Access files using both HTTP and HTTPS

Patrik Rak
Microbot
Posts: 116
Joined: Mon Apr 13, 2020 3:07 pm

Post by Patrik Rak »

Hello, simple question: would it be possible to exempt ZXDB entries from the forced HTTPS redirect?

I know it is a standard practice to accept HTTP requests and redirect them to their HTTPS counterparts globally, for the entire site. But it prevents clients which can't use HTTPS for one reason or another from accessing the files. So another common practice is actually to force the redirect only for the pages themselves, but allow dual access for chosen directories. The pages themselves still refer to the files using HTTPS, so the privacy of normal users is never compromised, however users who need it may choose to access the files using HTTP instead of HTTPS.

I am asking on behalf of ZXDS users who are stuck with the older 1.x version for Nintendo DS/DSi. The newer 2.x version for 3DS/2DS now supports HTTPS connections and can download entries from the ZXDB database. Of course, upgrading to the 3DS would be the best option, but I understand that not everyone can shell out for 3DS/2DS, so it seems plenty of users out there feel left behind.

If you allowed the dual access to ZXDB entries, I could adjust the relevant ZXDB config accordingly and those people could enjoy the latest ZXDB entries.

Thanks for considering this.

Patrik
PeterJ
Site Admin
Posts: 6873
Joined: Thu Nov 09, 2017 7:19 pm
Location: Surrey, UK

Re: Access files using both HTTP and HTTPS

Post by PeterJ »

Hi,

If you speak to @chernandezba he has done something with his ZEsarUX emulator in regard to http / https issues. He was having similar issues to you.

For security I want to keep with https only across the site. Sorry.

Please also note that some titles are only hosted here with agreement with the developers for access via SC. For example Zenobi. I can provide a list of these small number of cases.
Patrik Rak
Microbot
Posts: 116
Joined: Mon Apr 13, 2020 3:07 pm

Re: Access files using both HTTP and HTTPS

Post by Patrik Rak »

Thanks for the answer. Your site, your rules, I respect that. Although I am not sure which security exactly does allowing optional HTTP access forfeit as far as the server is concerned.

Best,

Patrik
PeterJ
Site Admin
Posts: 6873
Joined: Thu Nov 09, 2017 7:19 pm
Location: Surrey, UK

Re: Access files using both HTTP and HTTPS

Post by PeterJ »

Hi,

If anyone here has a deep understanding of LetsEncrypt and can offer to help, I'm happy to reconsider.

I just remember LetsEncrypt took me a long time to get right, so am nervous about changing and opening up to any vulnerability.

I remember we had issues where certain elements of the page were not https so it broke the certificate.

I'm not an expert in this area and ended up following a few tutorials.

I do want to help you.
Patrik Rak
Microbot
Posts: 116
Joined: Mon Apr 13, 2020 3:07 pm

Re: Access files using both HTTP and HTTPS

Post by Patrik Rak »

> PeterJ wrote: Mon Apr 20, 2020 3:13 pm
> I remember we had issues where certain elements of the page were not https so it broke the certificate.

Indeed, using http:// elements on a https:// page is really a big no-no. But that's not what is needed here. There is no need to set up a fully dual-access site, so you do not need to worry about this getting broken. In fact, there is no need to touch any webpages themselves or anything like that at all.

> PeterJ wrote: Mon Apr 20, 2020 3:13 pm
> I just remember LetsEncrypt took me a long time to get right, so am nervous about changing and opening up to any vulnerability.

Well, I have been setting up web servers since the late 90's, among other things, so let me help. I can understand your reluctance to change anything which runs just fine. That's perfectly right. However, since you already have the SSL certificate up and running, which is the hardest part, adding an exception for some subdirectories is not that hard. Let me explain.

As you can verify yourself, if you go to http://spectrumcomputing.co.uk, you get automatically redirected to the https:// counterpart. This means that you are in fact already accepting connections for HTTP, but they are just redirected. Seeing you are using Apache, it means that you have a global redirect of some sort like this somewhere in your config or in the root `.htaccess` file:

```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
```

The rewrite engine is the most common way of manipulating URLs and achieving this type of thing. The snippet above basically says "if https is off, do the rewrite below", and the rewrite below essentially says "use the same URL, but now using the HTTPS scheme".

So, to disable this redirect for some part of the site, like the /zxdb/sinclair subdirectory, all that is needed is to disable the rewrite engine for that directory. The easiest way is to add the `.htaccess` file directly in that directory. So, if you create a file `.htaccess` in there and put in

```apache
RewriteEngine Off
```

chances are it is all that is needed. I am saying "chances are", because chances also are that you may have `.htaccess` files disabled for some or all subdirectories, which would prevent this from being applied. But you can try this first and see if it works, and we can move from there. By working I mean you can access some of the files in there using http:// and you get it downloaded without getting redirected to the https:// first.

BTW, if you don't feel confident enough to test it on the entire zxdb/sinclair right away, you can test it on some random entry number subdirectory instead which only you know. The risk of messing up something by that is really low.

Hope this helps.

And thank you very much for being so forthcoming, I really appreciate it.

Patrik
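The check described in the post above (request a file over http:// and confirm it is served without a redirect, while the rest of the site still redirects) can be scripted so that a later server change does not silently widen or drop the exemption. This is an added example, not code from the thread: the local stand-in server, `example.invalid` and the sample paths are constructed, and only the `/zxdb/sinclair/` prefix comes from the post.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

EXEMPT_PREFIX = "/zxdb/sinclair/"  # the directory named in the post
SAMPLE_PATHS = ["/", "/forums/", "/zxdb/sinclair/sample-entry/file.tap"]  # constructed

class StandInSite(BaseHTTPRequestHandler):
    """Constructed local stand-in for the described policy, not the real server."""
    def do_HEAD(self):
        if self.path.startswith(EXEMPT_PREFIX):
            self.send_response(200)   # exempt directory: answered over plain HTTP
        else:
            self.send_response(302)   # everything else: sent to the HTTPS counterpart
            self.send_header("Location", "https://example.invalid" + self.path)
        self.end_headers()

    def log_message(self, *args):     # silence per-request logging
        pass

def classify(host, port, path):
    """HEAD one path over plain HTTP; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        location = resp.getheader("Location", "")
    finally:
        conn.close()
    if resp.status in (301, 302, 307, 308) and location.startswith("https://"):
        return "redirects-to-https"
    return "served-over-http" if resp.status == 200 else "other-%d" % resp.status

def audit(host, port, paths, exempt_prefix=EXEMPT_PREFIX):
    """Return (path, wanted, observed) for every path that breaks the policy."""
    problems = []
    for path in paths:
        want = "served-over-http" if path.startswith(exempt_prefix) else "redirects-to-https"
        got = classify(host, port, path)
        if got != want:
            problems.append((path, want, got))
    return problems

def run_demo(exempt_prefix=EXEMPT_PREFIX):
    server = HTTPServer(("127.0.0.1", 0), StandInSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit("127.0.0.1", server.server_port, SAMPLE_PATHS, exempt_prefix)
    finally:
        server.shutdown()
        server.server_close()
```

Against a real site, `audit()` would be called with the site's hostname, port 80 and a list of known paths; an empty result means the plain-HTTP surface is exactly the intended directory and nothing more.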
PeterJ
Site Admin
Posts: 6873
Joined: Thu Nov 09, 2017 7:19 pm
Location: Surrey, UK

Re: Access files using both HTTP and HTTPS

Post by PeterJ »

Hi @Patrik Rak

I will give a folder a go later in the week.

Best wishes

Peter
PeterJ
Site Admin
Posts: 6873
Joined: Thu Nov 09, 2017 7:19 pm
Location: Surrey, UK

Re: Access files using both HTTP and HTTPS

Post by PeterJ »

Patrik Rak
Microbot
Posts: 116
Joined: Mon Apr 13, 2020 3:07 pm

Re: Access files using both HTTP and HTTPS

Post by Patrik Rak »

> PeterJ wrote: Mon Apr 20, 2020 6:52 pm
> OK, try 0035380
>
> http://spectrumcomputing.co.uk/zxdb/sin ... s/0035380/

Works great - the files as well as the directory can be accessed by both HTTP and HTTPS, and yet the redirects to HTTPS are still in effect for the rest of the site. Good job!

Now it should be just a matter of moving it a few dirs up so it applies to all entries and pokes.

Thanks again!

Patrik
PeterJ
Site Admin
Posts: 6873
Joined: Thu Nov 09, 2017 7:19 pm
Location: Surrey, UK

Re: Access files using both HTTP and HTTPS

Post by PeterJ »

OK, great. Will do that tonight.

Could I ask that you link back to our site in some way so we get some 'free advertising'?

We are still relatively small so any mention is much appreciated.
Patrik Rak
Microbot
Posts: 116
Joined: Mon Apr 13, 2020 3:07 pm

Re: Access files using both HTTP and HTTPS

Post by Patrik Rak »

Sure, will do!
PeterJ
Site Admin
Posts: 6873
Joined: Thu Nov 09, 2017 7:19 pm
Location: Surrey, UK

Re: Access files using both HTTP and HTTPS

Post by PeterJ »

OK. Give it a go now @Patrik Rak
Patrik Rak
Microbot
Posts: 116
Joined: Mon Apr 13, 2020 3:07 pm

Re: Access files using both HTTP and HTTPS

Post by Patrik Rak »

Works great! I will update the config and announce it right away.

Thanks a bunch, I am sure people will appreciate it!

Patrik
chernandezba
Microbot
Posts: 168
Joined: Tue Nov 28, 2017 7:39 am

Re: Access files using both HTTP and HTTPS

Post by chernandezba »

> PeterJ wrote: Mon Apr 20, 2020 7:49 am
> Hi,
>
> If you speak to @chernandezba he has done something with his ZEsarUX emulator in regard to http / https issues. He was having similar issues to you
>
> For security I want to keep with https only across the site. Sorry.
>
> Please also note that some titles are only hosted here with agreement with the developers for access via SC. For example Zenobi. I can provide a list of these small number of cases.

It's not exactly the same as my case. I always use zxinfo.dk as the API query (Spectrum Computing uses this API), then, when I download some file that the API returns, I do the following:

- If there's https support compiled on ZEsarUX, the game is downloaded from Spectrum Computing
- If there's not https support compiled, the game is downloaded from WOS. In this case, most of the downloads after 2013 will probably fail


Cheers
Patrik Rak
Microbot
Posts: 116
Joined: Mon Apr 13, 2020 3:07 pm

Re: Access files using both HTTP and HTTPS

Post by Patrik Rak »

BTW, it seems that the enforced redirects are now back in effect. Tried to use ZXDB from ZXDS today, the WoS entries I was after were missing and the SC entries were denied because of an unsupported certificate. :(
PeterJ
Site Admin
Posts: 6873
Joined: Thu Nov 09, 2017 7:19 pm
Location: Surrey, UK

Re: Access files using both HTTP and HTTPS

Post by PeterJ »

> Patrik Rak wrote: Thu Jan 14, 2021 9:36 am
> BTW, it seems that the enforced redirects are now back in effect. Tried to use ZXDB from ZXDS today, the WoS entries I was after were missing and the SC entries were denied. :(

Hi,

I imagine that is an impact of Cloudflare (and a number of other security measures). Once the server issues calm down again I will look at bringing it back.

Please see here:

viewtopic.php?p=55394#p55394
Patrik Rak
Microbot
Posts: 116
Joined: Mon Apr 13, 2020 3:07 pm

Re: Access files using both HTTP and HTTPS

Post by Patrik Rak »

Ah, the eternal fight with the bots. I had my share of it back in the day. They eat whatever resources you offer, you can never win this way. The best way to deal with them is to throw them all to a separate throttled queue, so they are happy they can scan something, but do not steal resources from normal users.

Well, good luck and looking forward to the forced redirects being disabled again (BTW, if that makes you more comfortable, you can always set it so only the ZXDS User Agent is exempted).