[pmwiki-users] Https and ShortUrl

Petko Yotov 5ko at 5ko.fr
Sat Feb 25 23:18:31 CST 2017


On 2017-02-23 01:08, kirpi at kirpi.it wrote:
> As far as I can tell, there is actually a strong flow all around us,
> heading to draw *all* connections under the https protocol. That is,
> not only (in our case) the Pmwiki "folder" but as much as possible of
> any website.
> 
> All the major browsers now show with growing vehemence, with both text
> and symbols, when a page is not safe, and in some instances the
> wording I saw was really threatening for any casual user. And again,
> this happens even if a single (no matter how secondary, let's say an
> ancillary script, or an image) component of any page is not served
> securely with https. It's really a stressing business to "debug", and
> more of it for people not too skilled in the matter. So, I believe it
> would be better and easier to try and serve a whole website on https
> by default.
> 
> I feel really puzzled, Petko: your script idea is interesting but why
> strengthening the door if I then leave the windows spread open? If I
> understand right, anybody will circumvent the https shield just by
> disabling javascript. Or am I wrong?
> I am thinking about the matter (having little knowledge) since a
> couple of days and I am not sure how to move.
> 
> One way or the other, I am afraid that we should face the need to
> (sooner or later, better sooner) let our websites be accessible on
> https by default.

I wrote that it depends on your audience.

When your client has thousands of users who do NOT have a recent browser 
at work and MUST be able to reach the wiki from an office computer, the 
only ways are to either do it with an old-style, expensive, manually 
validated SSL certificate (you own your IP address, send your ID, the 
Certificate Authority calls you personally on the phone), OR to leave it 
in the clear (HTTP). My solution attempts to do the least bad thing I 
imagined so far: redirect the capable browsers to the secure connection.

A visitor on an older system like Windows XP and probably Vista CANNOT 
open an automatic DV certificate, either the free one from Let's Encrypt, or 
another cheap one (~60€/year).

If your website visitors all have more recent operating systems and 
recent browsers, or if you don't care about any others, certainly use 
the .htaccess redirection. Again, it depends on your audience.

On 2017-02-23 01:24, kirpi at kirpi.it wrote:
> As an example, I keep all my images in a /f/ folder (outside the Pmwiki 
> one)
> So, how can I have this image (forcibly) served through https?
>     http://www.example.com/f/Group/Page/image.jpg
> Where should I place your suggested php lines?
>      if($UrlScheme == 'http')
>      Redirect($pagename,
>      "https://www.yourwiki.net".$_SERVER['REQUEST_URI']);

This config.php line does not automatically redirect static files to the 
secure connection. If your links to these from your website are 
hardcoded HTTP links, this is indeed annoying. It would have been less 
annoying to update some InterMap prefix or even to use the relative 
Path: prefix that should always work.

In that case, do use the .htaccess method that you posted and that works 
for you. Another one that may work could be this:

   RewriteCond %{SERVER_PORT} 80
   RewriteRule ^(.*)$ https://example.net/$1 [R,L]

This is right after the line "RewriteEngine On".

About your installation, the RedirectMatch line always redirected the 
browser to /S/abc for a split second, then Bloge-ShortUrl redirected the 
browser to the real page URL. You just never noticed it.

The error code you see appears either (1) when there is no page 
containing the short urls, [[Site.ShortUrl]] by default, or (2) when the 
visitor doesn't have read permissions for it.

(1) can happen if the page was deleted, or the wiki was moved from 
another hosting and that page somehow didn't make it, or you recently 
played with $WikiDir or if you added or changed the PageStore class, and 
something was left mis-configured.

(2) can happen if you read-protect the Site group, and many other things 
will go wrong like disappearing parts of the interface (PageActions, 
PageNotFound...).

I'd start from there.

Petko

---
Change log     :  http://www.pmwiki.org/wiki/PmWiki/ChangeLog
Release notes  :  http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
If you upgrade :  http://www.pmwiki.org/wiki/PmWiki/Upgrades