LinuxQuestions.org
Old 12-20-2007, 11:58 AM   #1
awreneau
Member
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 42

Rep: Reputation: 15
redirect http to https


My subject is a bit misleading but the explanation is too lengthy. I'll attempt to be brief but accurate.

We have an app that still only supports 40 bit encryption and the upgrades are not available for installation yet.

I have an Apache Reverse Proxy running and it's fine; all pages are working with the exception of the log off script.

If you mouseover the Logoff link it points to https://myservername.com/Msswc/Logout however, when you click the link you wind up at http://myservername.com:443/. And Firefox tells you this won't work as follows:

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.


IE just has a white page.


Now if I take the reverse proxy out of the equation, IE will take you back to the login screen; FF won't even load it w/o some about:config mods to allow low encryption, but that's not important.

My question is can I redirect http://myservername.com:443/ to https://myservername.com:443/ w/ a Redirect statement in the vhost file?

I've tried the following:
Redirect /Msswc/Logout https://myservername.com

But it doesn't work.

Willing to try ReWrite if someone can help w/ that; everything I've tried thus far w/ ReWrite has also failed.

Help would be greatly appreciated!
 
Old 12-20-2007, 12:18 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Well, I'd suggest working on the actual problem you have... If a link says https:// but you end up on http:// then something is seriously screwed. Take that original URL and run (for example) "wget -vk https://thaturlhere.com" and see what that actually returns. For you to end up on an http connection from that you'd need to be getting something like an HTTP 302 redirection message from it; there's no other point in the process which has the right to change the address.
 
Old 12-20-2007, 01:13 PM   #3
David1357
Senior Member
 
Registered: Aug 2007
Location: South Carolina, U.S.A.
Distribution: Ubuntu, Fedora Core, Red Hat, SUSE, Gentoo, DSL, coLinux, uClinux
Posts: 1,302
Blog Entries: 1

Rep: Reputation: 107
Quote:
Originally Posted by awreneau
If you mouseover the Logoff link it points to https://myservername.com/Msswc/Logout however, when you click the link you wind up at http://myservername.com:443/.
Look at the files in "/var/log/apache2". The "ssl_engine.log" file should have good debugging information about what is happening. The other logs will also be informative.
 
Old 12-20-2007, 01:13 PM   #4
awreneau
Member
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 42

Original Poster
Rep: Reputation: 15
That would certainly be the first fix, but it's not as cut and dry as it may seem.

The app runs on an AS400, and I have no rights on that box. The app is very old and in need of desperate upgrading and Apache Reverse proxy was the band aid until the app was upgraded. It runs 40 Bit encryption and FF 2.x and IE7 (on vista) choke at that bit level.

IE 7 on XP and below never even cough at the low levels of encryption.

The Logout script is running but it's being redirected somewhere on the backend.

The results of wget -vK https://myservername/com/Msswc/Logout

HTTP request sent, awaiting response... 503 Service Unavailable
14:09:41 ERROR 503: Service Unavailable.



So, back to the redirect, rewrite option.....

Ideas?
 
Old 12-20-2007, 01:20 PM   #5
David1357
Senior Member
 
Registered: Aug 2007
Location: South Carolina, U.S.A.
Distribution: Ubuntu, Fedora Core, Red Hat, SUSE, Gentoo, DSL, coLinux, uClinux
Posts: 1,302
Blog Entries: 1

Rep: Reputation: 107
Quote:
Originally Posted by awreneau
So, back to the redirect, rewrite option.....
I would really like to see the logs before we punt and start hacking.
 
Old 12-20-2007, 01:42 PM   #6
awreneau
Member
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 42

Original Poster
Rep: Reputation: 15
Which log might that be?

In the interim, I've copied snippets from the vhost file and supplied info about the server environment.

Running Ubuntu 6.06-1 LTS
Server version: Apache/2.0.55
Server built: Aug 16 2007 22:20:04
mod-proxy-html
libapache-mod-ssl
ports.conf listens on 80 and 443

Mods enabled are:
cache.load
cgid.conf
cgid.load
disk_cache.load
proxy.conf
proxy_html.load
proxy.load
ssl.conf
ssl.load
userdir.conf
userdir.load

Some of the mods are default....


VHOST FILE

NamevirtualHost *:443

<VirtualHost *:443>

DocumentRoot /var/www/

ServerName myservername.com:443

SSLEngine On
SSLCertificateFile /etc/apache2/ssl//exported-public-key-der-07.crt
SSLCertificateKeyFile /etc/apache2/ssl//exported-private-key-07-pkcs8.key
SSLCACertificateFile /etc/apache2/ssl//other/intermediateCA.cer



ProxyPass / https://myservername.com/
ProxyPassReverse / https://myservername.com/

CustomLog /var/log/apache2/https-access.log combined
ErrorLog /var/log/apache2/https-error.log


SSLProxyEngine On
SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

ProxyHTMLLogVerbose On
LogLevel Debug

CacheEnable disk /
CacheRoot "/var/cache/myservername.com"

Redirect /Msswc/Logout https://myservername.com


</VirtualHost>

NamevirtualHost *:80
<VirtualHost *:80>

DocumentRoot /var/www/

ServerName myservername.com:80

ProxyPass / http://myservername.com/
ProxyPassReverse / http://myservername.com/



CustomLog /var/log/apache2/http-access.log combined
ErrorLog /var/log/apache2/http-error.log

</VirtualHost>
 
Old 12-20-2007, 02:05 PM   #7
David1357
Senior Member
 
Registered: Aug 2007
Location: South Carolina, U.S.A.
Distribution: Ubuntu, Fedora Core, Red Hat, SUSE, Gentoo, DSL, coLinux, uClinux
Posts: 1,302
Blog Entries: 1

Rep: Reputation: 107
Quote:
Originally Posted by awreneau
Which log might that be?
Your httpd.conf (or apache.conf) will show you where to look for your logs. Mine are in "/var/log/apache". If you cannot find your logs by reading your configuration file, use the "find" command starting in "/".

If you are not looking at your Apache logs to debug this problem, you are ignoring a valuable debugging tool.
 
Old 12-20-2007, 02:19 PM   #8
awreneau
Member
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 42

Original Poster
Rep: Reputation: 15
tail of the access and error logs


tail -f mmohttps-error.log
[Thu Dec 20 14:09:31 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_io.c(1675): +-------------------------------------------------------------------------+
[Thu Dec 20 14:09:31 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/proxy/proxy_http.c(1574): proxy: end body send
[Thu Dec 20 14:09:41 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_io.c(1708): OpenSSL: I/O error, 5 bytes expected to read on BIO#81ca8d0 [mem: 81d20e0]
[Thu Dec 20 14:09:41 2007] [info] (70007)The timeout specified has expired: SSL input filter read failed.
[Thu Dec 20 14:09:41 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_kernel.c(1756): OpenSSL: Write: SSL negotiation finished successfully
[Thu Dec 20 14:09:41 2007] [info] Connection to child 0 closed with standard shutdown(server myservername.com:443, client 172.23.41.92)
[Thu Dec 20 14:09:46 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_io.c(1708): OpenSSL: I/O error, 5 bytes expected to read on BIO#81ca8d0 [mem: 81d20e0]
[Thu Dec 20 14:09:46 2007] [info] (70007)The timeout specified has expired: SSL input filter read failed.
[Thu Dec 20 14:09:46 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_kernel.c(1756): OpenSSL: Write: SSL negotiation finished successfully
[Thu Dec 20 14:09:46 2007] [info] Connection to child 64 closed with standard shutdown(server myservername.com:443, client 172.23.41.92)


tail -f mmohttps-access.log
172.23.41.92 - - [20/Dec/2007:12:52:15 -0500] "POST /Msswc/Signon HTTP/1.1" 302 - "https://myservername.com/Msswc/Welcome" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
172.23.41.92 - - [20/Dec/2007:12:52:17 -0500] "GET /Msswc/WelcomeFrame HTTP/1.1" 200 519 "https://myservername.com/Msswc/Welcome" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
172.23.41.92 - - [20/Dec/2007:12:52:17 -0500] "GET /Msswc/Welcome HTTP/1.1" 200 5262 "https://myservername.com/Msswc/WelcomeFrame" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
172.23.41.92 - - [20/Dec/2007:12:52:19 -0500] "GET /Msswc/Logout HTTP/1.1" 302 - "https://myservername.com/Msswc/TopNav" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
172.23.41.92 - - [20/Dec/2007:12:52:19 -0500] "GET /" 400 486 "-" "-"
172.23.41.92 - - [20/Dec/2007:12:52:17 -0500] "GET /Msswc/WelcomeTop HTTP/1.1" 200 1617 "https://myservername.com/Msswc/WelcomeFrame" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
172.23.41.92 - - [20/Dec/2007:14:09:25 -0500] "GET /Msswc/WelcomeFrame HTTP/1.1" 200 519 "https://myservername.com/home.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
172.23.41.92 - - [20/Dec/2007:14:09:25 -0500] "GET /Msswc/TopNav HTTP/1.1" 200 7211 "https://myservername.com/home.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
172.23.41.92 - - [20/Dec/2007:14:09:26 -0500] "GET /Msswc/Welcome HTTP/1.1" 200 7381 "https://myservername.com/Msswc/WelcomeFrame" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
172.23.41.92 - - [20/Dec/2007:14:09:26 -0500] "GET /Msswc/WelcomeTop HTTP/1.1" 200 1617 "https://myservername.com/Msswc/WelcomeFrame" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
 
Old 12-20-2007, 02:20 PM   #9
awreneau
Member
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 42

Original Poster
Rep: Reputation: 15
I should increase verbosity and post again. I'll let that run for a bit and repost my logs.
 
Old 12-20-2007, 05:28 PM   #10
David1357
Senior Member
 
Registered: Aug 2007
Location: South Carolina, U.S.A.
Distribution: Ubuntu, Fedora Core, Red Hat, SUSE, Gentoo, DSL, coLinux, uClinux
Posts: 1,302
Blog Entries: 1

Rep: Reputation: 107
Quote:
Originally Posted by awreneau
[Thu Dec 20 14:09:46 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_io.c(1708): OpenSSL: I/O error, 5 bytes expected to read on BIO#81ca8d0 [mem: 81d20e0]
[Thu Dec 20 14:09:46 2007] [info] (70007)The timeout specified has expired: SSL input filter read failed.
This does not look good.
 
Old 01-04-2008, 03:36 PM   #11
awreneau
Member
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 42

Original Poster
Rep: Reputation: 15
This has been quiet since I've been out of the office for a while. I've turned on Debug for the HTTPS site and get the following error when logging out.

[Fri Jan 04 16:28:51 2008] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_kernel.c(1775): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Fri Jan 04 16:28:51 2008] [info] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Fri Jan 04 16:28:51 2008] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?


I realize this is bad coding as I originally mentioned but I have no rights to change the code and don't know if I can get approval to do so.

Back to my original question, I'd like to run the rewrite module and have the link rewritten/rerouted via apache modules.


Can this be done?
 
Old 01-04-2008, 04:00 PM   #12
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
You'll have to create two separate vhosts, one for host:80 and another for host:443. Then you'll need to create the certificate for host:443 and add the directives in the host.443.conf file. Then you can add the Redirect / host:443 in the host.80.conf file. Each new ssl host:443 vhost has to have a separate certificate and each of their corresponding host:80 can redirect to the ssl vhost.
 
Old 01-04-2008, 04:08 PM   #13
awreneau
Member
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 42

Original Poster
Rep: Reputation: 15
ramram29, thanks for your prompt reply.

In my previous post I only listed the conf file for the 443 host, not the 80 host. I've copied it below:

NamevirtualHost *:80
<VirtualHost *:80>

DocumentRoot /var/www/

ServerName myservername.com:80

ProxyPass / http://myservername.com/
ProxyPassReverse / http://myservername.com/



CustomLog /var/log/apache2/myservername-access.log combined
ErrorLog /var/log/apache2/myservername-error.log
</VirtualHost>

If I understand you correctly the rewrite syntax should go in the *:80 site rather than the *:443 site. Is that correct?
 
Old 01-10-2008, 07:17 AM   #14
awreneau
Member
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 42

Original Poster
Rep: Reputation: 15
I've kept plugging along w/ this problem and have to add this post to see if perhaps it sheds some light.

When logging out, as I stated earlier, you get the 400 error. The access log has this error.

clientip - - [10/Jan/2008:08:10:40 -0500] "GET /" 400 486 "-" "-"


If I understand it, the request was to get "root" or the base dir. The error was 400 but what is the 486 and the trailing dashes?
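
On the fields asked about above: in Apache's "combined" log format the number after the status is the response size in bytes (%b), and the two quoted dashes are the Referer and User-Agent headers, logged as "-" when absent. The following is an added example, not part of the original thread: it parses combined-format lines and flags a 400 with no HTTP version, Referer or User-Agent that follows a 302 to the same client, the pattern the posted logs show at logout. The function names, the 5-second window and the shortened sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache "combined": %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def parse(line):
    """Return one combined-format line as a dict, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])  # "-" = no body sent
    # A complete request line is "METHOD path HTTP/x.y"; fewer than three
    # tokens means no HTTP version was logged for this request.
    e["has_protocol"] = len(e["request"].split()) == 3
    return e

def plain_http_after_redirect(lines, window=timedelta(seconds=5)):
    """Find bare 400s (no version, Referer or User-Agent) that follow a 302."""
    hits, last_redirect = [], {}
    for e in filter(None, map(parse, lines)):
        if e["status"] == 302:
            last_redirect[e["host"]] = e
        elif (e["status"] == 400 and not e["has_protocol"]
              and e["referer"] == "-" and e["agent"] == "-"):
            prev = last_redirect.get(e["host"])
            if prev and timedelta(0) <= e["time"] - prev["time"] <= window:
                hits.append((prev["request"], e["request"], e["bytes"]))
    return hits

# Constructed sample, modelled on the access-log lines posted in the thread.
SAMPLE = [
    '172.23.41.92 - - [20/Dec/2007:12:52:17 -0500] "GET /Msswc/Welcome HTTP/1.1" 200 5262 "https://myservername.com/Msswc/WelcomeFrame" "Mozilla/5.0"',
    '172.23.41.92 - - [20/Dec/2007:12:52:19 -0500] "GET /Msswc/Logout HTTP/1.1" 302 - "https://myservername.com/Msswc/TopNav" "Mozilla/5.0"',
    '172.23.41.92 - - [20/Dec/2007:12:52:19 -0500] "GET /" 400 486 "-" "-"',
]

if __name__ == "__main__":
    for redirect, bad, size in plain_http_after_redirect(SAMPLE):
        print(f"{redirect!r} -> 302, then {bad!r} -> 400 ({size}-byte error page)")
```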
 
Old 02-08-2008, 03:15 PM   #15
awreneau
Member
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 42

Original Poster
Rep: Reputation: 15
[SOLVED] - redirect http to https

Well, I can mark this one solved. It was a combination of a few things, primarily due to the fact that apache 2.0.5 didn't work well as a reverse proxy but apache 2.2.3 worked like a champ.

The solution to my problems, in addition to the many helpful comments everyone offered, is located here: http://thereneaus.com/index.php/category/technology
 
  

