LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices



Reply
 
Search this Thread
Old 12-20-2007, 12:58 PM   #1
awreneau
LQ Newbie
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 29

Rep: Reputation: 15
redirect http to https


my subject is a bit misleading but the explanation is too lengthy. I'll attempt to be brief but accurate.

We have an app that still only supports 40 bit encryption and the upgrades are not available for installation yet.

I have an Apache Reverse Proxy running and it's fine all pages are working with the exception of the log off script.

If you mouseover the Logoff link it points to https://myservername.com/Msswc/Logout however, when you click the link you wind up at http://myservername.com:443/. And Firefox tells you this wont work as follows:

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.


IE just has a white page.


Now if I take the reverseproxy out of the equation, IE will take you back to the login screen, FF wont even load it w/o some about:config mods to allow low encryption but thats not important.

My question is can I redirect http://myservername.com:443/ to https://myservername..com:443/ w/ a Redirect statement in the vhost file?

I've tried the following:
Redirect /Msswc/Logout https://myservername.com

But it doensnt work.

Willing to try ReWrite if someone can help w/ that, everything Ive tried thusfar w/ ReWrite has also failed.

Help would be greatly appreciated!
 
Old 12-20-2007, 01:18 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
well i'd suggest working on the acutal problem you have... if a link says https:// but you end up on http:// then something is seriously screwed. take that original url and run (for example) "wget -vk https://thaturlhere.com" and see what that actually retruns. for you to end up on aan http connection from that you'd need to be getting something like an http 302 redirection message from it, there's no other point in the process which has the right to change the address.
 
Old 12-20-2007, 02:13 PM   #3
David1357
Senior Member
 
Registered: Aug 2007
Location: South Carolina, U.S.A.
Distribution: Ubuntu, Fedora Core, Red Hat, SUSE, Gentoo, DSL, coLinux, uClinux
Posts: 1,302
Blog Entries: 1

Rep: Reputation: 107Reputation: 107
Quote:
Originally Posted by awreneau View Post
If you mouseover the Logoff link it points to https://myservername.com/Msswc/Logout however, when you click the link you wind up at http://myservername.com:443/.
Look at the files in "/var/log/apache2". The "ssl_engine.log" file should have good debugging information about what is happening. The other logs will also be informative.
 
Old 12-20-2007, 02:13 PM   #4
awreneau
LQ Newbie
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 29

Original Poster
Rep: Reputation: 15
That would certainly be the first fix, but it's not as cut and dry as it may seem.

The app runs on an AS400, and I have no rights on that box. The app is very old and in need of desperate upgrading and Apache Reverse proxy was the band aid until the app was upgraded. It runs 40 Bit encryption and FF 2.x and IE7 (on vista) choke at that bit level.

IE 7 on XP and below never even cough at the low levels of encryption.

The Logout script is running but it's being redirected somewhere on the backend.

The results of wget -vK https://myservername/com/Msswc/Logout

HTTP request sent, awaiting response... 503 Service Unavailable
14:09:41 ERROR 503: Service Unavailable.



So, back to the redirect, rewrite option.....

Ideas?
 
Old 12-20-2007, 02:20 PM   #5
David1357
Senior Member
 
Registered: Aug 2007
Location: South Carolina, U.S.A.
Distribution: Ubuntu, Fedora Core, Red Hat, SUSE, Gentoo, DSL, coLinux, uClinux
Posts: 1,302
Blog Entries: 1

Rep: Reputation: 107Reputation: 107
Quote:
Originally Posted by awreneau View Post
So, back to the redirect, rewrite option.....
I would really like to see the logs before we punt and start hacking.
 
Old 12-20-2007, 02:42 PM   #6
awreneau
LQ Newbie
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 29

Original Poster
Rep: Reputation: 15
Which log might that be?

In the interim, I've copied snippets from the vhost file and supplied info about the server environment

Running Ubuntu 6.06-1 LTS
Server version: Apache/2.0.55
Server built: Aug 16 2007 22:20:04
mod-proxy-html
libapahce-mod-ssl
ports.conf listens on 80 and 443

Mods enabled are:
cache.load
cgid.conf
cgid.load
disk_cache.load
proxy.conf
proxy_html.load
proxy.load
ssl.conf
ssl.load
userdir.conf
userdir.load

Some of the mods are default....


VHOST FILE

NamevirtualHost *:443

<VirtualHost *:443>

DocumentRoot /var/www/

ServerName myservername.com:443

SSLEngine On
SSLCertificateFile /etc/apache2/ssl//exported-public-key-der-07.crt
SSLCertificateKeyFile /etc/apache2/ssl//exported-private-key-07-pkcs8.key
SSLCACertificateFile /etc/apache2/ssl//other/intermediateCA.cer



ProxyPass / https://myservername.com/
ProxyPassReverse / https://myservername.com/

CustomLog /var/log/apache2/https-access.log combined
ErrorLog /var/log/apache2/https-error.log


SSLProxyEngine On
SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

ProxyHTMLLogVerbose On
LogLevel Debug

CacheEnable disk /
CacheRoot "/var/cache/myservername.com"

Redirect /Msswc/Logout https://myservername.com


</VirtualHost>

NamevirtualHost *:80
<VirtualHost *:80>

DocumentRoot /var/www/

ServerName myservername.com:80

ProxyPass / http://myservername.com/
ProxyPassReverse / http//myservername.com/



CustomLog /var/log/apache2/http-access.log combined
ErrorLog /var/log/apache2/http-error.log

</VirtualHost>
 
Old 12-20-2007, 03:05 PM   #7
David1357
Senior Member
 
Registered: Aug 2007
Location: South Carolina, U.S.A.
Distribution: Ubuntu, Fedora Core, Red Hat, SUSE, Gentoo, DSL, coLinux, uClinux
Posts: 1,302
Blog Entries: 1

Rep: Reputation: 107Reputation: 107
Quote:
Originally Posted by awreneau View Post
Which log might that be?
Your httpd.conf (or apache.conf) will show you where to look for your logs. Mine are in "/var/log/apache". If you cannot find your logs by reading your configuration file, use the "find" command starting in "/".

If you are not looking at your Apache logs to debug this problem, you are ignoring a valuable debugging tool.
 
Old 12-20-2007, 03:19 PM   #8
awreneau
LQ Newbie
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 29

Original Poster
Rep: Reputation: 15
tail of the access and error logs


tail -f mmohttps-error.log
[Thu Dec 20 14:09:31 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_io.c(1675): +-------------------------------------------------------------------------+
[Thu Dec 20 14:09:31 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/proxy/proxy_http.c(1574): proxy: end body send
[Thu Dec 20 14:09:41 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_io.c(1708): OpenSSL: I/O error, 5 bytes expected to read on BIO#81ca8d0 [mem: 81d20e0]
[Thu Dec 20 14:09:41 2007] [info] (70007)The timeout specified has expired: SSL input filter read failed.
[Thu Dec 20 14:09:41 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_kernel.c(1756): OpenSSL: Write: SSL negotiation finished successfully
[Thu Dec 20 14:09:41 2007] [info] Connection to child 0 closed with standard shutdown(server myservername.com:443, client 172.23.41.92)
[Thu Dec 20 14:09:46 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_io.c(1708): OpenSSL: I/O error, 5 bytes expected to read on BIO#81ca8d0 [mem: 81d20e0]
[Thu Dec 20 14:09:46 2007] [info] (70007)The timeout specified has expired: SSL input filter read failed.
[Thu Dec 20 14:09:46 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_kernel.c(1756): OpenSSL: Write: SSL negotiation finished successfully
[Thu Dec 20 14:09:46 2007] [info] Connection to child 64 closed with standard shutdown(server myservername.com:443, client 172.23.41.92)


tail -f mmohttps-access.log
172.23.41.92 - - [20/Dec/2007:12:52:15 -0500] "POST /Msswc/Signon HTTP/1.1" 302 - "https://myservername.com/Msswc/Welcome" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
172.23.41.92 - - [20/Dec/2007:12:52:17 -0500] "GET /Msswc/WelcomeFrame HTTP/1.1" 200 519 "https://myservername.com/Msswc/Welcome" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
172.23.41.92 - - [20/Dec/2007:12:52:17 -0500] "GET /Msswc/Welcome HTTP/1.1" 200 5262 "https://myservername.com/Msswc/WelcomeFrame" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
172.23.41.92 - - [20/Dec/2007:12:52:19 -0500] "GET /Msswc/Logout HTTP/1.1" 302 - "https://myservername.com/Msswc/TopNav" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
172.23.41.92 - - [20/Dec/2007:12:52:19 -0500] "GET /" 400 486 "-" "-"
172.23.41.92 - - [20/Dec/2007:12:52:17 -0500] "GET /Msswc/WelcomeTop HTTP/1.1" 200 1617 "https://myservername.com/Msswc/WelcomeFrame" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
172.23.41.92 - - [20/Dec/2007:14:09:25 -0500] "GET /Msswc/WelcomeFrame HTTP/1.1" 200 519 "https://myservername.com/home.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
172.23.41.92 - - [20/Dec/2007:14:09:25 -0500] "GET /Msswc/TopNav HTTP/1.1" 200 7211 "https://myservername.com/home.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
172.23.41.92 - - [20/Dec/2007:14:09:26 -0500] "GET /Msswc/Welcome HTTP/1.1" 200 7381 "https://myservername.com/Msswc/WelcomeFrame" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
172.23.41.92 - - [20/Dec/2007:14:09:26 -0500] "GET /Msswc/WelcomeTop HTTP/1.1" 200 1617 "https://myservername.com/Msswc/WelcomeFrame" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
 
Old 12-20-2007, 03:20 PM   #9
awreneau
LQ Newbie
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 29

Original Poster
Rep: Reputation: 15
I should increase verbosity and post again. I'll let that run for a bit and repost my logs.
 
Old 12-20-2007, 06:28 PM   #10
David1357
Senior Member
 
Registered: Aug 2007
Location: South Carolina, U.S.A.
Distribution: Ubuntu, Fedora Core, Red Hat, SUSE, Gentoo, DSL, coLinux, uClinux
Posts: 1,302
Blog Entries: 1

Rep: Reputation: 107Reputation: 107
Quote:
Originally Posted by awreneau View Post
[Thu Dec 20 14:09:46 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_io.c(1708): OpenSSL: I/O error, 5 bytes expected to read on BIO#81ca8d0 [mem: 81d20e0]
[Thu Dec 20 14:09:46 2007] [info] (70007)The timeout specified has expired: SSL input filter read failed.
This does not look good.
 
Old 01-04-2008, 04:36 PM   #11
awreneau
LQ Newbie
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 29

Original Poster
Rep: Reputation: 15
This has been quite since I've been out of the office for a while. I've turned on Debug for the HTTPS site and get the following error when logging out.

[Fri Jan 04 16:28:51 2008] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_kernel.c(1775): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Fri Jan 04 16:28:51 2008] [info] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Fri Jan 04 16:28:51 2008] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?


I realize this is bad coding as I originally mentioned but I have no rights to change the code and don't know if I can get approval to do so.

Back to my original question, I'd like to run the rewrite module and have the link rewritten/rerouted via apache modules.


Can this be done?
 
Old 01-04-2008, 05:00 PM   #12
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
You'll have to create two separate vhosts, one for host:80 and another for host:443. Then you'll need to create the certificate for host:443 and add the directives in the host.443.conf file. Then you can add the Redirect / host:443 in the host.80.conf file. Each new ssl host:443 vhost has to have a separate certificate and each of their corresponding host:80 can redirect to the ssl vhost.
 
Old 01-04-2008, 05:08 PM   #13
awreneau
LQ Newbie
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 29

Original Poster
Rep: Reputation: 15
ramram29, thanks for your prompt reply.

In my previous post I only listed the conf file for the 443 host, not the 80 host. I've copied it below:

NamevirtualHost *:80
<VirtualHost *:80>

DocumentRoot /var/www/

ServerName myservername.com:80

ProxyPass / http://myservername.com/
ProxyPassReverse / http//myservername.com/



CustomLog /var/log/apache2/myservername-access.log combined
ErrorLog /var/log/apache2/myservername-error.log
</VirtualHost>

If I understand you correctly the rewrite syntax should go in the *:80 site rather than the *:443 site. Is that correct?
 
Old 01-10-2008, 08:17 AM   #14
awreneau
LQ Newbie
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 29

Original Poster
Rep: Reputation: 15
I've kept plugging along w/ this problem and have to add this post to see if perhaps it sheds some light.

When logging out, as I stated earlier, you get the 400 error. The access log has this error.

clientip - - [10/Jan/2008:08:10:40 -0500] "GET /" 400 486 "-" "-"


If I understand it, the request was to get "root" or the base dir. The error was 400 but what is the 486 and the trailing dashes?
 
Old 02-08-2008, 04:15 PM   #15
awreneau
LQ Newbie
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 29

Original Poster
Rep: Reputation: 15
[SOLVED] - redirect http to https

Well I can mark this one solved. It was a combination of a few things, primarily to the fact that apache 2.0.5 didnt work well as a reverse proxy but apache 2.2.3 worked like a champ.

the solution to my problems, in addition to the many helpful comments everyone offered, is located here http://thereneaus.com/index.php/category/technology
 
  


Reply

Tags
apache2, proxy, reverse


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
forcing https redirect results in forbidden? sneakyimp Linux - Software 11 10-22-2007 04:11 AM
redirect http request to https with "post method" FMH Linux - General 0 10-01-2007 03:16 AM
redirect SquirrelMail from http to https using Apache2 cccc Linux - Server 3 09-23-2006 11:02 AM
Apache & Squirrelmail:Redirect to https? mac_phil Linux - Software 1 05-24-2004 04:52 AM
HTTP to HTTPS shegde Linux - Software 8 01-31-2003 05:29 AM


All times are GMT -5. The time now is 04:53 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration