Facing problem on cloudflare URL redirect - url

I have created a page rule :
URL: *example1.org/*
Setting: Forwarding URL
Status: 302
Destination URL: https://example2.com
Above rule is working fine with http and https but not working with www. Thank you in advance for your kind help.
NOTE: There is an A entry for domain and CNAME entry for www in cloudflare DNS, both proxy enabled.

Related

Unable to add credentials in Jenkins when accessed via reverse proxy ( Netscaler)

Background
We used to access Jenkins via Hostname and port format and never had issues. eg : http://Jenkinsci.company.com:8080.
We had an internal requirement to enable Jenkins access via company Netscaler (https://apps.company.com/).
So new Netscaler context was created and new url :https://apps.company.com/jenkins now points to -> http://Jenkinsci.company.com:8080. I also added JENKINS_ARGS="--prefix=/jenkins" in etc/sysconfig/jenkins.
Issue
Initially we couldnt login. As soon as we clicked on login, we used to get redirected to http page. i.e
https://apps.company.com/jenkins -> http://apps.company.com/jenkins.
. So since login was not working, http to https redirection was setup at Netscaler level. Then login worked.
Now we observed we couldn't add credentials in Jenkins.
Now after adding the credentials, the drop down doesn't show the newly added credentials.
I debugged in Browser and could see the below error message.
Mixed Content: The page at 'https://prod.company.com/jenkins/job/test1/job/test/configure' was loaded over HTTPS, but requested an insecure form action 'http://prod.company.com/jenkins/descriptor/com.cloudbees.plugins.credentials.CredentialsSelectHelper/resolver/com.cloudbees.plugins.credentials.CredentialsSelectHelper$ItemContextResolver/provider/com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider/context/test1/addCredentials'. This request has been blocked; the content must be served over HTTPS.
I also compared the network messages of adding credentials via Netscaler and directly via host and they look same except in success scenario there are couple of more steps executed.
Success
Request URL: http://Jenkinsci.company.com:8080/jenkins/descriptorByName/com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl/checkId?value=&$provider=com.cloudbees.plugins.credentials.CredentialsSelectHelper%24ItemContextResolver&$token=test
Request URL: http://Jenkinsci.company.com:8080/jenkins/descriptorByName/com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl/checkId?value=asdad&$provider=com.cloudbees.plugins.credentials.CredentialsSelectHelper%24ItemContextResolver&$token=test
Request URL: http://Jenkinsci.company.com:8080/jenkins/descriptor/com.cloudbees.plugins.credentials.CredentialsSelectHelper/resolver/com.cloudbees.plugins.credentials.CredentialsSelectHelper$ItemContextResolver/provider/com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider/context/test/addCredentials
Request Method: POST
Request URL: http://Jenkinsci.company.com:8080/jenkins/job/test/job/tess/descriptorByName/hudson.plugins.git.UserRemoteConfig/fillCredentialsIdItems
Failure
Request URL: https://prod.company.com/jenkins/descriptorByName/com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl/checkId?value=&$provider=com.cloudbees.plugins.credentials.CredentialsSelectHelper%24ItemContextResolver&$token=test1
Request URL: https://prod.company.com/jenkins/descriptorByName/com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl/checkId?value=sdfsr&$provider=com.cloudbees.plugins.credentials.CredentialsSelectHelper%24ItemContextResolver&$token=test1
Any idea what may be the issue and way to resolve without putting a SSL certificate to jenkins instance?
Thanks in advance.
I spoke with Netscaler team and initially we added http to https redirection, but it didn't work.
Then I shared below link with them.
Jenkins Reverse Proxy setup
In our setup, Netscaler was accessed via https ,but Jenkins was accessed via HTTP. So we needed to set "X-Forwarded-Proto" header in Netscaler for the request rewrites.
Initially we set X-Forwarded-Proto" header in Netscaler for the response rewrites and it was not working. Be aware that there are very minimal logs and debugging will be difficult.
Hopefully this helps someone.

is it possible to restrict access by using ipaddress?

I have recently installed ssl certificate to a site.
I tried accessing the site using ip address
133.255.214.180
it redirects to
https://133.255.214.180/
it then shows that "your connection is not private" ssl certificate error. I had bought ssl certificate for domain name and not ip address.
when i access using the domain name for example
www.example.com
then it redirects to
https://www.example.com
without ssl certificate error.
I used redirection in nginx as
server {
listen 80;
server_name 133.255.214.180;
return 301 https://www.example.com;
}
I want to make it so that when the user types in the ip address at the url bar of the browser then it redirects to the domain name i.e https://www.example.com so that it doesnt show ssl certificate error. Is this possible to achieve?
I appreciate any help. Thanks!
HTTPS handshake is done before sending the actual request, so if you type https://something_without_valid_cert you will always receive that error.
With sending the request I mean even "opening" the HTTP communication, including sending back the redirect.
The reason is very simple, if the certificate is not valid you cannot trust the server, it could respond with anything, including a malicious redirect.
Your nginx configuration should work if you type http://the_ip_address. Because you send back a 301 (Moved Permanently) the browser next time will perform the redirect automatically without calling the server.

Scheme relative URL

There are a lot of questions on SO regarding scheme relative URL, but I don't understand what will happen in these scenarios:
1) I am on HTTPS clicking on href="//example.com/" (example.com doesn't have SSL (it's HTTP), so browser will try to open HTTPS://example.com/ (because it wants to match the current scheme) and if there won't be HTTPS scheme it will open HTTP://example.com/?
2) Vice-versa going from HTTP to HTTPS, when the target //example.com/ is only HTTPS. Will browser open HTTPS if the destination target does not have HTTP?
The browser will try to open the URL using the same scheme it's currently on; if it's currently on HTTPS, it will request the URL with HTTPS and vice versa for HTTP. If the target server does not support that scheme, it will simply fail. In case of a server which only supports HTTPS, that usually means that it enforces HTTPS; if you make an HTTP query to that server it often simply redirects to the HTTPS version of the same page. That's entirely up to the server to do though.
If a server only supports HTTP, that usually means that it doesn't have HTTPS at all. In that case an HTTPS request would simply fail and the browser will display an error message along the lines of "couldn't establish a secure connection/couldn't connect to server".
I have found the way how to do this with some inspiration from the answer on how to link to different port as I needed to do both. The way is:
<a href="/vnc.html" onclick='javascript:event.target.port=6080;event.target.protocol="https:"'>VNC connection</a><br />

Redirect mysite.com to www.mysite.com with SSL wildcard before security warning

I have an SSL wildcard for my rails site through DNSimple, and have deployed to Heroku.
I have smoothly functioning full-site SSL for all subdomains of my site, except for when I enter my site name without a subdomain into a browser for the first time.
Although my Heroku settings redirects http://mysite.com to https://www.mysite.com, the browser pops up a security warning first, because the SSL certificate for *mysite.com requires a subdomain.
Is there a way to redirect from no subdomain to with subdomain before checking for the security certificate?
This is a substantial issue, as it's unreasonable to require/expect first time visitors to type in www before the site name.
you can use subdomain redirection: https://devcenter.heroku.com/articles/avoiding-naked-domains-dns-arecords#subdomain-redirection
but I think only with the www form, as it warns:
Requests made directly to naked domains via SSL (i.e.
https://mydomain.com) will encounter a warning when using subdomain
redirection. This is expected and can be avoided by only circulating
and publicizing the subdomain format of your secure URL.

How to redirect a url like https://mydomain.com to https://www.mydomain.com from within Rails

I am using a SSL cert for www.mydomain.com from GoDaddy on Heroku. How can I redirect from the root url, https: //mydomain.com to https: //www.mydomain.com from within rails so my cert will work? I have been able to redirect all other combination with custom middleware, so that SSL is always serverd, but can't figure out how to do this without the browser detecting the lack of a cert for https://mydomain.com/. Is there something like a rack env[HOST] that I can rewrite? Thanks in advance....
The browser compares the cert to the domain name way before Rails even gets a chance to touch it - in fact, it's the very first part of the negotiation with the server, so you can't even use Apache Rewrite to change it.
What you should do is add mydomain.com to your cert. They're called "unified communications" certificate, although GoDaddy just calls them a Multiple Domain cert. http://help.godaddy.com/article/3908

Resources