Wednesday, 26 December 2018

Are certbot certificates safe on a Laravel 5 app?

I installed certbot certificates on my Laravel 5.7 app, and I have:

 # certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.votes.nilov-sergey-demo-apps.tk
    Domains: www.votes.nilov-sergey-demo-apps.tk
    Expiry Date: 2019-03-23 12:31:35+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/www.votes.nilov-sergey-demo-apps.tk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.votes.nilov-sergey-demo-apps.tk/privkey.pem
  Certificate Name: votes.nilov-sergey-demo-apps.tk
    Domains: votes.nilov-sergey-demo-apps.tk www.votes.nilov-sergey-demo-apps.tk
    Expiry Date: 2019-03-23 12:26:54+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/votes.nilov-sergey-demo-apps.tk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/votes.nilov-sergey-demo-apps.tk/privkey.pem

I used the command

sudo certbot --apache -d votes.nilov-sergey-demo-apps.tk -d www.votes.nilov-sergey-demo-apps.tk

for this.

In my .env file I modified the row:

APP_URL=https://www.votes.nilov-sergey-demo-apps.tk

and in the file public/.htaccess I added lines for HTTPS support. I hoped that with these changes any non-HTTPS request would be redirected to https://www.url

<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews -Indexes
    </IfModule>

    RewriteEngine On

    # Handle Authorization Header
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # I ADDED THESE 2 LINES !
    RewriteCond %{HTTPS} !=on
    RewriteRule ^.*$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>

I made some checks and it seems it does not always work as I expected. Opening a backend page, say

https://www.votes.nilov-sergey-demo-apps.tk/admin/vote/edit/19

if I manually remove https://www. from the URL, the page is redirected to https://www.votes.nilov-sergey-demo-apps.tk/admin/vote/edit/19

But if I manually remove www. from the URL, I get the error:

Your connection is not private
Attackers might be trying to steal your information from votes.nilov-sergey-demo-apps.tk (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID

I am not sure whether it is safe, and which steps do I have to take to be sure that my site is always on a safe https URL?

Thanks!



via Chebli Mohamed
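
An added example, not part of the original post: it takes the name and domain lines from the `certbot certificates` listing above plus a simplified model of the two added rewrite lines, and reports, for each way of entering the site, which host the browser ends up on and which listed certificate covers that host. The function names and the redirect model are assumptions made for this illustration; the browser validates the certificate during the TLS handshake, before Apache evaluates any rewrite rule, so a redirect cannot repair a name the served certificate does not list.

```python
# Name/domain lines taken from the `certbot certificates` listing in the post.
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: www.votes.nilov-sergey-demo-apps.tk
    Domains: www.votes.nilov-sergey-demo-apps.tk
  Certificate Name: votes.nilov-sergey-demo-apps.tk
    Domains: votes.nilov-sergey-demo-apps.tk www.votes.nilov-sergey-demo-apps.tk
"""

def parse_certs(text):
    """Return {certificate name: set of domains} from `certbot certificates` output."""
    certs, name = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Certificate Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Domains:") and name:
            certs[name] = set(line.split(":", 1)[1].split())
    return certs

def covers(domains, host):
    """True if host matches a listed name exactly or via a single-label wildcard."""
    host = host.lower()
    for d in domains:
        d = d.lower()
        if d == host:
            return True
        if d.startswith("*.") and "." in host and host.split(".", 1)[1] == d[2:]:
            return True
    return False

def redirect_target(scheme, host):
    """Assumed model of the two added .htaccess lines: plain-HTTP requests are
    sent to https://www.<Host header>; HTTPS requests are left alone."""
    return host if scheme == "https" else "www." + host

def audit(certs, entry_points):
    """For each (scheme, host), report the final host and which certs cover it."""
    report = {}
    for scheme, host in entry_points:
        final = redirect_target(scheme, host)
        report[(scheme, host)] = (final, sorted(n for n, d in certs.items() if covers(d, final)))
    return report

if __name__ == "__main__":
    base = "votes.nilov-sergey-demo-apps.tk"
    entries = [(s, h) for s in ("http", "https") for h in (base, "www." + base)]
    for (scheme, host), (final, names) in audit(parse_certs(CERTBOT_OUTPUT), entries).items():
        print(f"{scheme}://{host} -> https://{final}  covered by: {names or 'NO CERT'}")
```

In this model a plain-HTTP request that already carries the www. prefix is sent to a www.www. name that neither listed certificate covers, and the bare host over HTTPS is covered only by the second certificate in the listing.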
