I have just installed OpenCart 2.2 on my website today, running on an Apache server, running PHP Version 7.0.8.
The website already has an SSL certificate installed, and I can visit the shopping catalogue via:
https://example.com/printshop/index.php
I want the whole setup to run on SSL, so I have edited the relevant config files as follows:
https://example.com/printshop/config.php
// HTTP
define('HTTP_SERVER', 'https://example.com/printshop/');
// HTTPS
define('HTTPS_SERVER', 'https://example.com/printshop/');
https://example.com/printshop/admin/config.php
// HTTP
define('HTTP_SERVER', 'https://example.com/printshop/admin/');
define('HTTP_CATALOG', 'https://example.com/printshop/');
// HTTPS
define('HTTPS_SERVER', 'https://example.com/printshop/admin/');
define('HTTPS_CATALOG', 'https://example.com/printshop/');
The problem I am having is that the pages are not 100% secure because the form action is pointing to a non secure URL - e.g.
<form action="http://example.com/printshop/index.php?route=common/currency/currency" method="post" enctype="multipart/form-data" id="form-currency">
The same applies to the login form (i.e. it's action is pointing to http not https):
https://example.com/printshop/admin/index.php?route=common/login
And from any page, the print shop logo (held in <div id="logo">) returns the user to a non HTTPS page.
Apart from changing the URLs in the config files as I have already done, is there no global setting anywhere which allows me to sets the URL of the installation?
Updated to include solution
Thanks to advice from #Vipul Jethva, I got a solution for this.
Edit /system/library/url.php
Change code from:
public function link($route, $args = '', $secure = false) {
if ($this->ssl && $secure) {
$url = 'https://' . $_SERVER['HTTP_HOST'] . rtrim(dirname($_SERVER['SCRIPT_NAME']), '/.\\') . '/index.php?route=' . $route;
} else {
$url = 'http://' . $_SERVER['HTTP_HOST'] . rtrim(dirname($_SERVER['SCRIPT_NAME']), '/.\\') . '/index.php?route=' . $route;
}
...
}
To:
public function link($route, $args = '', $secure = true) {
if ($this->ssl && $secure) {
$url = 'https://' . $_SERVER['HTTP_HOST'] . rtrim(dirname($_SERVER['SCRIPT_NAME']), '/.\\') . '/index.php?route=' . $route;
} else {
$url = 'https://' . $_SERVER['HTTP_HOST'] . rtrim(dirname($_SERVER['SCRIPT_NAME']), '/.\\') . '/index.php?route=' . $route;
}
...
}
Plus make sure to update config.php in the root of your installation, and admin/config.php to also point to https.
s ,
There is following code on controller file.
$this->url->link('common/home');
You need to pass last two parameter like,
$this->url->link('common/home','',true);
Last two parameter is using for SSL.
If you need to check code for it. Then got System -> Library -> Url.php file.
Default $secure parameter is false.
Either you will make default $secure parameter = true or make last parameter on the controller file.
Hope this will help you.
Related
I want to load some scripts only when traffic from a particular hostname.
For example:
I will load a script when blog traffic from www.mywebsite2.com. How can I do that? I tried a lot but still couldn't find anything related to that.
Here are some codes that I have tried.
<b:if cond='"referrer" == "www.mywebsite2.com"'>
<script>...</script>
<b:else/>
<script>...</script>
</b:if>
How can i use the referrer in that.
You can detect if a link was opened from certain site if the link on that site does not have rel="noopener" value.
For example, your site domain is http://0.example.com and your referrer site domain is http://1.example.com.
In referrer site, a user was clicking a link:
link
From your site, you could detect the incoming traffic this way:
if (window.opener && window.opener.location.hostname === '1.example.com') {
// Run the script for `http://1.example.com`
}
To load external script under that conditional block, you could try AJAX or generic DOM insertion:
Method 1:
// Run the script for `http://1.example.com`
fetch('http://0.example.com/script.js').then(response => response.text()).then(text => {
let script = document.createElement('script');
script.textContent = text;
document.head.appendChild(script);
// Other script goes here ...
});
Method 2:
// Run the script for `http://1.example.com`
let script = document.createElement('script');
script.src = 'http://0.example.co./script.js';
document.head.appendChild(script);
script.addEventListener('load', e => {
// Other script goes here ...
});
I'm trying to load http://google.com in iframe with "file://" domained page. Ofcourse i got "Google.com did not allow" error.
I already tried reverse proxy but i think reverse proxy does it not make sense.
After then, i'm researched over a few hours about disable or bypass the "Cross origin policy" in webkit gtk.
I tried some solutions in this manual page, https://webkitgtk.org/reference/webkit2gtk/stable/WebKitSettings.html
so, i tried to add this block in WebKitSettings
WebKitSettings *settings =
webkit_web_view_get_settings(WEBKIT_WEB_VIEW(webview));
webkit_settings_set_allow_file_access_from_file_urls(settings, true);
webkit_settings_set_allow_file_access_from_file_urls(settings,true);
but it does not work. I still can't connect to google.com (or any cors protected website) in iframe.
According to my last research, Webkit GTK manual there is a few little trick about this.
It is mentioned as property
(allow-file-access-from-file-urls)
but i can't figure it out how to implement my code.
Editing:
i add this line in my code
webkit_settings_set_allow_universal_access_from_file_urls(settings,true);
now i also got "Connection refused in a frame because it set X-Frame-Options to SAMEORIGIN" error.
How can i set it in webkitgtk for cross origin ?
As already pointed out in the comments, CORS policy can't be bypassed.
You won't be able to load in an iframe any site that is properly configured to prevent that.
The only way to get around this would be to make a server-side request from a website you own to the website you'd like to display, have your site configured with the correct X-Frame-Options and make it return what it fetched from the site that should be displayed.
A sort of proxy, that still is hugely error-prone.
I made a quick proof of concept in PHP.
At https://lucasreta.com/test/google.com we have the following script, which retrieves the contents of google.com, parses and displays them:
<?php
$url = "https://www.google.com";
$request = curl_init();
curl_setopt_array($request, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTPHEADER => [
"Content-Type: text/html; charset=UTF-8"
]
]);
$return = curl_exec($request);
curl_close($request);
header('Content-Type: text/html; charset=UTF-8');
# after setting headers, we echo the response
# obtained from the site to display and tweak it
# a bit in order to fix local urls
echo str_replace("=\"/", "=\"$url", $return);
And at https://lucasreta.com/test/google.com/iframe we include what is returned above in our iframe:
<style>
* {font-family: sans-serif}
iframe {width: 90%; height: 85vh;}
</style>
<h1>Google in an iframe</h1>
<iframe src="../"></iframe>
I'm really out of my element here when it comes to networking.
I have an EC2 server running linux, which has an active flask API running.
I have a PHP function on a shared hostgator server:
function sendAPI($threadid, $teamid) {
$url = "http://ec2-...amazonaws.com:9999/api2?id1=" . $teamid . "&thread=" . $threadid;
$ch = curl_init();
$optArray = array(
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true
);
curl_setopt_array($ch, $optArray);
$result = curl_exec($ch);
curl_close($ch);
return $result;
}
Similar function works without issue with the telegram API server:
function sendMessage($chatID, $messaggio, $token) {
$url = "https://api.telegram.org/bot" . $token . "/sendMessage?chat_id=" . $chatID;
$url = $url . "&text=" . urlencode($messaggio);
$ch = curl_init();
$optArray = array(
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true
);
curl_setopt_array($ch, $optArray);
$result = curl_exec($ch);
curl_close($ch);
return $result;
}
When navigating to http://ec2-...amazonaws.com:9999/api2?id1=1&thread=1 from my own web browser, the API picks up the request successfully.
Inbound rules on EC2 instance:
Note, website IP, also the same IP is listed in CPanel:
Domain Name: novociv.org Top Level Domain: ORG (Organization) DNS
Lookup IP Address: 108.167.142.88
From my limited knowledge of networking, this should all work correctly. However, when the PHP function is called it returns a null result and the EC2 server does not react. I don't know how to troubleshoot from here because I don't know where to find any error messages. I would guess that the EC2 is simply blocking traffic from the external server, but I don't know what's wrong (if anything) with my inbound rules since the EC2 successfully picks up requests from my laptop.
It turns out that hostgator does not have port 9999 open by default. The problem can be solved by either requesting hostgator open port 9999 on this server, or else by moving the flask application to a different port which is already open.
When a user comes into my app via an apprequest, Facebook appends a request_id to the URL.
I am trying to access this object before the user authorizes my application. When I try to make the api call:
FB.api('/'+requestId, function(response){ console.log(response); });
it returns the following:
error: Object
message: "An access token is required to request this resource."
But I should have access since it was my app that sent the request in the first place!
I did some digging, and I noticed that on the PHP side, it will use the user_access_token if available, and the app_access_token otherwise.
Is this a security limitation (i.e: cannot expose the app_access_token on the client side) or am I doing something wrong?
Any insight would be helpful. Thanks!
when you make a request to /{user_id}/apprequests you have to have authorized the user already...
Since the request was created by your application - only your application can manage -ie delete or read requests that were sent. Essentially, before the user authorizes you app he/she is anonymous to your application - therefore it would not be possible to read that users requests because you "dont know" who they are...
Hope this helps...
The following blog posts describes how to interact with requests and should hopefully answer your questions.
http://developers.facebook.com/blog/post/464
<?php
$app_id = 'YOUR_APP_ID';
$app_secret = 'YOUR_APP_SECRET';
$token_url = "https://graph.facebook.com/oauth/access_token?" .
"client_id=" . $app_id .
"&client_secret=" . $app_secret .
"&grant_type=client_credentials";
$access_token = file_get_contents($token_url);
$signed_request = $_REQUEST["signed_request"];
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
$data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
$user_id = $data["user_id"];
//Get all app requests for user
$request_url ="https://graph.facebook.com/" .
$user_id . "/apprequests?" .
$access_token;
$requests = file_get_contents($request_url);
//Print all outstanding app requests
echo '<pre>';
print_r($requests);
echo '</pre>';
//Process and delete app requests
$data = json_decode($requests);
foreach($data->data as $item) {
$id = $item->id;
$delete_url = "https://graph.facebook.com/" .
$id . "?" . $access_token . "&method=delete";
$result = file_get_contents($delete_url);
echo("Requests deleted? " . $result);
}
?>
You have access to the app generated requests as the user follows the request via your app token but you need the user token to access the rest of the users requests.
I'm running a django installation on lighttpd +FCGI.
Everything works fine except the admin.
It seems that the redirects after I post something (i.e. I modify sor create an instance of a model) go wrong.
The admin keeps redirecting me to www.xyz.com/django.fcgi/admin/... while django.fcgi should be used only by the lighttp rewrite rule to invoke FCGI.
Here's the redirection in the conf file
url.rewrite-once = (
"^(/media.*)$" => "$1",
"^/favicon\.ico$" => "/media/favicon.ico",
"^(/.*)$" => "/django.fcgi$1",
)
how can I fix this?
The admin site is trying to work out the URL to use based on the SCRIPT_NAME variable passed by lighttpd, but that's the rewritten URL, not the original one. You can force Django to use the original path by adding the following to your settings.py file.
FORCE_SCRIPT_NAME = ""
See the FORCE_SCRIPT_NAME documentation and the Django FastCGI docs for more information.