Access files using both HTTP and HTTPS
-
- Microbot
- Posts: 116
- Joined: Mon Apr 13, 2020 3:07 pm
Access files using both HTTP and HTTPS
Hello, simple question: would it be possible to exempt ZXDB entries from the forced HTTPS redirect?
I know it is a standard practice to accept HTTP requests and redirect them to their HTTPS counterparts globally, for the entire site. But it prevents clients which can't use HTTPS for one reason or another from accessing the files. So another common practice is actually force the redirect only for the pages themselves, but allow dual access for chosen directories. The pages themselves still refer to the files using HTTPS, so the privacy of normal users is never compromised, however users which need it may choose to access the files using HTTP instead of HTTPS.
I am asking on behalf of ZXDS users which are stuck with the older 1.x version for Nintendo DS/DSi. The newer 2.x version for 3DS/2DS now supports HTTPS connections and can download entries from the ZXDB database. Of course, upgrading to the 3DS would be the best option, but I understand that not everyone can shell out for 3DS/2DS, so it seems plenty of users out there feel left behind.
If you allowed the dual access to ZXDB entries, I could adjust the relevant ZXDB config accordingly and those people could enjoy the latest ZXDB entries.
Thanks for considering this.
Patrik
I know it is a standard practice to accept HTTP requests and redirect them to their HTTPS counterparts globally, for the entire site. But it prevents clients which can't use HTTPS for one reason or another from accessing the files. So another common practice is actually force the redirect only for the pages themselves, but allow dual access for chosen directories. The pages themselves still refer to the files using HTTPS, so the privacy of normal users is never compromised, however users which need it may choose to access the files using HTTP instead of HTTPS.
I am asking on behalf of ZXDS users which are stuck with the older 1.x version for Nintendo DS/DSi. The newer 2.x version for 3DS/2DS now supports HTTPS connections and can download entries from the ZXDB database. Of course, upgrading to the 3DS would be the best option, but I understand that not everyone can shell out for 3DS/2DS, so it seems plenty of users out there feel left behind.
If you allowed the dual access to ZXDB entries, I could adjust the relevant ZXDB config accordingly and those people could enjoy the latest ZXDB entries.
Thanks for considering this.
Patrik
Re: Access files using both HTTP and HTTPS
Hi,
If you speak to [mention]chernandezba[/mention] he has done something with his ZEsarUX emulator in regard to http / https issues. He was having similar issues to you
For security I want to keep with https only across the site. Sorry.
Please also note that some titles are only hosted here with agreement with the developers for access via SC. For example Zenobi. I can provide a list of these small number of cases.
If you speak to [mention]chernandezba[/mention] he has done something with his ZEsarUX emulator in regard to http / https issues. He was having similar issues to you
For security I want to keep with https only across the site. Sorry.
Please also note that some titles are only hosted here with agreement with the developers for access via SC. For example Zenobi. I can provide a list of these small number of cases.
-
- Microbot
- Posts: 116
- Joined: Mon Apr 13, 2020 3:07 pm
Re: Access files using both HTTP and HTTPS
Thanks for the answer. Your site, your rules, I respect that. Although I am not sure which security exactly does allowing optional HTTP access forfeit as far as the server is concerned.
Best,
Patrik
Best,
Patrik
Re: Access files using both HTTP and HTTPS
Hi,
If anyone here has a deep understanding of LetsEncrypt and can offer to help, I'm happy to reconsider.
I just remember LetsEncrypt took me a long time to get right, so am nervous about changing and opening up to any vulnerability.
I remember we had issues where certain elements of the page were not https so it broke the certificate.
I'm not an expert in this area and ended up following a few tutorials.
I do want to help you.
If anyone here has a deep understanding of LetsEncrypt and can offer to help, I'm happy to reconsider.
I just remember LetsEncrypt took me a long time to get right, so am nervous about changing and opening up to any vulnerability.
I remember we had issues where certain elements of the page were not https so it broke the certificate.
I'm not an expert in this area and ended up following a few tutorials.
I do want to help you.
-
- Microbot
- Posts: 116
- Joined: Mon Apr 13, 2020 3:07 pm
Re: Access files using both HTTP and HTTPS
Indeed, using http:// elements on a https:// page is really a big no-no. But that's not what is needed here. There is no need to set up fully dual-access site, so you do not need to worry about this getting broken. In fact, there is no need to touch any webpages themselves or anything like that at all.
Well, I have been setting up web servers since the late 90's, among other things, so let me help. I can understand your reluctance to change anything which runs just fine. That's perfectly right. However, since you already have the SSL certificate up and running, which is the hardest part, adding an exception for some subdirectories is not that hard. Let me explain.
As you can verify yourself, if you go to http://spectrumcomputing.co.uk, you get automatically redirected to the https:// counterpart. This means that you are in fact already accepting connections for HTTP, but they are just redirected. Seeing you are using Apache, it means that you have a global redirect of some sort like this somewhere in your config or in the root `.htaccess` file:
Code: Select all
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
So, to disable this redirect for some part of the site, like the /zxdb/sinclair subdirectory, all that is needed is to disable the rewrite engine for that directory. The easiest way is to add the `.htaccess` file directly in that directory. So, if you create file `.htaccess` in there and put in
Code: Select all
RewriteEngine Off
BTW, if you don't feel confident enough to test it on the entire zxdb/sinclair right away, you can test it on some random entry number subdirectory instead which only you know. The risk of messing up something by that is really low.
Hope this helps.
And thank you very much for being so forthcoming, I really appreciate it.
Patrik
Re: Access files using both HTTP and HTTPS
Hi [mention]Patrik Rak[/mention]
I will give a folder a go later in the week.
Best wishes
Peter
I will give a folder a go later in the week.
Best wishes
Peter
-
- Microbot
- Posts: 116
- Joined: Mon Apr 13, 2020 3:07 pm
Re: Access files using both HTTP and HTTPS
Works great - the files as well as the directory can be accessed by both HTTP and HTTPS, and yet the redirects to HTTPS are still in effect for the rest of the site. Good job!PeterJ wrote: ↑Mon Apr 20, 2020 6:52 pm OK, try 0035380
http://spectrumcomputing.co.uk/zxdb/sin ... s/0035380/
Now it should be just a matter of moving it few dirs up so it applies to all entries and pokes.
Thanks again!
Patrik
Re: Access files using both HTTP and HTTPS
OK, great. Will do that tonight.
Could I ask that you link back to our site in some way so we get some 'free advertising'?
We are still relatively small so any mention is much appreciated.
Could I ask that you link back to our site in some way so we get some 'free advertising'?
We are still relatively small so any mention is much appreciated.
-
- Microbot
- Posts: 116
- Joined: Mon Apr 13, 2020 3:07 pm
Re: Access files using both HTTP and HTTPS
Sure, will do!
Re: Access files using both HTTP and HTTPS
OK. Give it a go now [mention]Patrik Rak[/mention]
-
- Microbot
- Posts: 116
- Joined: Mon Apr 13, 2020 3:07 pm
Re: Access files using both HTTP and HTTPS
Works great! I will update the config and announce it right away.
Thanks a bunch, I am sure people will appreciate it!
Patrik
Thanks a bunch, I am sure people will appreciate it!
Patrik
-
- Microbot
- Posts: 168
- Joined: Tue Nov 28, 2017 7:39 am
Re: Access files using both HTTP and HTTPS
It's not exactly the same as my case. I use always zxinfo.dk as the api query (spectrum computing uses this API), then, when I download some file that the api returns, I do the following:PeterJ wrote: ↑Mon Apr 20, 2020 7:49 am Hi,
If you speak to @chernandezba he has done something with his ZEsarUX emulator in regard to http / https issues. He was having similar issues to you
For security I want to keep with https only across the site. Sorry.
Please also note that some titles are only hosted here with agreement with the developers for access via SC. For example Zenobi. I can provide a list of these small number of cases.
-If there's https support compiled on ZEsarUX, the game is downloaded from Spectrum computing
-If there's not https support compiled, the game is downloaded from WOS. In this case, most of the downloads after 2013 will probably fail
Cheers
-
- Microbot
- Posts: 116
- Joined: Mon Apr 13, 2020 3:07 pm
Re: Access files using both HTTP and HTTPS
BTW, it seems that the enforced redirects are now back in effect. Tried to use ZXDB from ZXDS today, the WoS entries I was after were missing and the SC entries were denied because of unsupported certificate.
Re: Access files using both HTTP and HTTPS
Hi,Patrik Rak wrote: ↑Thu Jan 14, 2021 9:36 am BTW, it seems that the enforced redirects are now back in effect. Tried to use ZXDB from ZXDS today, the WoS entries I was after were missing and the SC entries were denied.
I imagine that is an impact of Clouldflare (and a number of other security measures). Once the server issues calm down again I will look at bringing it back.
Please see here:
viewtopic.php?p=55394#p55394
-
- Microbot
- Posts: 116
- Joined: Mon Apr 13, 2020 3:07 pm
Re: Access files using both HTTP and HTTPS
Ah, the eternal fight with the bots. I had my share of it back in the day. They eat whatever resources you offer, you can never win this way. The best way to deal with them is to throw them all to a separate throttled queue, so they are happy they can scan something, but do not steal resources from normal users.
Well, good luck and looking forward to the forced redirects being disabled again (BTW, if that makes you more comfortable, you can always set it so only ZXDS User Agent is exempted).
Well, good luck and looking forward to the forced redirects being disabled again (BTW, if that makes you more comfortable, you can always set it so only ZXDS User Agent is exempted).