Automatically redirect to HTTPS with .htaccess

I caught the flu last week; that’s why I haven’t been posting regularly.  =0(

Anyway, I wrote previously on how to password-protect a website/page, but in this post I’ll show you how to redirect a user automagically to HTTPS.

All you need to do is add the following rewrite directives to the site’s configuration (I’ll be using the Squirrelmail website as an example; the steps below edit its Apache conf file rather than a .htaccess file):

1.  I use Apache 2, so I do:

vi /etc/httpd/conf.d/squirrelmail.conf

Initially, it will look like:

# SquirrelMail is a webmail package written in PHP.
Alias /webmail /usr/share/squirrelmail
<Directory /usr/share/squirrelmail>
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

2.  Add the following, like so:

# SquirrelMail is a webmail package written in PHP.
Alias /webmail /usr/share/squirrelmail
<Directory /usr/share/squirrelmail>
    # Send any request that arrived over plain HTTP to the same host and path on HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

3.  Save and exit by typing :wq!.

4.  Restart Apache like so: service httpd restart.

That’s it!  When someone visits http://www.website.com/webmail, Apache will automatically redirect the user to https://www.website.com/webmail.
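A quick way to confirm the redirect, as an added example that is not part of the original post: the rule builds its target from the request's Host header, so the check below confirms that the response is a redirect, that it points to HTTPS, and that it names the host you expect. The function names and the sample response are constructed for illustration.

```shell
#!/bin/sh
# check_https_redirect EXPECTED_HOST < response-headers
# Prints one verdict: ok | no-redirect | not-https | wrong-host
check_https_redirect() {
    expected_host=$1
    # HTTP headers end in CRLF; drop the CRs before parsing.
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1) == "location:" { print $2; exit }')

    case $status in
        301|302|303|307|308) ;;
        *) echo "no-redirect"; return 1 ;;
    esac
    case $location in
        https://*) ;;
        *) echo "not-https"; return 1 ;;
    esac

    # The host is whatever sits between "https://" and the next "/".
    host=${location#https://}
    host=${host%%/*}
    if [ "$host" != "$expected_host" ]; then
        echo "wrong-host"; return 1
    fi
    echo "ok"
}

# Constructed sample response for a request to /webmail over plain HTTP.
sample_response() {
    printf 'HTTP/1.1 302 Found\r\n'
    printf 'Location: https://www.website.com/webmail\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
}

# Live use (the hostname is the post's placeholder):
#   curl -sI http://www.website.com/webmail | check_https_redirect www.website.com
sample_response | check_https_redirect www.website.com
```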

Hope this helps.  Take care!

Creating a self-signed cert

If you need to support or serve your website using SSL, but only for personal purposes, such as a webmail, you’ve probably come across the problem of creating your own server certificate.

Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers.

If so, run the following to create a self-signed cert:

1.   Via a terminal window, run these commands in sequence:

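# Generate a 2048-bit RSA private key (1024-bit keys are no longer considered adequate)
openssl genrsa -out server.key 2048
# Create a certificate signing request; you will be prompted for the certificate details
openssl req -new -key server.key -out server.csr
# Write out a copy of the private key to sign with (treat it like server.key)
openssl rsa -in server.key -out signingkey.key
# Self-sign the request, valid for 10 years
openssl x509 -in server.csr -out selfsigned_digicert.crt -req -signkey signingkey.key -days 3650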
chmod 600 server.key
chmod 600 selfsigned_digicert.crt
mkdir -p /etc/pki/tls/private
mkdir -p /etc/pki/tls/certs
cp server.key /etc/pki/tls/private/localhost.key
cp selfsigned_digicert.crt /etc/pki/tls/certs/localhost.crt

2.   Restart httpd (I run FC6), like so:

service httpd restart

That’s it!  You can now serve your website via SSL.  Don’t forget to open up your firewall to accept HTTPS connections (TCP port 443).
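Before copying the files into /etc/pki/tls, it is worth checking the pair. The script below is an added example, not from the original post: it confirms that the certificate was issued for this private key, that the RSA key is at least 2048 bits (an assumed minimum, adjustable), and that the certificate is not within 30 days of expiry. The function names and demo file names are hypothetical.

```shell
#!/bin/sh
# check_cert_pair CERT KEY [MIN_BITS]
# Prints one verdict: ok | unreadable | mismatch | weak-key | expiring
check_cert_pair() {
    cert=$1; key=$2; min_bits=${3:-2048}

    # Key size comes from the "Private-Key: (N bit ...)" line of the text dump.
    bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    # Public key as stored in the cert, and as derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null) || key_pub=

    if [ -z "$bits" ] || [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "unreadable"; return 1
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "mismatch"; return 1
    fi
    if [ "$bits" -lt "$min_bits" ]; then
        echo "weak-key"; return 1
    fi
    # -checkend N fails if the cert expires within N seconds (30 days here).
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "expiring"; return 1
    fi
    echo "ok"
}

# Throwaway key and self-signed cert in directory $1, for trying the check.
make_demo_pair() {
    openssl genrsa -out "$1/demo.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/demo.key" -subj "/CN=localhost" \
        -days 365 -out "$1/demo.crt" 2>/dev/null
}

# With the post's file names:
#   check_cert_pair selfsigned_digicert.crt server.key
```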

Password-Protecting your pages with .htaccess

If you develop websites or administer them, you’ve probably been asked or required to password-protect parts of a website. 

So, to help you out, here’s a quick how-to in Apache using .htaccess:

  1. Open a terminal window and navigate to the folder or page(s) you’d like to add a password requirement.
  2. Once there, type the following: htpasswd -c .htpasswd username.  BTW, you can give .htpasswd another name (something that is hard to guess is preferable).
  3. Enter the password you’d like to associate with the username (from above).  This will create the user and an encrypted password.
  4. Next, create the .htaccess file by typing: vi .htaccess, and add the following in the .htaccess file:

To protect a folder

AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "Your Secret Folder"
Require valid-user

To protect a page

AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "Your Secret Page"
<Files "yourpage.html">
  Require valid-user
</Files>

Note: You can use a different name for .htpasswd so it’s harder for a hacker to figure it out.

5.   Type :wq! to save and exit. 

6.   For better security, perform a chmod on .htaccess, like so: chmod 644 .htaccess.

As you can see, the steps above are pretty straightforward.  Also as an FYI, Apache blocks any requests for anything that starts with “.ht”.
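To see which hashing scheme the entries created in step 3 actually use, the added example below (not part of the original post) classifies each line of an htpasswd file by its hash prefix and lists users stored with schemes the Apache documentation marks as insecure. The function names and sample entries are constructed; the hashes are placeholders, not real ones.

```shell
#!/bin/sh
# htpasswd_audit < FILE
# Prints "user:scheme" for every entry, identifying the scheme by hash prefix.
htpasswd_audit() {
    while IFS=: read -r user hash _rest; do
        case $user in ''|'#'*) continue ;; esac   # skip blank and comment lines
        case $hash in
            '$2y$'*|'$2a$'*|'$2b$'*) scheme=bcrypt ;;
            '$5$'*|'$6$'*)           scheme=sha-crypt ;;
            '$apr1$'*)               scheme=apr1-md5 ;;
            '{SHA}'*)                scheme=sha1-unsalted ;;
            ?????????????)           scheme=crypt-des ;;   # 13 chars (heuristic)
            *)                       scheme=plaintext-or-unknown ;;
        esac
        printf '%s:%s\n' "$user" "$scheme"
    done
}

# weak_htpasswd_users < FILE
# Prints the users whose entry should be regenerated with a stronger scheme.
weak_htpasswd_users() {
    htpasswd_audit | awk -F: '
        $2 == "sha1-unsalted" || $2 == "crypt-des" ||
        $2 == "plaintext-or-unknown" { print $1 }'
}

# Constructed sample file: one entry per scheme, placeholder hash values.
sample_htpasswd() {
    cat <<'EOF'
alice:$2y$05$CONSTRUCTEDconstructedCONSTRUCTEDconstructedCONSTRUCTEDc
bob:$apr1$CONSTRCT$constructedconstructed
carol:{SHA}Y29uc3RydWN0ZWQtbm90LWEtcmVhbC1oYXNo
dave:xxCONSTRUCTED
EOF
}

# Real use:  weak_htpasswd_users < /full/path/to/.htpasswd
sample_htpasswd | htpasswd_audit
```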

That’s basically it, I hope this post helps you out.  =0)

SideStep.com: What technology used?

My sister’s been shopping around for airline tickets to go to Asia without any luck.  So, the geekness in me felt the need to help her out. 

Scanning through some blogs I read regularly, I came across SideStep.com.  It is one of the “newer” travel websites that search a lot of other websites’ flight information, which got me curious as to what technology they use. 

Watching what other people/companies are doing and using helps me stay up-to-date with all these technologies.

I initially wasn’t able to figure out what technologies drive their website until I:

  1. Used Steve Gibson’s excellent ID Serve tool to find out what web server they were using
  2. Looked for file extensions and came across the .do extension on one of their links. 
  3. Checked out the HTML code and scanned for methods that buttons and other input controls were calling.

So, for the web server, it’s none other than Apache (yeah!):

HTTP/1.1 301 Moved Permanently
Date: Fri, 13 Apr 2007 21:32:05 GMT
Server: Apache
Location: http://www.sidestep.com/
Content-Length: 294
Connection: close
Content-Type: text/html; charset=iso-8859-1

For the back-end, it’s Java, most likely an Apache Struts implementation:

And of course, a ton of JavaScript code for client-side functionality.

From this brief investigation, I also learned that SideStep.com, though a newcomer, is giving Orbitz and Expedia a run for their money.  Cool!  Better for us consumers.

To summarize: Try to regularly observe what other people and companies are doing, so as to keep yourself up-to-date.  And along with that, try the techniques I mentioned above for your investigation, as you might learn a thing or two.  =0)

Disclaimer: There are a lot of other techniques and tools that you can use, but the steps above, though they may be incomplete, served the purpose of this post.