Bug #2245
closedDomain mapping issues -- Site warnings
0%
Description
I've received a few comments from member sites that use domain mapping. What seems to be happening is that browsers are putting up red "This is probably not the site you are looking for" messages of the type displayed in the attached image (which is not from our site). I've had the most reports about zeteojournal.com and have seen this in action myself. One of the two images attached to this message is specific to zeteojournal.com
When I asked one reporter to give me his browser/OS details using http://supportdetails.com/, he sent along the following info about his setup:
OS Type,OS Version,Browser Type,IP Address,Javascript Enabled,Cookies Enabled,Color Depth,Screen Resolution,Browser Window Size,Flash Version,User Agent
Microsoft,Windows 7,Chrome,157.150.62.2,Yes,Yes,32,1366 x 768,1366 x 635,11.4.31,"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
Is there anything we can do to prevent this?
Files
Updated by Boone Gorges about 12 years ago
- Assignee changed from Boone Gorges to Dominic Giglio
My guess is that the domain mapping plugin is incorrectly configured, though I don't know how.
Dom, would you mind researching this a bit? What criteria is Google etc using to flag sites like this? How does Google know that it's a commons site when all assets should have mapped domains? And do you see any mention in the wordpress.org support forums of domain mapping causing this kind of problem?
André, I've copied you on this ticket in case you have any insight, and on the chance that this is a server-level config issue.
Updated by local admin about 12 years ago
- Status changed from Assigned to Reporter Feedback
It's probably very simple: users are more than likely reaching (for example) zeteojournal.com via HTTPS and the SSL certificate in use by the commons lists on commons.gc.cuny.edu and it's sub-domains. Thus users see a certificate error.
We should confirm that users are reaching the websites in question via HTTPS and if this is indeed the case then "case closed".
Updated by Boone Gorges about 12 years ago
- Status changed from Reporter Feedback to Assigned
Ah. Yeah, if it's an SSL issue, then we should be doing a better job with .htaccess rules that ensure that no one attempts to visit an https version of a page located on a mapped domain. Dom, do you know anything about .htaccess redirects? This would be a good chance to learn :) Logic: if a request url doesn't start with commons.gc.cuny.edu or *.commons.gc.cuny.edu, and it does start with https, redirect to the http correlate.
Updated by Dominic Giglio about 12 years ago
- Target version set to 1.4.11
I've wanted to learn more about .htaccess for a while but haven't had a real need to. This is definitly an SSL cert mismatch error. Those red warnings (which are quite rude and alarming for normal users) are displayed just like Andre explained. When you try to visit https://example.com and some form of rewrite or redirection sends the browser to another page with a different SSL cert - the browser is programmed to think it's being hijacked. I'm pretty sure it's a man-in-the-middle security precaution.
I will investigate and see what I can come up with. htaccess is a pretty big topic, please give me just a little extra time on this one. :-)
Updated by Boone Gorges about 12 years ago
Cool, thanks Dom. Here are the docs you'll need, specifically RewriteMatch: http://httpd.apache.org/docs/current/mod/mod_alias.html The only trick will be to figure out the regex :)
Updated by Dominic Giglio about 12 years ago
Thanks Boone, been needing to brush up on my question marks, periods and asterisks as well!! :-)
Updated by Dominic Giglio about 12 years ago
Been reading up on htaccess and ssl related rewriting and redirecting.
Found a stackoverflow article that discusses a similar redirect issue:
http://stackoverflow.com/questions/3717799/redirecting-https-to-http-via-htaccess?rq=1
The proposed solution is to add this to htaccess:
RewriteCond %{SERVER_PORT} ^443$ RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]
However, I can't test this locally because I have no form of SSL setup. Does cdev use the same SSL as the commons? I tried visiting https://cdev.gc.cuny.edu
but I get the following error in Chrome:
Error 118 (net::ERR_CONNECTION_TIMED_OUT): The operation timed out.
Where can I test SSL changes to our htaccess file?
Updated by Boone Gorges about 12 years ago
Maybe André can set cdev up with a self-signed certificate, so we can test there.
In any case, Dom, that rule won't be enough. That'll prevent users from requesting any https URL. You need to add another RewriteCond along these lines:
RewriteCond %{HTTP_HOST} !(.*?\.)?commons\.gc\.cuny\.edu$
This is totally off the top of my head, and is almost guaranteed not to work :), but it gives you the idea: we need to test whether you're requesting a non-*.commons.gc.cuny.edu.
Updated by Dominic Giglio about 12 years ago
Thanks Boone.
Sorry, I shoulda been a little more clear, that would be the regex that I start testing with. Without testing feedback on what does and does not redirect I couldn't put anything more descriptive into the update. :-)
I think a self signed cert on cdev would work great.
Updated by local admin about 12 years ago
Guys, cdev already has ssl enabled and a legit, valid certificate installed but also a local firewall blocking port 443 : )
Also I had the web server reserving the ssl vhost to the Fedora Commons installation (institutional repository software).
I'll take a look and set this up for you guys tomorrow, ok?
Updated by Dominic Giglio about 12 years ago
Thanks Andre. I'm in class all day today. So I'll either test when I get home tonight or tomorrow afternoon.
Updated by Dominic Giglio about 12 years ago
Boone,
Is cdev available for testing?
Updated by Dominic Giglio about 12 years ago
- Target version changed from 1.4.11 to 1.4.12
Not gonna have time to test this until after the 1.4.11 release tonight.
Will resolve as part of 1.4.12.
Updated by Dominic Giglio almost 12 years ago
- Target version changed from 1.4.12 to 1.4.13
Updated by Boone Gorges almost 12 years ago
- Target version changed from 1.4.13 to 1.4.14
Updated by Boone Gorges almost 12 years ago
- Target version changed from 1.4.14 to 1.4.15
Updated by Matt Gold almost 12 years ago
- Priority name changed from Normal to High
- Severity set to High impact
Hi Guys -- I'm bumping the priority/severity on this because it affects some of our high-profile sites. If we can't get to it before the update on the 11th, that's fine, but I think we should try to resolve this by then if we can.
Updated by Boone Gorges almost 12 years ago
I've disabled FORCE_SSL_LOGIN for domains other than *.commons.gc.cuny.edu
. That should have the effect of removing most cases where the user would end up on an https version of a page.
It doesn't appear to be possible to prevent this particular problem with .htaccess. I'm guessing that, by the time the .htaccess file has been read, the browser has already checked the SSL provenance. André, do you have any insight into this?
Updated by local admin almost 12 years ago
André, do you have any insight into this?
Browser behavior is notoriously hard to predict, but I think your original idea of redirecting with an htaccess rule is reasonable and worth a try.
having said that, perhaps just having disabled FORCE_SSL_LOGIN for domains other than *.commons.gc.cuny.edu
should probably be enough. After all how is anyone going to end up on the https address anyway?
Other than that we could always tell custom domains to BYOSC (bring your own ssl certificate :-)
Updated by Boone Gorges almost 12 years ago
- Status changed from Assigned to Resolved
I think your original idea of redirecting with an htaccess rule is reasonable and worth a try.
I tried it, and couldn't make it work. I think that the browser is checking the SSL authority before the request ever gets to the server, so Apache-level rules don't do any good.
Other than that we could always tell custom domains to BYOSC (bring your own ssl certificate :-)
I think it's reasonable to do this down the road, yeah.
perhaps just having disabled FORCE_SSL_LOGIN for domains other than *.commons.gc.cuny.edu should probably be enough
+1. I think it's about as good as we'll do for now. Let's go with it for now and see if we continue to get reports.
Updated by Matt Gold almost 12 years ago
cool. I'll let the original reporters know and pass on the word when/if the issues arise again.