
I have uploaded my SSL certificates (purchased from Comodo) to IAM and everything looks fine in Chrome and Opera. But Mozilla is giving an error: "Connection Partially encrypted". I am not able to gauge why this is happening. Link: https://www.advisorcircuit.com/ Please tell me what the possible culprit for this is. I also want to know how I can redirect my users to HTTPS even if they type http, because even if I type http the website loads and opens. I am using an AWS t2.medium instance. So is there any configuration I need to do in my console?

Uday Khatry
    You are including your Google Fonts using `http` instead of `https`. Change that in your code and you won't get the "Connection Partially encrypted" message. – dgil May 15 '15 at 09:04

2 Answers


Redirection: You have a few options:

  • Block HTTP traffic and only allow HTTPS at the Security Group level (not the nicest solution).
  • Use an Elastic Load Balancer listening only on the HTTPS port (same as above).
  • The webserver (most of them, like Tomcat, IIS, etc.) supports a redirection, so it sends back "HTTP/1.1 301 Moved Permanently", then the client browser makes the call again on HTTPS.
  • If you use an Elastic Load Balancer with SSL termination (which is a good practice: less load on your server, easier setup of the SSL certificate), then all your traffic inside your VPC goes on port 80. In this case you need to set up your webserver to redirect differently. Instead of the incoming port, the trigger for the redirection should be based on the "X-Forwarded-Proto" header value, which is the original protocol that the client is using.

For a production environment the last setup is an AWS best practice (of course there are also other solutions).

Adam Ocsvari
  • How can I set the value of these headers? Is there a way I can do this through the AWS console? Do I need to edit the listeners of the ELB? – Uday Khatry May 15 '15 at 09:48
  • Why do you want to set the header? If you are using an AWS Elastic Load Balancer, which accepts incoming traffic on both the HTTP and HTTPS protocol and forwards your traffic to your instance(s) on port 80, then it puts the X-Forwarded-Proto header value into the header of the HTTP call. If you are not writing your own load balancer, I don't see any reason to manually change this value. – Adam Ocsvari May 15 '15 at 09:53
  • But I want to put the X-Forwarded-Proto header value into the header of the HTTPS call so that if any user types with HTTP they are also redirected to https. Is there something wrong with my understanding? – Uday Khatry May 15 '15 at 09:57
  • Please read the link in my answer: "X-Forwarded-Proto specifies the protocol (“http” or “https”) of the original request made to the Elastic Load Balancer." It means that value is the original protocol that the user used. We need this because your webservers will only get requests on port 80 from the load balancer (so they don't need to deal with SSL encryption, etc.). But if your server gets requests only on port 80, how will it know which calls to redirect and which not? One solution is to check the original protocol, which is in this header variable. – Adam Ocsvari May 15 '15 at 10:01
  • Redirect like this: http://stackoverflow.com/questions/26620670/apache-httpx-forwarded-proto-in-htaccess-is-causing-redirect-loop-in-dev-envir – Adam Ocsvari May 15 '15 at 10:02
  • Okay. Now I get it. So the X-Forwarded-Proto header is the value of the protocol which the user used to make the request? But isn't there any way I can redirect them to the HTTPS protocol? Isn't there any server configuration which redirects them? I have heard a 301 redirect can solve the purpose, but I have no clue how we do that. – Uday Khatry May 15 '15 at 10:04
  • See the link in my previous comment. But the redirection depends on your server; are you using IIS? Tomcat? – Adam Ocsvari May 15 '15 at 10:06

Your site is running Apache/2.2.29. You can redirect your virtual host traffic from 80->443 in Apache itself. That way if someone goes to http://www.yourdomain.com they get redirected to https://www.yourdomain.com

ServerFault has a post explaining how to use Apache mod_rewrite to accomplish this: https://serverfault.com/a/554183/280448

Also, you need to adjust the SSL cipher suites that your site accepts. Your ELB has an option to change cipher suites and you can deselect some there. The two you definitely want deselected are RC4 and SSL3.

Here's the full report if you want to make more changes:
https://www.ssllabs.com/ssltest/analyze.html?d=www.advisorcircuit.com&s=52.7.154.196&latest

greg_diesel
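Putting the two answers together, here is an added example of an Apache 2.2-style configuration that does the 80->443 redirect both ways: with TLS terminated on the ELB (so the decision must come from X-Forwarded-Proto, as Adam Ocsvari's answer explains) and with TLS terminated on Apache itself (greg_diesel's case). This is not configuration from the question, from either answer, or from the linked posts; the hostname, document root, certificate paths and the /health health-check path are assumptions.

```apache
# Added example, not from the original question or answers.
# Assumed: www.example.com, /var/www/html, /health as the ELB health-check path.

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html

    RewriteEngine On

    # Case 1: TLS terminated on the ELB. Both the HTTP and the HTTPS listener
    # forward to this port-80 vhost, so a rule keyed on the port would redirect
    # every request and loop. The ELB sets X-Forwarded-Proto to the scheme the
    # client used, so redirect only when that is not "https".
    #
    # The ELB health checker talks to the instance directly and sends no
    # X-Forwarded-Proto; without the exemption it would receive a 301 instead
    # of the 200 it expects and mark the instance unhealthy.
    RewriteCond %{REQUEST_URI} !^/health$
    RewriteCond %{HTTP:X-Forwarded-Proto} !=https
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Case 2: no load balancer, Apache itself listens on 80 and 443.
    # Then the header never exists and the port is the right trigger:
    #
    # RewriteCond %{SERVER_PORT} !^443$
    # RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Only needed for case 2. When TLS ends on Apache rather than the ELB, the
# equivalent of deselecting RC4 and SSL3 in the ELB cipher settings is done
# here with SSLProtocol and SSLCipherSuite.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt    # assumed path
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key  # assumed path
    SSLCertificateChainFile /etc/ssl/certs/comodo-chain.crt       # assumed path

    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
</VirtualHost>
```

After reloading Apache, a quick check from the instance is `curl -I -H "X-Forwarded-Proto: http" http://localhost/` (expect a 301 with a `Location: https://...` header) versus `curl -I -H "X-Forwarded-Proto: https" http://localhost/` (expect 200), and `curl -I http://localhost/health` must stay 200 or the ELB will drain the instance. The mixed-content warning from the question is separate from the redirect: the `http://` Google Fonts URL in the page markup has to become `https://` (or scheme-relative `//`), because a server-side redirect does not rewrite the links inside the HTML the browser already received.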