title: Re: DNS records or htaccess help please
Post by: Chrysalis on April 28, 2018, 11:50:24 AM
John I had a look at the ssllabs report.

I think DNS CAA is nothing to worry about right now, nice to have but of no immediate importance.

The ciphers are not optimal but AES 128 GCM is supported and will be picked by any modern web browser.

The only immediate issue there is the weak key exchange, this wont be fixed by the changes you suggested, it requires the generation of a new DH file on the server.

In my view this is not what a webmaster would fix, this is managed hosting, So in regards to the cipher/DH stuff I suggest to kitz to just get the company managing the server to update the SSL configuration on the server, so bump DH to at least 2048 bits and to remove obsolete ciphers.  That would get ssllabs to an A grade as well (DNS CAA has no impact on grade).

Its good you checked the report, this probably would have came back to bite at some point when DH < 2048 support is removed from browsers, I am just trying to keep this as simple as possible for kitz to deal with as well.
Title: Re: DNS records or htaccess help please
Post by: d2d4j on April 28, 2018, 12:13:44 PM
Hi chrysalis

Agreed

CAA is due to be fully used very soon though, so better to have as it's quick

I was googling whm as we do not use it, and it's unclear if whm support this newer DH yet. However the threads I read were over a year old so well out dated.

Also, I am not sure if kitz managed server includes OpenSSL regen, as kitz posted a cost of circa 200 for ssl setup

There is 1 point though, which kitz may not understand or I may not understand how cPanel works. The rewrites in htaccess or vhost files, only act on that domain and none others. So to have other domains work the same, the same details need to be added to each htaccess or vhost file. Sorry if everyone knew this

Also, if I read correctly, whm may not auto add the ssl to other services, such as mail server and I've not tested. Again could be wrong so apologies in advance

There is not a lot left to do now anyway, sites up and running ssl but just needs a good check on all pages but suspect DH is the biggest job to complete if server admin wants to charge for this. The regen is simple enough but not sure on whm/cPanel. I would have thought latest whm should include this

Many thanks

John

Title: Re: DNS records or htaccess help please
Post by: Chrysalis on April 28, 2018, 12:18:31 PM
both ciphers and DH are global configurations, the DH regen is just a command run in the terminal.  If you know what you doing its just one command.  For a company offering managed services I would be shocked to find that a chargeable bit of work, managed services should include security maintenance which SSL would fall under.

If she is dealing with someone trying to charge 200 for that, I will do it for her, it will take me 2 minutes.

Posting a how to I am not keen on doing as it involves knowing where the file is, making sure you understand the current configuration of the server and a mistake can leave the entire web service offline which would drag this website offline.
Title: Re: DNS records or htaccess help please
Post by: d2d4j on April 28, 2018, 03:17:26 PM
Hi Kitz

you may want to try this rewrite in htaccess, which completes both http to https and non www url rewrite

I have provisionally tried it on one of our platforms, and it works as expected but there may be differences between platforms so apologies in advance

Many thanks and I hope it helps a little

John

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !=forum.kitz.co.uk [NC]
RewriteRule ^(.*) https://forum.kitz.co.uk/$1 [NS,L,R=301]

or

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !=forum.kitz.co.uk [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI}/$1 [NS,L,R=301]
Title: Re: DNS records or htaccess help please
Post by: kitz on April 28, 2018, 04:38:04 PM
Sorry someone came round, so hence the disappearance for a couple of hours.

To recap, the following is correctly rewriting to http to https

Code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}


Quote
kitz you want the www. rewrite on all traffic or just http or just https?
I will post a rewrite for it then. I will also include 301, and put that part of it in bold.

Yes please.  I presume it will be along the lines of what d2d posted earlier :)
Having thought about it just https should do, as all traffic should now be https
Title: Re: DNS records or htaccess help please
Post by: kitz on April 28, 2018, 04:38:27 PM
Quote
That sounds like they have turned on ssl option.

I asked them to do that and they got the certificate for me, then left me to do all the configuration for things like SMF, a proxy cache so that the forum doesnt throw errors if someone posts a http image, sort out wikimedia..  and any http images still on the site (there were a few I found).

Quote
Most control panels look scary
Although I do have access to all the WHM and SSH and various other configs because I'm not familiar with that side of things they will do that.

Quote
If using any CDN

No its all server based

Quote
You may want to change your SSL Cipher Suite, so you are A rated for SSL.
Add a CAA DNS
Haven't got a clue I'm afraid,  I even get them to do the DNS records as part of the managed service.  I really don't want to mess with things that could muck something up which why I deliberately steer away from that side of things.

Quote
For a company offering managed services I would be shocked to find that a chargeable bit of work, managed services should include security maintenance which SSL would fall under.

Whilst it is a managed service and they will do most things, SSL is additional - see here (https://www.vidahost.com/ssl-certificates) :( 
Its £204.48 inc VAT per year for them to purchase, manage and install a wildcard SSL or £27.36 pa if you ask them to install a 3rd party cert.

They don't charge anything for LE but then it's down to me to sort anything other than them doing the basics they did such as turning on SSL and putting the cert in WHM.    My aim is once set up hopefully not having to touch anything again.   So I think I'm best sticking with directly editing the htaccess file which Im more comfortable doing rather than doing so in WHM/CPanel. 
Title: Re: DNS records or htaccess help please
Post by: kitz on April 28, 2018, 04:43:02 PM
Quote
you may want to try this rewrite in htaccess, which completes both http to https and non www url rewrite

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !=forum.kitz.co.uk [NC]
RewriteRule ^(.*) https://forum.kitz.co.uk/$1 [NS,L,R=301]

or

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !=forum.kitz.co.uk [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI}/$1 [NS,L,R=301]

Thanks John :)

I think I'm a bit confused here.    What is the mention of the forum doing and would I need that for the wiki subdomain too?
I have no idea about re-write rules so sorry for being a bit thick on this topic :(
Title: Re: DNS records or htaccess help please
Post by: d2d4j on April 28, 2018, 04:59:05 PM
Hi kitz

Many thanks

I'm so sorry I think as chrysalis posted, I may have given too much at once

For the moment, you're in a B rate for SSL. Not a bad thing but could do with A rate

The last rewrite should work I think in htaccess and should do both changes for http://www to https://

If I have it wrong and you wanted it to go to www, just add www. before domain and % and it will make http:// rewrite to https://www

I hope that makes sense sorry and you must hash out or delete the code currently used for http to https

You do not need to add a CAA record and probably not needed for a year. However the CA's are going to start using them very soon. Most do now

You would need to do the htaccess rewrites for all domains you want to go to https automatically as each domain is separate (it could be centrally completed but you would need to edit hosting conf files, but this becomes involved if you're not sure). So each htaccess only works in each domain

I hope that makes more sense

I would have a rest though, as it's working now and then test using your least domain first, so you can see if it works as expected

I hope that helps a little and have a lovely weekend

Many thanks

John

Title: Re: DNS records or htaccess help please
Post by: Chrysalis on April 29, 2018, 12:50:46 AM
Thanks for the info kitz.

From what you explained the fee is for cert installation and management of those certs.

The DH configuration has no ties with certificates, that's specifically a server configuration issue.

Discussion here https://forums.cpanel.net/threads/change-dh-group-key-size.603983/ confirms it's a cli problem, in addition it also needs a new enough build of openssl which again comes under server management aka security and not related to certificate installation.  That would be your argument with the server management company.  But I can fix this for you as I told you in PM with what access is needed to do it.

The rewrite is here. (keep existing rewrite in place as well, put this below it after an empty line).  Test first without the bold bit to make sure it is what you want, and then add the bold bit (if you consider the 301 important, remember 301 is "permanent").

RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule (.*) https://kitz.co.uk/ [R=301,L]
Title: Re: DNS records or htaccess help please
Post by: jelv on April 29, 2018, 10:43:55 AM
I've seen something odd. On my Android phone using the Chrome browser http://forum.kitz.co.uk was still going to https://kitz.co.uk/forum (but then was using the correct address when I clicked any forum links). I cleared out all the browsing history and now it is working correctly.

Will at some point https://kitz.co.uk/forum stop working? If so would it be worth adding a rule to rewrite that to the correct location?
Title: Re: DNS records or htaccess help please
Post by: d2d4j on April 29, 2018, 10:54:36 AM
Hi

@chrysalis the DH from what I have read in your post requires Centos 7.4, which I do not know if Kitz is on centos 7.4 and is not needed to stop DH <1024.

All that is needed is to stop the cipher using DH <1024, which the cipher I posted would do or you could just add :!3DES:!DHE to the current cipher in use.  You would have to restart hosting service (not the server just the hosting service)

@jelv, it should be fine I think, but I do not know the configuration/setup.  However, given the time elapsed I would expect any failures to have surfaced by now. 

Sorry if I am wrong.

Many thanks

John
Title: Re: DNS records or htaccess help please
Post by: Weaver on April 29, 2018, 10:55:56 AM
It has been a long time since I did a lot of fiddling around with .htaccess so my memory has become shaky. The '.' means a literal '.' in the type of regex used there? I'm used to '.*' meaning zero or more characters or non-newline characters.
Title: Re: DNS records or htaccess help please
Post by: kitz on April 29, 2018, 02:38:15 PM
Can I take things one step at a time please to stop me getting confused  (easily done!)

atm I'm using Chrys's code   and I'll later put in R=301 when I'm ready

Code:
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule (.*) https://kitz.co.uk/ [R,L]

I think this is handling all the main redirects correctly and how I want them to be
I'm aware that this has broken links (mostly images) both on here and the wiki which link to the main site & I'm currently working on fixing those one at a time.


When I've done all these, then the next important thing I need to look at is the point brought up by jelv to redirect kitz/forum & kitz/wiki to the relevant subdomains.
Title: Re: DNS records or htaccess help please
Post by: kitz on April 29, 2018, 02:51:35 PM
PS

I'm also aware that the ISP section is broken and unreachable

Title: Re: DNS records or htaccess help please
Post by: kitz on April 29, 2018, 03:47:48 PM
I'm still working my way through the images which are done for the forum, still working on the wiki.
But can anyone tell me why this is happening please and it's not redirecting correctly please?

http://www.kitz.co.uk/isp/isp_information.php?isp=aaisp

There's tons of stuff no longer working in the ISP section as anything with .php? in the url redirects to the root.
eg

http://www.kitz.co.uk/isp/isp_information.php?isp=aaisp  becomes https://www.kitz.co.uk/isp_information.php?isp=aaisp


----
ETA     May have a fix for this - still testing.     ETA fix works :)

Code:
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
Title: Re: DNS records or htaccess help please
Post by: kitz on April 29, 2018, 03:59:15 PM
My TODO list


Title: Re: DNS records or htaccess help please
Post by: kitz on April 29, 2018, 04:52:29 PM
Quote
Will at some point https://kitz.co.uk/forum stop working? If so would it be worth adding a rule to rewrite that to the correct location?

Redirect added.   Should now be working.    Will 301 it if everything continues to work ok.


----
ETA   test wiki

http://wiki.kitz.co.uk/index.php/BCM_routers
Title: Re: DNS records or htaccess help please
Post by: Weaver on April 29, 2018, 06:03:45 PM
Kitz, I noticed that non-BT line thing last week. Don't know if that was even before you started the changes.
Title: Re: DNS records or htaccess help please
Post by: kitz on April 29, 2018, 06:17:14 PM
Quote
Kitz, I noticed that non-BT line thing last week. Don't know if that was even before you started the changes.

Thank you for the confirmation Weaver I was beginning to think it is totally unrelated to the changes, but it was the first time I'd seen it. 
I suspect BTw may have stopped the marker which indicates if the line is BT based or LLU, because they are still sending the data through.  If it was anything more serious, then it wouldn't continue to return data.  The message about non BT line will have to stay for a while until I get chance to sort it properly.
Title: Re: DNS records or htaccess help please
Post by: kitz on April 29, 2018, 06:24:23 PM
OK guys, thanks everyone for all your help so far.     

I think I've managed to sort all the most important issues.   I've added a couple of redirects to sort the subdomain -v- folder issue and I've tweaked the main rewrite rule so it's now as follows

Code:
RewriteEngine on

RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R,L]

RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

I will change these to R=301 when I'm certain that everything is working as it should be. 
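
The two versions of the www rule posted in this thread treat deep links differently, which matters before either is made permanent with R=301. The sketch below is an added example, not code from any poster: a simplified Python model of mod_rewrite in .htaccess context (every rule treated as [R,L], [NC] assumed on every condition; `redirect`, `follow` and the rule tuples are hypothetical names) that replays both rule sets over the ISP link quoted earlier.

```python
import re
from urllib.parse import urlsplit

# (cond variable, cond regex, negated?, rule pattern, substitution), all as [R,L]
EARLIER_WWW_RULE = [("HTTP_HOST", r"^www\.", False, r"(.*)", "https://kitz.co.uk/")]
FINAL_RULES = [
    ("HTTP_HOST", r"^www\.(.*)$", False, r"^(.*)$", "https://%1/$1"),
    ("HTTPS", r"on", True, r"(.*)", "https://%{HTTP_HOST}%{REQUEST_URI}"),
]

def redirect(url, rules):
    """Return the Location sent by the first matching rule, or None."""
    u = urlsplit(url)
    env = {"HTTP_HOST": u.netloc, "REQUEST_URI": u.path or "/",
           "HTTPS": "on" if u.scheme == "https" else "off"}
    rel = env["REQUEST_URI"].lstrip("/")  # .htaccess patterns see no leading slash
    for var, cond_re, negate, pattern, subst in rules:
        cond = re.search(cond_re, env[var], re.I)  # [NC] assumed on every cond
        rule = re.search(pattern, rel)
        if rule is None or (cond is None) != negate:
            continue

        def expand(m):
            if m.group(1):
                return env[m.group(1)]              # %{VAR}
            if m.group(2):
                return cond.group(int(m.group(2)))  # %N from the RewriteCond
            return rule.group(int(m.group(3)))      # $N from the RewriteRule

        out = re.sub(r"%\{(\w+)\}|%(\d)|\$(\d)", expand, subst)
        # the original query string is kept when the target carries none
        return out + ("?" + u.query if u.query and "?" not in out else "")
    return None

def follow(url, rules, max_hops=5):
    """Follow redirects until no rule fires; return every URL visited."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = redirect(chain[-1], rules)
        if nxt is None:
            return chain
        chain.append(nxt)
    raise RuntimeError("redirect loop: " + " -> ".join(chain))

DEEP_LINK = "http://www.kitz.co.uk/isp/isp_information.php?isp=aaisp"
if __name__ == "__main__":
    print("earlier:", follow(DEEP_LINK, EARLIER_WWW_RULE))
    print("final:  ", follow(DEEP_LINK, FINAL_RULES))
```

In this model the earlier rule sends the deep link to the site root with only the query string attached, while the final rules keep the full path and reach HTTPS on the bare domain in one hop.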

Title: Re: DNS records or htaccess help please
Post by: Weaver on May 01, 2018, 02:25:47 AM
[off topic, apol] That non-bt line thing, disregarding weirdness - is it supposed to mean 'non BTOR' ie a totally unrecognised phone number that BT have never heard of, or is it to do with ISP = BT Retail _ISP_ whatever they call themselves nowadays ?

I tried a couple of local phone numbers because I was trying to check up on FTTC in the area. I wonder how up-to-date their database is as I'm fairly sure there is more in the area now, based on speed test results with ISP given on maps which are definitely DSL, not 4G because of the ISP.
Title: Re: DNS records or htaccess help please
Post by: burakkucat on May 01, 2018, 02:49:22 AM
[off topic]
Quote
[off topic, apol] That non-bt line thing, disregarding weirdness - is it supposed to mean 'non BTOR' ie a totally unrecognised phone number that BT have never heard of, or is it to do with ISP = BT Retail _ISP_ whatever they call themselves nowadays ?

My telephone number was originally BT and would be recognised. When I migrated to TalkTalk, taking the number with me, the BT Broadband Availability Checker (https://www.dslchecker.bt.com/) does not recognise the number.

It responds --

There is no data available for this number. This could be either because it is
not a BT line or it is a new BT number that has just been provided. Most new
numbers will appear on the checker 24 hours after BT has installed the line.

[/off topic]
Title: Re: DNS records or htaccess help please
Post by: kitz on May 04, 2018, 12:00:03 PM
They used to have a marker that identified BT based lines.   
Note this is NOT BTretail but BT Wholesale line rental (WLR) which in brief is basically any ISP not using Full Metallic Path LLU.
 
I used that marker as an aid to note which map to prepare for line length and the visual map markers..  knowing that no data would be returned for LLU lines therefore no point doing some of the steps.  There's actually 4 different map formats which depend upon data input by the user and data returned from BTw.
So the marker has gone, but BTw is still returning line data which likely means they stopped the marker for some equivalence rule or other (guessing!)

As it's not actually affecting the end results other than saying 'possible not BT line' it really is not a priority right now.   I'm up to my eyes in other admin work and keeping the site running.   It's no fun these days trying to run a site and keeping everything compliant and up to date..  because the amount of background stuff that no-one gets to see is no mean feat  :(

 
Title: Re: DNS records or htaccess help please
Post by: kitz on May 04, 2018, 12:07:58 PM
PS...  as an example, from my mail box yesterday.  Gmaps are changing their ToS and they want my bank account details to set up a billing account for gmaps usage.  When introduced it used to be free and no details required other than set up a key to confirm you own the site.   Things are getting way too complicated to run any sort of hobby site. :(

Quote
Beginning June 11th, we are launching our new pricing plan and providing all users access to support. We'll continue to offer a free tier - all developers will receive $200 of free monthly usage of our core products.
In addition, this change will require you to enable billing and associate it with all of your Google Maps Platform projects. Creating a billing account helps us better understand your usage so we can continue developing helpful products. It also allows you to scale easily with less downtime and fewer performance issues if your product grows beyond the $200 of free monthly usage.
Title: Re: DNS records or htaccess help please
Post by: Chrysalis on May 05, 2018, 01:09:02 AM
Is the free tier good enough for what this site needs?
Title: Re: DNS records or htaccess help please
Post by: Weaver on May 05, 2018, 01:16:43 AM
And using a different free service means a nightmare amount of work, unpaid, until that service decides to start charging.

AA uses a mapping service btw, https://find.me.uk/164978/817874/980x684 which is free, I think revk built it possibly. I have no idea if he or that service might be of any interest.