Skip to content

Enable HSTS and make sure everything is HTTPS

Solved Configure
  • Hi sir, as you know i am facing redirect issues for a couple of months i want to pick this topic again here sudonix.

    can i just enable HSTS right away from CF panel?

    after enabling HSTS i want to disable the page rules which I’ve writer earlier for HTTP to HTTPS redirection

    i am trying to do by follow this video (enabling all cf settings, max header age is 6months)

  • @hari HSTS will have no bearing on redirects, but it of course will require https to work correctly. You can go ahead and enable that.

  • @hari i have successfully enabled the HSTS, turned of the HTTP to https page rule at CF and tested all 4 URLs and they are working 100% fine with all subfolders and root domain

    every request is going to https and www.

    http://domain.com/
    http://www.domain.com/
    https://domain.com/
    https://www.domain.com/

    now i am facing the issue with flarum (ask) folder. it is not properly redirecting to www.

    http://domain.com/ask
    https://domain.com/ask

    Ask (sub folder) ht access is

    <IfModule mod_rewrite.c>
      RewriteEngine on
    
      # Ensure the Authorization HTTP header is available to PHP
      RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    
      # Uncomment the following lines if you are not using a `public` directory
      # to prevent sensitive resources from being exposed.
       RewriteRule /\.git / [F,L]
       RewriteRule ^composer\.(lock|json)$ / [F,L]
       RewriteRule ^config.php$ / [F,L]
       RewriteRule ^flarum$ / [F,L]
       RewriteRule ^storage/(.*)?$ / [F,L]
       RewriteRule ^vendor/(.*)?$ / [F,L]
    
      # Pass requests that don't refer directly to files in the filesystem to index.php
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule ^ index.php [QSA,L]
    </IfModule>
    
    # Disable directory listings
    Options -Indexes
    
    # MultiViews can mess up our rewriting scheme
    Options -MultiViews
    
    # The following directives are based on best practices from H5BP Apache Server Configs
    # https://github.com/h5bp/server-configs-apache
    
    # Expire rules for static content
    <IfModule mod_expires.c>
      ExpiresActive on
      ExpiresDefault                                      "access plus 1 month"
      ExpiresByType text/css                              "access plus 1 year"
      ExpiresByType application/atom+xml                  "access plus 1 hour"
      ExpiresByType application/rdf+xml                   "access plus 1 hour"
      ExpiresByType application/rss+xml                   "access plus 1 hour"
      ExpiresByType application/json                      "access plus 0 seconds"
      ExpiresByType application/ld+json                   "access plus 0 seconds"
      ExpiresByType application/schema+json               "access plus 0 seconds"
      ExpiresByType application/vnd.geo+json              "access plus 0 seconds"
      ExpiresByType application/vnd.api+json              "access plus 0 seconds"
      ExpiresByType application/xml                       "access plus 0 seconds"
      ExpiresByType text/calendar                         "access plus 0 seconds"
      ExpiresByType text/xml                              "access plus 0 seconds"
      ExpiresByType image/vnd.microsoft.icon              "access plus 1 week"
      ExpiresByType image/x-icon                          "access plus 1 week"
      ExpiresByType text/html                             "access plus 0 seconds"
      ExpiresByType application/javascript                "access plus 1 year"
      ExpiresByType application/x-javascript              "access plus 1 year"
      ExpiresByType text/javascript                       "access plus 1 year"
      ExpiresByType application/manifest+json             "access plus 1 week"
      ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
      ExpiresByType text/cache-manifest                   "access plus 0 seconds"
      ExpiresByType text/markdown                         "access plus 0 seconds"
      ExpiresByType audio/ogg                             "access plus 1 month"
      ExpiresByType image/bmp                             "access plus 1 month"
      ExpiresByType image/gif                             "access plus 1 month"
      ExpiresByType image/jpeg                            "access plus 1 month"
      ExpiresByType image/png                             "access plus 1 month"
      ExpiresByType image/svg+xml                         "access plus 1 month"
      ExpiresByType image/webp                            "access plus 1 month"
      ExpiresByType video/mp4                             "access plus 1 month"
      ExpiresByType video/ogg                             "access plus 1 month"
      ExpiresByType video/webm                            "access plus 1 month"
      ExpiresByType application/wasm                      "access plus 1 year"
      ExpiresByType font/collection                       "access plus 1 month"
      ExpiresByType application/vnd.ms-fontobject         "access plus 1 month"
      ExpiresByType font/eot                              "access plus 1 month"
      ExpiresByType font/opentype                         "access plus 1 month"
      ExpiresByType font/otf                              "access plus 1 month"
      ExpiresByType application/x-font-ttf                "access plus 1 month"
      ExpiresByType font/ttf                              "access plus 1 month"
      ExpiresByType application/font-woff                 "access plus 1 month"
      ExpiresByType application/x-font-woff               "access plus 1 month"
      ExpiresByType font/woff                             "access plus 1 month"
      ExpiresByType application/font-woff2                "access plus 1 month"
      ExpiresByType font/woff2                            "access plus 1 month"
      ExpiresByType text/x-cross-domain-policy            "access plus 1 week"
    </IfModule>
    
    # Gzip compression
    <IfModule mod_deflate.c>
      <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE "application/atom+xml" \
                                      "application/javascript" \
                                      "application/json" \
                                      "application/ld+json" \
                                      "application/manifest+json" \
                                      "application/rdf+xml" \
                                      "application/rss+xml" \
                                      "application/schema+json" \
                                      "application/vnd.geo+json" \
                                      "application/vnd.ms-fontobject" \
                                      "application/wasm" \
                                      "application/x-font-ttf" \
                                      "application/x-javascript" \
                                      "application/x-web-app-manifest+json" \
                                      "application/xhtml+xml" \
                                      "application/xml" \
                                      "font/collection" \
                                      "font/eot" \
                                      "font/opentype" \
                                      "font/otf" \
                                      "font/ttf" \
                                      "image/bmp" \
                                      "image/svg+xml" \
                                      "image/vnd.microsoft.icon" \
                                      "image/x-icon" \
                                      "text/cache-manifest" \
                                      "text/calendar" \
                                      "text/css" \
                                      "text/html" \
                                      "text/javascript" \
                                      "text/plain" \
                                      "text/markdown" \
                                      "text/vcard" \
                                      "text/vnd.rim.location.xloc" \
                                      "text/vtt" \
                                      "text/x-component" \
                                      "text/x-cross-domain-policy" \
                                      "text/xml"
        </IfModule>
    </IfModule>
    
    # Fix for https://httpoxy.org vulnerability
    <IfModule mod_headers.c>
      RequestHeader unset Proxy
    </IfModule>
    

    main domain ht access is

    #Expires headers configuration added by Speed of Light plugin
    <IfModule mod_expires.c>
       ExpiresActive On
       ExpiresDefault A2592000
       ExpiresByType application/javascript "access plus 30 days"
       ExpiresByType text/javascript "access plus 30 days"
       ExpiresByType text/css "access plus 30 days"
       ExpiresByType image/jpeg "access plus 30 days"
       ExpiresByType image/png "access plus 30 days"
       ExpiresByType image/gif "access plus 30 days"
       ExpiresByType image/ico "access plus 30 days"
       ExpiresByType image/x-icon "access plus 30 days"
       ExpiresByType image/svg+xml "access plus 30 days"
       ExpiresByType image/bmp "access plus 30 days"
    </IfModule>
    #End of expires headers configuration
    
    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    
       RewriteEngine On
    
       RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
       RewriteBase /
       RewriteRule ^index\.php$ - [L]
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteRule . /index.php [L]
    
    </IfModule>
    
    # END WordPress
    # BEGIN Enable Gzip Compression
    # The directives (lines) between `BEGIN Enable Gzip Compression` and `END Enable Gzip Compression` are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml text/css application/x-javascript application/javascript
    </IfModule>
    # END Enable Gzip Compression
    
    # MalCare WAF
    <Files ".user.ini">
    <IfModule mod_authz_core.c>
      Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
      Order deny,allow
      Deny from all
    </IfModule>
    </Files>
    
    # END MalCare WAF
    

    now where should i add redirection lines to target ask www. redirection?

  • @hari another question is it okay to submit our website for https://hstspreload.org/ or it is better to wait for few months?

  • @hari HSTS will have no bearing on redirects, but it of course will require https to work correctly. You can go ahead and enable that.

  • @phenomlab my website is not loading 😢 please help

    is there any way to at least disable it temporarily?

  • @hari looks like i need to download the certificate from Cloudflare and apply it to my root?

  • @hari You can disable it at the CF level. That should be enough ?

  • @phenomlab i’m bit confused site did not work for 5min due to no proper certificate.

    to prevent it from happening shall i apply CF SSL certificate to my server?

    70e190d2-17fb-4709-85d8-cc6992115021-image.png

    ok, if something happens i will try disabling SSL at CF level

    now reading this https://support.cloudways.com/en/articles/5130554-how-to-configure-cloudflare-origin-certificate

  • This post is deleted!
  • @hari i’m configuring the origin server certificate hope that will not cause conflicts?

    ok, we will look it tomorrow. good night 🙂

  • @hari enabling HSTS should not be this complex. I’m not sure I understand the need for the origin certificate from CF as this should still work even with a trusted and verified cert on the destination and the communication mode for SSL set to strict.

    You can actually enable HSTS and SSL stapling at server level rather than CF.

  • @phenomlab Right now i am not facing any issues and everything is working perfectly

    i want to summarise all my settings

    CF settings
    SSL is set to full strict
    HSTS is enabled
    Automatic HTTPS Rewrites CF setting is ON

    disabled page rules for https redirect (earlier i used to use)


    Server-side let’s encrypt is enabled
    HTTP to HTTPS prediction is off


    i want to keep the settings like this since everything is working at the DNS level.

    if you suggest using HSTS and SSL from the server-side i will switch to it.

    the only problem with flarum www redirection

    https://domain.com/ask

    shall i define something at subdirectory ht. access for this? or something needs to be done at domain ht access?

  • @hari said in Enable HSTS and make sure everything is HTTPS:

    shall i define something at subdirectory ht. access for this? or something needs to be done at domain ht access?

    This makes the most sense to me as the redirect can be handled at the subdirectory level. HSTS should also work at the CF level without issue. What error do you get if you enable it ?

  • @phenomlab No error, it just stuck without www. It should supposed to get redirected to www.domain/ask

    This only happening with flarum all other wordpress subdirectories are getting redirected without any issue.

  • @hari Does it work if you set a redirect using rules at CF ?

  • @phenomlab Yes, if I set a page rule it used to work.

    Now shall I set a page rule for www at cloud flare (I don’t want to do it)

    I am guessing a www. Redirection at ask folder ht acess would resolve the issue.

  • @hari said in Enable HSTS and make sure everything is HTTPS:

    I am guessing a www. Redirection at ask folder ht acess would resolve the issue.

    It should, yes. Did you create one previously, and it was ignored ?

  • @phenomlab No, erlier I used to manage it using CF page rule (all in one rule https and www.) . Now as we switch to HSTS and there is a setting at CF as make sure every page is https it is taking care of http to https redirection so turned of page rules.

    Could you suggest me the ht access rule for ask folder only

    I have posted my ask folder ht access in my first post of this discussion

  • @hari So to confirm, you want all requests to this URL to be converted to https://www.domain.com ?

  • @phenomlab all WordPress installations for domain or subdirectory is properly getting redirected to www. so i don’t want to add any rules in main ht access

    i want all requests to “ask” folder to be converted to www. https://www.domain.com/ask

    only flarum is not doing www. redirection

    if writing a global rule is the right approach i will try that


Did this solution help you?
Did you find the suggested solution useful? Why not buy me a coffee? It's a nice gesture, and a great way to show your appreciation💗

  • 1 Votes
    3 Posts
    158 Views

    You might want to also review this post

    https://sudonix.org/topic/389/mongodb-backup-script

  • Getting Eror When Started NodeBB

    Solved Configure
    7
    2 Votes
    7 Posts
    249 Views

    @phenomlab yes i did.

    i deleted one of plugin then it started to work normally.

  • 2 Votes
    11 Posts
    313 Views

    @veronikya said in mongodb replica set:

    The host’s local dns resolution is not configured. The problem of the host’s hosts being unable to be resolved in docker has been solved. Surprisingly
    Solution:
    Edit the /etc/resovel.conf file
    Add 127.0.0.53

    One immediate issue I can think of here is that editing resolv.conf directly is no longer supported and not recommended (because the changes do not survive a reboot) - unless you install the resolvconf package?

  • Upgrade issues

    Solved Configure
    2
    2 Votes
    2 Posts
    130 Views

    Use this code

    git fetch # Grab the latest code from the NodeBB repository git checkout v3.x git reset --hard origin/v3.x

    And you will have the latest version without specifying it

    https://docs.nodebb.org/configuring/upgrade/

  • 2 Votes
    9 Posts
    231 Views

    @Panda I see why - if you check the browser console, there’s an error logged there. This is from one of my VM’s

    image.png

    There is a decision tree that pulls the value of the editor theme from the saved browser settings on each load, but that fails if the theme has never been changed, and the user has the default (in your case, you are using light mode, so it serves “flatly” by default, but the editor itself is never set and returns null

    This below code changes that

    /* If savedTheme is undefined it will return null - based on this, we assume that the user has the default theme selected and never changed it, so we'll need to force that here */ if(!savedTheme) { var savedTheme = "flatly"; }

    If you reload your browser and test again, it should work properly.

  • 2 Votes
    18 Posts
    444 Views

    @Panda You’ll need to do that with js. With some quick CSS changes, it looks like this

    d619844f-fbfe-4cf1-a283-6b7364f6bf18-image.png

    The colour choice is still really hard on the eye, but at least you can now read the text

  • 18 Votes
    53 Posts
    3k Views

    @JAC said in KeepSolid VPN Unlimited DEAL:

    although all are going to have their own flaws one way or another,

    Exactly that - none of them are going to suit every individual purpose. You have to read the reviews, decide what functionality you need, and then make a judgement call for yourself (and your own unique needs).

    There is no “wrong or right”, although I would steer clear of those that do not have a no-logs policy for privacy reasons alone.

  • 49 Votes
    213 Posts
    14k Views

    @crazycells briefly, yes. I think what concerns be the most with home brew VPN convective like this is a lack of security updates, and potentially leaving yourself open.

    I’ve yet to actually try it, but I know there are a variety of ways to achieve the same goal.