redirect http to https
My subject is a bit misleading but the explanation is too lengthy. I'll attempt to be brief but accurate.
We have an app that still only supports 40 bit encryption and the upgrades are not available for installation yet. I have an Apache Reverse Proxy running and it's fine; all pages are working with the exception of the log off script. If you mouseover the Logoff link it points to https://myservername.com/Msswc/Logout; however, when you click the link you wind up at http://myservername.com:443/. And Firefox tells you this won't work as follows:

    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.

IE just has a white page. Now if I take the reverse proxy out of the equation, IE will take you back to the login screen; FF won't even load it w/o some about:config mods to allow low encryption, but that's not important.

My question is: can I redirect http://myservername.com:443/ to https://myservername..com:443/ w/ a Redirect statement in the vhost file? I've tried the following:

    Redirect /Msswc/Logout https://myservername.com

But it doesn't work. Willing to try ReWrite if someone can help w/ that; everything I've tried thus far w/ ReWrite has also failed. Help would be greatly appreciated!
well i'd suggest working on the actual problem you have... if a link says https:// but you end up on http:// then something is seriously screwed. take that original url and run (for example) "wget -vk https://thaturlhere.com" and see what that actually returns. for you to end up on an http connection from that you'd need to be getting something like an http 302 redirection message from it, there's no other point in the process which has the right to change the address.
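The check suggested in the reply above, as an added example that is not part of the original thread: given the URL that was requested and the raw response headers (for instance as saved from `wget -S` output), it reports a redirect whose Location downgrades https to http or points plain http at port 443, the symptom the original poster describes. The function names and the sample response are constructed for illustration; the thread does not show the backend's actual headers.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECTS = {301, 302, 303, 307, 308}

def audit_redirect(request_url, location):
    """Compare a redirect target with the URL that was requested."""
    target = urljoin(request_url, location)  # Location may be relative
    src, dst = urlsplit(request_url), urlsplit(target)
    findings = []
    if src.scheme == "https" and dst.scheme == "http":
        findings.append("scheme downgrade: https -> http")
    port = dst.port or DEFAULT_PORTS.get(dst.scheme)
    for scheme, default in DEFAULT_PORTS.items():
        if port == default and dst.scheme != scheme:
            findings.append(f"{dst.scheme} URL on default {scheme} port {default}")
    if src.hostname != dst.hostname:
        findings.append(f"host change: {src.hostname} -> {dst.hostname}")
    return findings

def check_response(request_url, raw_response):
    """Parse a status line plus headers and audit any redirect."""
    lines = raw_response.splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status not in REDIRECTS or "location" not in headers:
        return status, []
    return status, audit_redirect(request_url, headers["location"])

# Constructed response matching the symptom described in the thread.
SAMPLE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://myservername.com:443/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(check_response("https://myservername.com/Msswc/Logout", SAMPLE))
```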
That would certainly be the first fix, but it's not as cut and dry as it may seem.
The app runs on an AS400, and I have no rights on that box. The app is very old and in need of desperate upgrading and Apache Reverse proxy was the band aid until the app was upgraded. It runs 40 Bit encryption and FF 2.x and IE7 (on vista) choke at that bit level. IE 7 on XP and below never even cough at the low levels of encryption. The Logout script is running but it's being redirected somewhere on the backend.

The results of wget -vK https://myservername/com/Msswc/Logout

    HTTP request sent, awaiting response... 503 Service Unavailable
    14:09:41 ERROR 503: Service Unavailable.

So, back to the redirect, rewrite option..... Ideas?
Which log might that be?
In the interim, I've copied snippets from the vhost file and supplied info about the server environment.

Running Ubuntu 6.06-1 LTS
Server version: Apache/2.0.55
Server built: Aug 16 2007 22:20:04
mod-proxy-html
libapache-mod-ssl
ports.conf listens on 80 and 443

Mods enabled are:

    cache.load
    cgid.conf
    cgid.load
    disk_cache.load
    proxy.conf
    proxy_html.load
    proxy.load
    ssl.conf
    ssl.load
    userdir.conf
    userdir.load

Some of the mods are default....

VHOST FILE

    NamevirtualHost *:443
    <VirtualHost *:443>
        DocumentRoot /var/www/
        ServerName myservername.com:443
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl//exported-public-key-der-07.crt
        SSLCertificateKeyFile /etc/apache2/ssl//exported-private-key-07-pkcs8.key
        SSLCACertificateFile /etc/apache2/ssl//other/intermediateCA.cer
        ProxyPass / https://myservername.com/
        ProxyPassReverse / https://myservername.com/
        CustomLog /var/log/apache2/https-access.log combined
        ErrorLog /var/log/apache2/https-error.log
        SSLProxyEngine On
        SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        ProxyHTMLLogVerbose On
        LogLevel Debug
        CacheEnable disk /
        CacheRoot "/var/cache/myservername.com"
        Redirect /Msswc/Logout https://myservername.com
    </VirtualHost>

    NamevirtualHost *:80
    <VirtualHost *:80>
        DocumentRoot /var/www/
        ServerName myservername.com:80
        ProxyPass / http://myservername.com/
        ProxyPassReverse / http//myservername.com/
        CustomLog /var/log/apache2/http-access.log combined
        ErrorLog /var/log/apache2/http-error.log
    </VirtualHost>
Quote:
If you are not looking at your Apache logs to debug this problem, you are ignoring a valuable debugging tool.
tail of the access and error logs

tail -f mmohttps-error.log

    [Thu Dec 20 14:09:31 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_io.c(1675): +-------------------------------------------------------------------------+
    [Thu Dec 20 14:09:31 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/proxy/proxy_http.c(1574): proxy: end body send
    [Thu Dec 20 14:09:41 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_io.c(1708): OpenSSL: I/O error, 5 bytes expected to read on BIO#81ca8d0 [mem: 81d20e0]
    [Thu Dec 20 14:09:41 2007] [info] (70007)The timeout specified has expired: SSL input filter read failed.
    [Thu Dec 20 14:09:41 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_kernel.c(1756): OpenSSL: Write: SSL negotiation finished successfully
    [Thu Dec 20 14:09:41 2007] [info] Connection to child 0 closed with standard shutdown(server myservername.com:443, client 172.23.41.92)
    [Thu Dec 20 14:09:46 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_io.c(1708): OpenSSL: I/O error, 5 bytes expected to read on BIO#81ca8d0 [mem: 81d20e0]
    [Thu Dec 20 14:09:46 2007] [info] (70007)The timeout specified has expired: SSL input filter read failed.
    [Thu Dec 20 14:09:46 2007] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_kernel.c(1756): OpenSSL: Write: SSL negotiation finished successfully
    [Thu Dec 20 14:09:46 2007] [info] Connection to child 64 closed with standard shutdown(server myservername.com:443, client 172.23.41.92)

tail -f mmohttps-access.log

    172.23.41.92 - - [20/Dec/2007:12:52:15 -0500] "POST /Msswc/Signon HTTP/1.1" 302 - "https://myservername.com/Msswc/Welcome" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
    172.23.41.92 - - [20/Dec/2007:12:52:17 -0500] "GET /Msswc/WelcomeFrame HTTP/1.1" 200 519 "https://myservername.com/Msswc/Welcome" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
    172.23.41.92 - - [20/Dec/2007:12:52:17 -0500] "GET /Msswc/Welcome HTTP/1.1" 200 5262 "https://myservername.com/Msswc/WelcomeFrame" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
    172.23.41.92 - - [20/Dec/2007:12:52:19 -0500] "GET /Msswc/Logout HTTP/1.1" 302 - "https://myservername.com/Msswc/TopNav" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
    172.23.41.92 - - [20/Dec/2007:12:52:19 -0500] "GET /" 400 486 "-" "-"
    172.23.41.92 - - [20/Dec/2007:12:52:17 -0500] "GET /Msswc/WelcomeTop HTTP/1.1" 200 1617 "https://myservername.com/Msswc/WelcomeFrame" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
    172.23.41.92 - - [20/Dec/2007:14:09:25 -0500] "GET /Msswc/WelcomeFrame HTTP/1.1" 200 519 "https://myservername.com/home.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
    172.23.41.92 - - [20/Dec/2007:14:09:25 -0500] "GET /Msswc/TopNav HTTP/1.1" 200 7211 "https://myservername.com/home.htm" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
    172.23.41.92 - - [20/Dec/2007:14:09:26 -0500] "GET /Msswc/Welcome HTTP/1.1" 200 7381 "https://myservername.com/Msswc/WelcomeFrame" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
    172.23.41.92 - - [20/Dec/2007:14:09:26 -0500] "GET /Msswc/WelcomeTop HTTP/1.1" 200 1617 "https://myservername.com/Msswc/WelcomeFrame" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
I should increase verbosity and post again. I'll let that run for a bit and repost my logs.
This has been quiet since I've been out of the office for a while. I've turned on Debug for the HTTPS site and get the following error when logging out.

    [Fri Jan 04 16:28:51 2008] [debug] /build/buildd/apache2-2.0.55/build-tree/apache2/modules/ssl/ssl_engine_kernel.c(1775): OpenSSL: Exit: error in SSLv2/v3 read client hello A
    [Fri Jan 04 16:28:51 2008] [info] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
    [Fri Jan 04 16:28:51 2008] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?

I realize this is bad coding as I originally mentioned but I have no rights to change the code and don't know if I can get approval to do so. Back to my original question, I'd like to run the rewrite module and have the link rewritten/rerouted via apache modules. Can this be done?
You'll have to create two separate vhosts, one for host:80 and another for host:443. Then you'll need to create the certificate for host:443 and add the directives in the host.443.conf file. Then you can add the Redirect / host:443 in the host.80.conf file. Each new ssl host:443 vhost has to have a separate certificate and each of their corresponding host:80 can redirect to the ssl vhost.
ramram29, thanks for your prompt reply.
In my previous post I only listed the conf file for the 443 host, not the 80 host. I've copied it below:

    NamevirtualHost *:80
    <VirtualHost *:80>
        DocumentRoot /var/www/
        ServerName myservername.com:80
        ProxyPass / http://myservername.com/
        ProxyPassReverse / http//myservername.com/
        CustomLog /var/log/apache2/myservername-access.log combined
        ErrorLog /var/log/apache2/myservername-error.log
    </VirtualHost>

If I understand you correctly the rewrite syntax should go in the *:80 site rather than the *:443 site. Is that correct?
I've kept plugging along w/ this problem and have to add this post to see if perhaps it sheds some light.
When logging out, as I stated earlier, you get the 400 error. The access log has this error.

    clientip - - [10/Jan/2008:08:10:40 -0500] "GET /" 400 486 "-" "-"

If I understand it, the request was to get "root" or the base dir. The error was 400 but what is the 486 and the trailing dashes?
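For reading entries like the one quoted above, an added example (not from the original thread): in Apache's combined log format the fields after the quoted request line are the status code, the response size in bytes, then the quoted Referer and User-Agent headers, with "-" written when a value is absent. The script parses three lines from the access log posted earlier in the thread and flags a redirect followed by a bare 400 from the same client; that pairing is a heuristic chosen here, not an Apache feature, and the function names are illustrative.

```python
import re

# Apache "combined": %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def parse(line):
    """Split one combined-format line into named fields, or return None."""
    m = COMBINED.match(line)
    if m is None:
        return None
    e = m.groupdict()
    parts = e["request"].split()
    e["path"] = parts[1] if len(parts) > 1 else ""
    e["protocol"] = parts[2] if len(parts) > 2 else None
    e["status"] = int(e["status"])
    e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])  # "-" = no body
    return e

def redirect_then_bare_400(entries):
    """Pair each redirect with a later 400 from the same client that has no
    protocol version, Referer or User-Agent (heuristic)."""
    pending, hits = {}, []
    for e in entries:
        if e["status"] in (301, 302, 303, 307):
            pending[e["host"]] = e
        elif (e["status"] == 400 and e["protocol"] is None
              and e["referer"] == "-" == e["agent"] and e["host"] in pending):
            hits.append((pending.pop(e["host"])["path"], e["path"], e["bytes"]))
    return hits

UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
# Three lines from the access log posted in the thread.
SAMPLE = [
    '172.23.41.92 - - [20/Dec/2007:12:52:17 -0500] "GET /Msswc/Welcome HTTP/1.1" 200 5262 '
    f'"https://myservername.com/Msswc/WelcomeFrame" "{UA}"',
    '172.23.41.92 - - [20/Dec/2007:12:52:19 -0500] "GET /Msswc/Logout HTTP/1.1" 302 - '
    f'"https://myservername.com/Msswc/TopNav" "{UA}"',
    '172.23.41.92 - - [20/Dec/2007:12:52:19 -0500] "GET /" 400 486 "-" "-"',
]

if __name__ == "__main__":
    entries = [e for e in map(parse, SAMPLE) if e]
    print(redirect_then_bare_400(entries))
```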
[SOLVED] - redirect http to https
Well I can mark this one solved. It was a combination of a few things, primarily due to the fact that apache 2.0.5 didn't work well as a reverse proxy but apache 2.2.3 worked like a champ.
The solution to my problems, in addition to the many helpful comments everyone offered, is located here: http://thereneaus.com/index.php/category/technology