[pmwiki-users] Https and ShortUrl

kirpi at kirpi.it kirpi at kirpi.it
Tue Feb 14 09:21:08 CST 2017 

It seems that there is an ongoing trend towards having our whole
websites reachable only through the https protocol.[1][2]
Thus, I am now in the (not so straightforward) process of switching
from http to https.

As far as I can understand, the whole process could be split in two parts:
1) Enabling https for the domain. - After this step the whole the
website is reachable through both ports 80 (HTTP) and 443 (HTTPS);
2) Forcing (all) the connections to use https, as opposed to plain http[3]

In my case, I am on a cheap shared hosting, with limited flexibility.
Nonetheless step 1 has been completed and I am now able to reach my
website with both http and https.
The second step seems now the trickiest.
I set these lines towards the top of my root .htaccess file,

    RewriteEngine On
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

which seem[4] to take care of the thing. And indeed, as far as I can
see, all the http connections result now as https.
Nonetheless I have some issues, one of which is related to the
ShortUrl[5] recipe.
I have
    RedirectMatch ^/s(.*)$ /S/$1
just above the "RewriteEngine On" line, as well as
    $ShortUrlPrefix = 'https://example.com/s';
in config.it, but I keep on getting "This site can’t be reached" from
the browser whenever I type a short url in.
Alternatively, I get a message from Pmwiki: ShortUrl error: can't read code map.
And the url appears to change into something like
https://www.example.com/S/x (which did not happen before).

Reading on the web, it seems that many different things might create
issues in the http/https switch, from cookies to more esoteric
subtleties.
Does anybody know where the issue might be in this very case, please?

Thanks!

Luigi

--------
[1] "You should always protect all of your websites with HTTPS, even
if they don’t handle sensitive communications. Aside from providing
critical security and data integrity for both your websites and your
users' personal information, HTTPS is a requirement for many new
browser features..."
https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https
[2] "There’s pretty broad agreement that HTTPS is the way forward for
the web..." https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
[3] I am adopting an .htaccess approach as opposed to suggestions
found at http://www.pmwiki.org/wiki/Cookbook/SwitchToSSLMode as I
would like to switch all the website to https:
[4] http://stackoverflow.com/questions/26620670/apache-httpx-forwarded-proto-in-htaccess-is-causing-redirect-loop-in-dev-envir
[5] http://www.pmwiki.org/wiki/Cookbook/Bloge-ShortUrl running very
well since many years.

More information about the pmwiki-users mailing list