Kitz ADSL Broadband Information
Author Topic: DNS records or htaccess help please  (Read 2870 times)

Chrysalis

Re: DNS records or htaccess help please
« Reply #30 on: April 28, 2018, 11:28:35 AM »

The certificate is fine kitz, I already checked in my browser when I read the first post; it's a LE cert as well.

I am concerned here you have just had all sorts of information thrown at you which might be overwhelming.

The only thing here is the rewrite which you have already set, and the bit left is to add the 301 to satisfy google search requirements.

Possibly the www. redirect as well.  That's it.

Chrome reports the SAN record as follows.

DNS Name=broadbandinfo.kitz.co.uk
DNS Name=broadbandinfo.net
DNS Name=cpanel.kitz.co.uk
DNS Name=forum.kitz.co.uk
DNS Name=kitz.co.uk
DNS Name=mail.broadbandinfo.net
DNS Name=mail.kitz.co.uk
DNS Name=webdisk.broadbandinfo.net
DNS Name=webdisk.kitz.co.uk
DNS Name=webmail.kitz.co.uk
DNS Name=wiki.kitz.co.uk
DNS Name=www.broadbandinfo.kitz.co.uk
DNS Name=www.broadbandinfo.net
DNS Name=www.forum.kitz.co.uk
DNS Name=www.kitz.co.uk
DNS Name=www.wiki.kitz.co.uk

It's exactly as you detailed in the original information, so nothing to adjust in regards to what you have already done on the certificate.
« Last Edit: April 28, 2018, 11:31:00 AM by Chrysalis »
Sky Fiber Pro - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE

d2d4j

Re: DNS records or htaccess help please
« Reply #31 on: April 28, 2018, 11:30:51 AM »

Hi Kitz

You may want to change your SSL Cipher Suite, so you are A rated for SSL.  I am not too sure where you find this in cPanel, but we use the below as a starting point for most common use.  You could always change to use set ciphers, but this becomes slightly involved and the suite below will give you an A rating.

You may have to restart your hosting service (not the server) to allow the changes to be used.

SSL Cipher Suite

HIGH:!MEDIUM:!EXPORT:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW

Also, you may want to add a New DNS record

CAA

Add a CAA DNS record to your domain DNS, usually select tag issue, so you have domain name, TTL, TAG, certificate authority

for certificate authority, as you're using Let's Encrypt, you enter Let's Encrypt

save record

If using any CDN, you would need to find out their CAA records, and add them also.  CDNs usually require issuewild for the TAG, as they use a few CAs.

CAA records are used to stop CAs from issuing SSL certs if a CAA record exists and is locked to certain CAs.  E.g., if only Let's Encrypt is listed and someone wants a GeoTrust SSL cert for the domain, it would fail and not be allowed.

Many thanks

John
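The CAA lookup John describes above (an issue record for Let's Encrypt only, issuewild for a CDN's CAs) as an added Python example that is not from this thread: it evaluates a constructed zone the way a CA does under RFC 8659, so you can see which requests a CAA record would block. All example.* names and the cdn-ca.example identifier are placeholders; letsencrypt.org is the real CAA identifier Let's Encrypt publishes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int  # bit 0x80 = issuer-critical
    tag: str    # issue / issuewild / iodef / ...
    value: str  # "ca-domain[; params]" or ";" meaning no CA at all

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data (placeholders, not kitz's DNS): name -> CAA RRset.
# Names with no entry have no CAA records of their own.
ZONE = {
    "example.co.uk": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", "cdn-ca.example; accounturi=placeholder"),
        CAA(0, "iodef", "mailto:hostmaster@example.co.uk"),
    ],
    "locked.example.co.uk": [CAA(0, "issue", ";")],
    "future.example.co.uk": [CAA(0x80, "someday", "not-understood")],
}

def relevant_rrset(zone, fqdn):
    """Climb from fqdn towards the root and return the first CAA RRset found.
    (A real resolver also follows CNAME/DNAME; omitted here.)"""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None

def ca_in_value(value):
    """CA domain from an issue/issuewild value; '' when the value is ';'."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(zone, fqdn, ca_domain, wildcard=False):
    """True if ca_domain may issue for fqdn (or for *.fqdn when wildcard)."""
    rrset = relevant_rrset(zone, fqdn)
    if rrset is None:
        return True  # no CAA anywhere up the tree: issuance unrestricted
    # An unrecognised tag with the critical bit set forbids issuance.
    if any(r.flags & 0x80 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild, when present, overrides issue for wildcards
    relevant = [r for r in rrset if r.tag.lower() == tag]
    if not relevant:
        return True  # RRset exists but says nothing about this request kind
    return any(ca_in_value(r.value) == ca_domain.lower() for r in relevant)
```

Subdomains such as forum.example.co.uk inherit the parent's record, which is why one record at the apex covers every name in the SAN list unless a subdomain publishes its own.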

d2d4j

Re: DNS records or htaccess help please
« Reply #32 on: April 28, 2018, 11:38:17 AM »

Hi Kitz

As Chrysalis has posted, you are fully covered on names (see below and this is public data, so it does not compromise your server)

I would think about changing cipher suite though, and adding CAA DNS record(s)

Many thanks

John


Server Key and Certificate #1

Subject: kitz.co.uk
Fingerprint SHA256: f23d051bab151f47fe0923b22a2e4738cfdb6bbd51199fef0192f11b7bda8e22
Pin SHA256: A1/v5DHyUcr/SsuIdZxq2B6BUnnFyUHAGnoOjUoFUvU=
Common names: kitz.co.uk
Alternative names: broadbandinfo.kitz.co.uk broadbandinfo.net cpanel.kitz.co.uk forum.kitz.co.uk kitz.co.uk mail.broadbandinfo.net mail.kitz.co.uk webdisk.broadbandinfo.net webdisk.kitz.co.uk webmail.kitz.co.uk wiki.kitz.co.uk www.broadbandinfo.kitz.co.uk www.broadbandinfo.net www.forum.kitz.co.uk www.kitz.co.uk www.wiki.kitz.co.uk
Serial Number: 039d58992ba4ab77707b83069cdd6707128d
Valid from: Fri, 27 Apr 2018 12:08:18 UTC
Valid until: Thu, 26 Jul 2018 12:08:18 UTC (expires in 2 months and 28 days)
Key: RSA 2048 bits (e 65537)
Weak key (Debian): No
Issuer: Let's Encrypt Authority X3
AIA: http://cert.int-x3.letsencrypt.org/
Signature algorithm: SHA256withRSA
Extended Validation: No
Certificate Transparency: Yes (certificate)
OCSP Must Staple: No
Revocation information: OCSP
OCSP: http://ocsp.int-x3.letsencrypt.org
Revocation status: Good (not revoked)
DNS CAA: No
Trusted: Yes (Mozilla, Apple, Android, Java, Windows)

Additional Certificates (if supplied)

Certificates provided: 2 (3039 bytes)
Chain issues: None

#2
Subject: Let's Encrypt Authority X3
Fingerprint SHA256: 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d
Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
Valid until: Wed, 17 Mar 2021 16:40:46 UTC (expires in 2 years and 10 months)
Key: RSA 2048 bits (e 65537)
Issuer: DST Root CA X3
Signature algorithm: SHA256withRSA

Chrysalis

Re: DNS records or htaccess help please
« Reply #33 on: April 28, 2018, 11:50:24 AM »

John I had a look at the ssllabs report.

I think DNS CAA is nothing to worry about right now, nice to have but of no immediate importance.

The ciphers are not optimal but AES 128 GCM is supported and will be picked by any modern web browser.

The only immediate issue there is the weak key exchange; this won't be fixed by the changes you suggested, it requires the generation of a new DH file on the server.

In my view this is not what a webmaster would fix; this is managed hosting, so in regards to the cipher/DH stuff I suggest to kitz to just get the company managing the server to update the SSL configuration on the server, so bump DH to at least 2048 bits and remove obsolete ciphers.  That would get ssllabs to an A grade as well (DNS CAA has no impact on grade).

It's good you checked the report, this probably would have come back to bite at some point when DH < 2048 support is removed from browsers; I am just trying to keep this as simple as possible for kitz to deal with as well.
« Last Edit: April 28, 2018, 11:56:09 AM by Chrysalis »
Sky Fiber Pro - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE

d2d4j

Re: DNS records or htaccess help please
« Reply #34 on: April 28, 2018, 12:13:44 PM »

Hi chrysalis

Agreed

CAA is due to be fully used very soon though, so better to have as it's quick

I was googling WHM as we do not use it, and it's unclear if WHM supports this newer DH yet. However the threads I read were over a year old so well outdated.

Also, I am not sure if kitz managed server includes OpenSSL regen, as kitz posted a cost of circa 200 for ssl setup

There is 1 point though, which kitz may not understand or I may not understand how cPanel works. The rewrites in htaccess or vhost files, only act on that domain and none others. So to have other domains work the same, the same details need to be added to each htaccess or vhost file. Sorry if everyone knew this

Also, if I read correctly, WHM may not auto add the SSL to other services, such as the mail server, and I've not tested. Again could be wrong so apologies in advance

There is not a lot left to do now anyway, the site's up and running SSL but just needs a good check on all pages, but I suspect DH is the biggest job to complete if the server admin wants to charge for this. The regen is simple enough but not sure on WHM/cPanel. I would have thought the latest WHM should include this

Many thanks

John


Chrysalis

Re: DNS records or htaccess help please
« Reply #35 on: April 28, 2018, 12:18:31 PM »

Both ciphers and DH are global configurations; the DH regen is just a command run in the terminal.  If you know what you're doing it's just one command.  For a company offering managed services I would be shocked to find that a chargeable bit of work; managed services should include security maintenance, which SSL would fall under.

If she is dealing with someone trying to charge 200 for that, I will do it for her, it will take me 2 minutes.

Posting a how to I am not keen on doing as it involves knowing where the file is, making sure you understand the current configuration of the server and a mistake can leave the entire web service offline which would drag this website offline.
« Last Edit: April 28, 2018, 12:21:29 PM by Chrysalis »
Sky Fiber Pro - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE

d2d4j

Re: DNS records or htaccess help please
« Reply #36 on: April 28, 2018, 03:17:26 PM »

Hi Kitz

you may want to try this rewrite in htaccess, which completes both http to https and non www url rewrite

I have provisionally tried it on one of our platforms, and it works as expected, but there may be differences between platforms so apologies in advance

Many thanks and I hope it helps a little

John

RewriteEngine On
# Option 1: one fixed canonical host (only right in the forum's own .htaccess)
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !=forum.kitz.co.uk [NC]
RewriteRule ^(.*) https://forum.kitz.co.uk/$1 [NS,L,R=301]

or

RewriteEngine On
# Option 2: host-independent; fires on plain http or on a www. host.
# %1 is the host with any leading www. stripped. REQUEST_URI already holds
# the full path, so $1 must not be appended to it again.
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [NS,L,R=301]

kitz

Re: DNS records or htaccess help please
« Reply #37 on: April 28, 2018, 04:38:04 PM »

Sorry, someone came round, hence the disappearance for a couple of hours.

To recap, the following is correctly rewriting http to https

Code:
RewriteEngine On
RewriteCond %{HTTPS} off
# No R flag: the redirect Apache sends is a temporary 302 until R=301 is added
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}


Quote
kitz you want the www. rewrite on all traffic or just http or just https?
I will post a rewrite for it then. I will also include 301, and put that part of it in bold.

Yes please.  I presume it will be along the lines of what d2d posted earlier :)
Having thought about it just https should do, as all traffic should now be https
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

kitz

Re: DNS records or htaccess help please
« Reply #38 on: April 28, 2018, 04:38:27 PM »

Quote
That sounds like they have turned on ssl option.

I asked them to do that and they got the certificate for me, then left me to do all the configuration for things like SMF, a proxy cache so that the forum doesn't throw errors if someone posts a http image, sort out wikimedia..  and any http images still on the site (there were a few I found).

Quote
Most control panels look scary
Although I do have access to all the WHM and SSH and various other configs, because I'm not familiar with that side of things they will do that.

Quote
If using any CDN

No, it's all server based

Quote
You may want to change your SSL Cipher Suite, so you are A rated for SSL.
Add a CAA DNS
Haven't got a clue I'm afraid, I even get them to do the DNS records as part of the managed service.  I really don't want to mess with things that could muck something up, which is why I deliberately steer away from that side of things.

Quote
For a company offering managed services I would be shocked to find that a chargeable bit of work, managed services should include security maintenance which SSL would fall under.

Whilst it is a managed service and they will do most things, SSL is additional - see here :( 
It's £204.48 inc VAT per year for them to purchase, manage and install a wildcard SSL or £27.36 pa if you ask them to install a 3rd party cert.

They don't charge anything for LE but then it's down to me to sort anything other than them doing the basics they did such as turning on SSL and putting the cert in WHM.    My aim is once set up hopefully not having to touch anything again.   So I think I'm best sticking with directly editing the htaccess file which I'm more comfortable doing rather than doing so in WHM/cPanel.
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

kitz

Re: DNS records or htaccess help please
« Reply #39 on: April 28, 2018, 04:43:02 PM »

you may want to try this rewrite in htaccess, which completes both http to https and non www url rewrite

RewriteEngine On
# Option 1: one fixed canonical host (only right in the forum's own .htaccess)
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !=forum.kitz.co.uk [NC]
RewriteRule ^(.*) https://forum.kitz.co.uk/$1 [NS,L,R=301]

or

RewriteEngine On
# Option 2: host-independent; fires on plain http or on a www. host.
# %1 is the host with any leading www. stripped. REQUEST_URI already holds
# the full path, so $1 must not be appended to it again.
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [NS,L,R=301]

Thanks John :)

I think I'm a bit confused here.    What is the mention of the forum doing and would I need that for the wiki subdomain too?
I have no idea about re-write rules so sorry for being a bit thick on this topic :(
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

d2d4j

Re: DNS records or htaccess help please
« Reply #40 on: April 28, 2018, 04:59:05 PM »

Hi kitz

Many thanks

I'm so sorry, I think as chrysalis posted, I may have given too much at once

For the moment, you're in a B rate for SSL. Not a bad thing but could do with A rate

The last rewrite should work I think in htaccess and should do both changes for http://www to https://

If I have it wrong and you wanted it to go to www, just add www. before domain and % and it will make http:// rewrite to https://www

I hope that makes sense, sorry, and you must hash out or delete the code currently used for http to https

You do not need to add a CAA record and it's probably not needed for a year. However the CA's are going to start using them very soon. Most do now

You would need to do the htaccess rewrites for all domains you want to go to https automatically as each domain is separate (it could be centrally completed but you would need to edit hosting conf files, but this becomes involved if you're not sure). So each htaccess only works in each domain

I hope that makes more sense

I would have a rest though, as it's working now, and then test using your least domain first, so you can see if it works as expected

I hope that helps a little and have a lovely weekend

Many thanks

John


Chrysalis

Re: DNS records or htaccess help please
« Reply #41 on: April 29, 2018, 12:50:46 AM »

Thanks for the info kitz.

From what you explained the fee is for cert installation and management of those certs.

The DH configuration has no ties with certificates, that's specifically a server configuration issue.

Discussion here https://forums.cpanel.net/threads/change-dh-group-key-size.603983/ confirms it's a CLI problem; in addition it also needs a new enough build of OpenSSL, which again comes under server management aka security and is not related to certificate installation.  That would be your argument with the server management company.  But I can fix this for you as I told you in PM with what access is needed to do it.

The rewrite is here (keep the existing rewrite in place as well, put this below it after an empty line).  Test first without the bold bit to make sure it is what you want, and then add the bold bit (if you consider the 301 important, remember 301 is "permanent").

RewriteCond %{HTTP_HOST} ^www\. [NC]
# REQUEST_URI keeps the requested path; R=301 is the "bold bit" to add once tested
RewriteRule (.*) https://kitz.co.uk%{REQUEST_URI} [R=301,L]
« Last Edit: April 29, 2018, 12:55:52 AM by Chrysalis »
Sky Fiber Pro - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE

jelv

Re: DNS records or htaccess help please
« Reply #42 on: April 29, 2018, 10:43:55 AM »

I've seen something odd. On my Android phone using the Chrome browser http://forum.kitz.co.uk was still going to https://kitz.co.uk/forum (but then was using the correct address when I clicked any forum links). I cleared out all the browsing history and now it is working correctly.

Will at some point https://kitz.co.uk/forum stop working? If so would it be worth adding a rule to rewrite that to the correct location?
Line rental: Pulse8, Broadband: AAISP Home::1 FTTC 80/20, Mobile: id Mobile

d2d4j

Re: DNS records or htaccess help please
« Reply #43 on: April 29, 2018, 10:54:36 AM »

Hi

@chrysalis the DH from what I have read in your post requires CentOS 7.4, and I do not know if Kitz is on CentOS 7.4; it is not needed to stop DH <1024.

All that is needed is to stop the cipher using DH <1024, which the cipher I posted would do, or you could just add :!3DES:!DHE to the current cipher in use.  You would have to restart the hosting service (not the server, just the hosting service)

@jelv, it should be fine I think, but I do not know the configuration/setup.  However, given the time elapsed I would expect any failures to have surfaced by now. 

Sorry if I am wrong.

Many thanks

John
« Last Edit: April 29, 2018, 10:57:57 AM by d2d4j »

Weaver

Re: DNS records or htaccess help please
« Reply #44 on: April 29, 2018, 10:55:56 AM »

It has been a long time since I did a lot of fiddling around with .htaccess so my memory has become shaky. The '.' means a literal '.' in the type of regex used there? I'm used to '.*' meaning zero or more characters or non-newline characters.