LinuxQuestions.org
Old 10-18-2007, 05:09 PM   #1
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Rep: Reputation: 50
forcing https redirect results in forbidden?


I'm installing a webmail interface and want it to be hosted securely. I visit the page at http://mydomain.com/webmail and it looks great. I visit securely through HTTPS://mydomain.com/webmail and it still looks great.

HOWEVER, when I create a .htaccess file with this in it, it's FORBIDDEN in both cases:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

What's the deal? I fail to see how the htaccess file suddenly makes the file forbidden. How can I force visitors to use https only?
 
Old 10-19-2007, 02:20 AM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,907

Rep: Reputation: 1326
Change the rewrite rules to this:
Code:
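RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
# In .htaccess (per-directory) context the path is matched without its
# leading slash, so the pattern must not start with "^/".
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]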
 
Old 10-19-2007, 02:25 AM   #3
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
I put your code directly into an .htaccess file in the directory I want to host https and visited the page and got Forbidden - You don't have permission to access /webmail/ on this server.

I remove the htaccess file and can see the page just fine. wtf?
 
Old 10-19-2007, 03:42 AM   #4
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,907

Rep: Reputation: 1326
Take a look at apache error_log to see what the problem is.
 
Old 10-19-2007, 04:08 AM   #5
InDubio
LQ Newbie
 
Registered: Feb 2007
Posts: 10

Rep: Reputation: 0
Most likely there are two possible errors:

- The user the server is running as has no rights to read the .htaccess file
- There is a syntax error in your .htaccess file

Both would result in the server bailing out with a 401 error.

The server's error log would give you the answer. If you have no access to it, try uploading an empty .htaccess; if you still get a 401 it's almost definitely the access rights.
 
Old 10-19-2007, 05:28 AM   #6
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
The htaccess file is 644. I even tried adding apache as group:
Code:
-rw-r--r--  1 root apache    94 Oct 19 06:22 .htaccess
The problem is not lack of permission to read the file.

As for syntax errors - you see the code right here in this thread. I have tried both verbatim and they don't work.

I checked the error log, I believe this is what is being reported:
Code:
[Fri Oct 19 06:23:31 2007] [error] [client 11.11.11.11] Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden: /var/www/webmail/
What the heck does that mean?
 
Old 10-19-2007, 05:44 AM   #7
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,907

Rep: Reputation: 1326
Add
Code:
Options +FollowSymLinks
in .htaccess to see if it works
 
Old 10-19-2007, 07:18 AM   #8
InDubio
LQ Newbie
 
Registered: Feb 2007
Posts: 10

Rep: Reputation: 0
Quote:
Originally Posted by bathory
Add
Code:
Options +FollowSymLinks
in .htaccess to see if it works
And if that does not work, you have to change the httpd.conf file. There should be a <Directory "/path/to/your/http_root"> tag somewhere, and within it an "AllowOverride" rule, which you will need to change from "None" to "All".

But two things to be aware of:

- This will allow the .htaccess files to override any configuration given in the apache conf files regarding the directory they are put in. This should not be a problem if you are the only one with access to the webserver's filesystem.

- On high-load servers, using .htaccess files will come with some performance penalties, as the server has to check and iterate through every single htaccess file recursively every time a client connects.
(Though you should consider putting the redirect rule directly into the <Directory> tag within the server's conf file.)

Hope that helped a bit

Last edited by InDubio; 10-19-2007 at 07:21 AM.
 
Old 10-19-2007, 02:21 PM   #9
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
Most definitely! Thanks!
 
Old 10-19-2007, 10:35 PM   #10
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
OK dang I'm having another problem now. I've got one particular folder which must be both HTTPS and also needs password protection (it's *very* sensitive!). The problem I'm having is that the user is prompted for a password from the http version of the page and then PROMPTED AGAIN when the user is redirected to the https version of the page.

So the entire folder of mydomain.com/foo must be https! To that end I have created the file /etc/httpd/conf.d/foo.conf which contains the following:
Code:
alias /foo /var/www/foo
<Directory /var/www/foo>
  Options FollowSymLinks
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

  AllowOverride All
  DirectoryIndex index.php
  Order allow,deny
  allow from all
</Directory>
This code works great (thanks for all the help) except that there is a subfolder of foo that is for ADMINS ONLY and is found at mydomain.com/foo/admin . The actual folder containing the admin files has an .htaccess file containing this:
Code:
AuthUserFile /var/www/.htpasswd
AuthGroupFile /dev/null
AuthName "ADMINS ONLY"
AuthType Basic

<limit GET POST>
require valid-user
</limit>
In short, a visit to http://mydomain.com/foo/admin will prompt you for a password. Once you enter a password it redirects to https://mydomain.com/foo/admin where you get prompted for the password again.

Can anyone help me figure *this one* out?
 
Old 10-22-2007, 02:50 AM   #11
InDubio
LQ Newbie
 
Registered: Feb 2007
Posts: 10

Rep: Reputation: 0
It's no wonder the webserver asks you twice for the correct login, because here is what happens:
1.) You try a GET via http...
2.) ...which will make your webserver prompt for a username/pwd (because access is restricted)
3.) after correctly authenticating, all the GET (which you are now allowed to do) is telling you is to go look at https
4.) now your browser tries a GET at HTTPS, but guess what the webserver is telling it?
5.) correct! You need to authenticate before you can do that
6.) and after doing that you finally get the document


So you want your whole site to be visitable only via https and not via http at all, and when someone comes with http he should be directed to https, am I correct? Or does only the foo directory need https?

Either way I would create two http roots, one for http, which only serves the purpose of redirecting the user to the correct https document, and one for https that actually serves the pages (would be much cleaner that way I guess because you wouldn't have to worry about your configuration messing with the redirect rules)

Oh, by the way, which Distro do you happen to use?
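
The two-virtual-host layout suggested in post #11, as an added example that is not part of the original thread and not any poster's own configuration. The rewrite rule in the thread sits in a <Directory> block, where mod_rewrite runs after the authentication check, so the password is requested (and sent in clear text) before the redirect fires; a server-level Redirect in the port-80 virtual host is processed before any authentication. Assumptions: Apache 2.2 syntax as used in the thread, mod_ssl loaded with Listen 443 configured elsewhere, and the DocumentRoot and certificate paths are placeholders.

```apache
# Added example (Apache 2.2 syntax, matching the thread). Placeholders are marked.

# Port 80: /foo is never served here, only redirected. There is no Alias to
# /var/www/foo in this vhost, so the .htaccess in foo/admin is never read
# and no Basic auth challenge can be issued over plain HTTP.
<VirtualHost *:80>
    ServerName mydomain.com
    DocumentRoot /var/www/html            # placeholder
    # Prefix match: /foo/admin/x becomes https://mydomain.com/foo/admin/x
    Redirect permanent /foo https://mydomain.com/foo
</VirtualHost>

# Port 443: the only place /foo is mapped and the only place auth is asked.
<VirtualHost *:443>
    ServerName mydomain.com
    DocumentRoot /var/www/html            # placeholder
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder.crt
    SSLCertificateKeyFile /path/to/placeholder.key

    Alias /foo /var/www/foo
    <Directory /var/www/foo>
        Options FollowSymLinks
        AllowOverride None                # auth is configured below, not in .htaccess
        DirectoryIndex index.php
        Order allow,deny
        Allow from all
    </Directory>

    # Only the admin subfolder needs a password; /foo itself stays open.
    <Directory /var/www/foo/admin>
        SSLRequireSSL                     # refuse the request if it is not over SSL
        AuthType Basic
        AuthName "ADMINS ONLY"
        AuthUserFile /var/www/.htpasswd
        # No <Limit GET POST> wrapper: the requirement then covers every
        # HTTP method, not only GET and POST.
        Require valid-user
    </Directory>
</VirtualHost>
```

With this layout a request to http://mydomain.com/foo/admin gets a 301 to the https URL first, and the single password prompt happens inside the encrypted connection.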
 
Old 10-22-2007, 03:11 AM   #12
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
I thought it might be fair to assume that there's some order in which statements are evaluated. Like maybe the rewrite engine would be evaluated before the server actually bothers to go check the .htaccess file, you know what I mean?

Sadly, most of the site is just plain old http. There are 3 or 4 admin type interfaces which I need to be hosted https to avoid clear-text transmission of sensitive passwords. In one particular subdirectory, the one I'm working with now (call it http://mydomain.com/foo/admin), the pages need to be password protected but the underlying PHP pages have no means of authenticating themselves so I must rely on apache authentication to protect that folder with a password requirement. I DO NOT want the parent folder (http://mydomain.com/foo) to require any password auth at all.

I'm not really sure what you are suggesting. The need for https is scattered rather arbitrarily throughout my site. There's a shopping cart type thing, a webmail interface, webstats, a phpmyadmin, etc. In some cases I can force https or password auth through php...in this one case I cannot.
 
  

