Protocol Problem PR and HTTPS Plugin #2449

Open
PopVeKind opened this Issue Oct 21, 2018 · 16 comments

Contributor

PopVeKind commented Oct 21, 2018

I Request to be Assigned to all HTTPS Issues.

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is.
Many issues have been raised about HTTPS Protocol Problems.

Describe the solution you'd like
A clear and concise description of what you want to happen.
Rewrite the core to not use constants to define a protocol.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
I Request to be Assigned to all HTTPS Issues.

Additional context
Add any other context or screenshots about the feature request here.

Introduction

I currently have under test an alpha-prototype Protocol Problem PR and HTTPS Plugin. I am refining these to be released before December. I am asking people to share, on this issue, any ongoing problem they have with anything to do with HTTPS or the involved core constants.

Protocol Problem PR

Removed Constants

This PR will remove the following core constants from the YOURLS core code.

  • YOURLS_SITE
  • YOURLS_ADMIN_SSL

Added Database Entries

For Existing Sites.

The above constants in config.php will first be parsed and the results will be stored in database entries.

For Newly Installed Sites.

The following defaults will be stored in the database protocol entries:

  • For Short URL Links: http://
  • For Admin URL Links: http://

HTTPS Plugin

The HTTPS Plugin is for advanced users who wish to use HTTPS on all or part of their YOURLS links. It will have one pulldown menu with the following three choices that will change the database protocol entries.

Only HTTP (Default)

  • For Short URL Links: http://
  • For Admin URL Links: http://

Admin HTTPS

  • For Short URL Links: http://
  • For Admin URL Links: https://

Full HTTPS

  • For Short URL Links: https://
  • For Admin URL Links: https://

Flex HTTPS

The HTTPS Plugin simply determines how links are built. Using the Server Block (Nginx) or .htaccess (Apache) you could receive and handle Short URL requests for any (or all) of the following on the same server, without additional redirection:

  • http://sho.rt/abc
  • https://sho.rt/abc
  • http://www.sho.rt/abc
  • https://www.sho.rt/abc
  • While REQUIRING HTTPS for the Admin Area. (This would redirect http:// requests to the Admin Area to use https://)

Benefits

This PR and Plugin will:

  • Make setting up HTTPS much easier.
  • Eliminate the YOURLS_SITE Trailing Slash Problem.
  • Reduce the Core Constants.
  • Reduce Newbie Confusion.
  • Move us closer to a true YOURLS MultiSite
  • Move us closer to a fast and easy Full-Fledged Browser Based Installer.

Requests

I am asking people to share, on this issue, any ongoing problem they have with anything to do with YOURLS HTTPS or the involved core constants. I will use these for testing scenarios.

ymage commented Oct 21, 2018

I welcome the proposal.

My only requirement is to have another way to configure yourls without the Full-Fledged Browser Based Installer.

Member

ozh commented Oct 21, 2018

Once again a post that's 2 screen long :(

"I Request to be Assigned to all HTTPS Issues" -> sure, go ahead, that's very welcome. One "small" requirement: submit tiny PR fixing one problem at a time and not a gigantic stuff fixing everything but that's impossible to grasp and review

Contributor

PopVeKind commented Oct 22, 2018

@ymage - Yes, I agree! The Full-Fledged Installer will NOT replace the config.php install. It will augment it by asking browser-based questions and then build a config.php file and load database entries. Simple, fast and easy. Most of all very Newbie friendly.

Contributor

PopVeKind commented Oct 22, 2018

"tiny PR fixing one problem at a time"

Yes Ozh, I have finally grasped how the YOURLS community works. Future PRs from me will focus on a single issue/problem and be as small as possible to deal with that issue.

Contributor

PopVeKind commented Oct 23, 2018

"a post that's 2 screen long"

@ozh - I would like your advice?

I get it in relation to posts within a discussion. My problem is while introducing a new PR Project. I would like others to comment/suggest. So I wrote the two screen overview. Would it be better to break the major headings into different posts which would send a number of emails for the overview?

Member

ozh commented Oct 23, 2018

@PopVeKind just write less. Seriously. Less words, less verbosity, less context, less "I'm currently doing this and that in regard to this and that", less headers / subheaders / subsubheaders. The sole fact that you use so many headers and sub headers indicates there are 12 ideas in your posts. Honestly and as harsh as it will sound, I didn't read your post past the very first line "I Request to be Assigned to all HTTPS Issues".

Contributor

PopVeKind commented Oct 23, 2018

@ozh - Got it! Thanks for the harsh, but honest advice, I will adapt.

ALLONEPLANET commented Oct 27, 2018

"I am asking people to share, on this issue, any ongoing problem they have with anything to do with YOURLS HTTPS"

SSL certificate is on.
www.a1p.uk redirects to a1p.uk (via Dreamhost setup)
httpaccess has RewriteCond %{HTTPS} =on

typing (or full link with) https://a1p.uk/med1 works
typing (or link with) a1p.uk/med1 does NOT work and gets a 404 error

There may be a workaround for the above situation that I haven't spotted yet?
I may have it configured incorrectly?
Or it may be useful for you to know so you can correct the issue? :-)

Well done on an awesome piece of software. loving it :-)

Contributor

PopVeKind commented Oct 30, 2018

@ALLONEPLANET

What works:
https://a1p.uk/med1
https://www.a1p.uk/med1

What does NOT work:
http://a1p.uk/med1
http://www.a1p.uk/med1

This is caused by an error in your .htaccess file.

.htaccess

Please note that this filename begins with a dot and also note the spelling.
If you put it in a file called httpaccess as your post stated, this will prevent it from working.

Likewise, RewriteCond %{HTTPS} =on MUST ALWAYS be followed by a RewriteRule

If your .htaccess file is short, say 30 lines, or less, would you consider posting it here?

Or, copy/paste any lines you think would relate to this domain or problem.

Something to check:

The RewriteRule in .htaccess basically has two parts and looks something like this:

RewriteRule {first part} {second part} [flags]

If you have any rule that the second part begins with http:// you need to change that to https:// to force Apache to redirect to the httpS version.

There is a way to allow YOURLS to service both http and https requests (no double redirect); however, I would need to know more about your .htaccess to suggest a change.

If your yourls install is new, better just stick to https://.
If your yourls is old with thousands of links to http:// it might be worth servicing those links in http://

ALLONEPLANET commented Nov 3, 2018

Thank you PopVeKind for your reply - much appreciated!
The .htaccess file has the correct spelling (& dot) in the server. Sorry for the confusion.
Here is the complete text within the .htaccess file:

# BEGIN YOURLS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
    RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ /yourls-loader.php [L]
</IfModule>
# END YOURLS

Thanks :-)

Contributor

PopVeKind commented Nov 4, 2018

@ALLONEPLANET

Your website appears to be doing exactly what your .htaccess tells it to do! That didn't help much!

Short/Easy .htaccess Lesson

RewriteCond is shorthand for "Rewrite Condition". In other words, if this condition is true, do the next RewriteRule. You can have more than one condition. Your .htaccess has three conditions to run yourls.

  1. RewriteCond %{HTTPS} =on ---The request must be https:// (http is NOT allowed!)
  2. RewriteCond %{REQUEST_FILENAME} !-f ---The request is not a physical file.
  3. RewriteCond %{REQUEST_FILENAME} !-d ---The request is not a physical directory.

The problem line is RewriteCond %{HTTPS} =on. It MUST be https:// or it fails! 404 File Not Found! If it is http - it fails...

Many well meaning people on the internet think RewriteCond %{HTTPS} =on turns on https, but it doesn't! That advice is mistaken.

Some assumptions

Before I tell you some ways to fix your .htaccess problem, let's verify some assumptions I have made.

  1. I assume you want everything to run under httpS with ssl encryption. That is the most secure.
  2. I assume your config.php contains httpS:
    define( 'YOURLS_SITE', 'https://a1p.uk' );
  3. I assume your config.php does NOT contain any:
    define( 'YOURLS_ADMIN_SSL' ...

Very Easy

Just delete RewriteCond %{HTTPS} =on from .htaccess
Pros:

  • Very Easy!

Cons:

  • Allows Admin Area to run as http.
  • Not secure.
  • Not recommended.

Best Practice

Tomorrow I will post the .htaccess file I use on my https sites and I consider Best Practice!

ALLONEPLANET commented Nov 4, 2018

Contributor

PopVeKind commented Nov 5, 2018

BEST PRACTICE

Just copy/paste this into your .htaccess file in your Apache DocumentRoot.

Best For:

  1. YOURLS Site
  2. WordPress Site
  3. YOURLS plus WordPress Site (Together in DocumentRoot).

# BEGIN YOURLS and/or WordPress
RewriteEngine On
RewriteBase /

# Use HTTPS on this site.
# Comment the next two lines if you use HTTP.
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

# Run index.php in the DocumentRoot
RewriteRule ^index\.php$ - [L]

# Add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

# Run any Physical File or Directory
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# Run YOURLS
RewriteRule ^([0-9a-zA-Z-]+)\+?$  yourls-loader.php [L]

# Run WordPress (or index.php)
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
# END YOURLS and/or WordPress

Pros:

  • VERY EASY (copy/paste)
  • Works with all Standard YOURLS Setups.
  • Works with Allow Hyphens in Short URLs plugin
  • Works with WordPress! Single Site, MultiSite SubDomains, MultiSite Networks!

Cons:

  • The Slash(/) is reserved for WordPress. You should NOT use a Slash(/) in a YOURLS keyword anyway.
  • WordPress MultiSite SubDirectory is NOT compatible with YOURLS nor this .htaccess file.

Notes:

  • Give WordPress its Own Directory? It works! Follow WordPress instructions.
  • I do not use <IfModule mod_rewrite.c></IfModule> It's redundant!
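
Added example, not part of any comment in this thread and not YOURLS project code: the "Flex HTTPS" arrangement from the opening post, written as a variant of the rule set above for a DocumentRoot that holds only YOURLS. It assumes the admin area is served from /admin/ and that the http and https virtual hosts both point at this directory.

```apache
# BEGIN YOURLS (Flex HTTPS, added example)
RewriteEngine On
RewriteBase /

# Require HTTPS for the Admin Area only (assumed path: /admin/).
# %{HTTPS} is a test, not a switch: the RewriteRule that follows
# the condition is what actually performs the redirect.
RewriteCond %{HTTPS} !=on
RewriteRule ^admin(/.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Run any Physical File or Directory
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# Run YOURLS: short URLs are answered on http:// and https:// alike,
# on whichever host name the request arrived, with no extra redirect.
RewriteRule ^([0-9a-zA-Z-]+)\+?$ yourls-loader.php [L]
# END YOURLS
```

Because the redirect target is built from %{HTTP_HOST}, it follows whatever host name the client sent; replace it with a fixed host name if only one should ever serve the admin area.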

Contributor

PopVeKind commented Nov 5, 2018

KISS

Keep It Simple Sweetheart!

I love simple things. If something is simple enough I rarely make a mistake.

The above .htaccess is so simple I use it for HTTP, HTTPS, YOURLS, WordPress, and even YOURLS plus WordPress!

I hope it helps others too.

Regards,

Pop

Contributor

PopVeKind commented Nov 5, 2018

FOR ADVANCED ADMINS ONLY

Add extra characters to YOURLS Charset.

  1. Do NOT use a slash(/) in YOURLS! The slash(/) is reserved for WordPress.
  2. Add the YOURLS Plugin of your choice and add your extra characters.
  3. Add characters to the .htaccess # run YOURLS between the Z and the dash(-).

Example:

  • Add a tilde(~) and an underscore(_) via your plugin.
  • Change [0-9a-zA-Z-] to [0-9a-zA-Z~_-] add between the Z and the dash(-). Like this:
  • RewriteRule ^([0-9a-zA-Z-]+)\+?$ yourls-loader.php [L]
  • RewriteRule ^([0-9a-zA-Z~_-]+)\+?$ yourls-loader.php [L]

ALLONEPLANET commented Nov 5, 2018