Apache 2 Redirect

kmeyers · 02-25-2009, 02:48 PM

Ok, for the life of me I cant figure out how to do this and need some help. I believe I finally have a very secure config for apache2 that will only use SSL or port443. Problem is how do I redirect all my users who dont type in https:// to the proper SSL port 443?

Do I have to create Virtual Servers? If so how?

Or is there a Redirect command?

Thanks again for all your help before hand.....

Code:

# =================================================
# Basic settings
# =================================================
User apache
Group apache
ServerAdmin Me@Me.org
ServerName WebServer
UseCanonicalName Off
ServerSignature Off
HostnameLookups Off
ServerTokens Prod
ServerRoot "/usr/local/apache2"
DocumentRoot "/www"
PidFile /usr/local/apache2/logs/httpd.pid
ScoreBoardFile /usr/local/apache2/logs/httpd.scoreboard
<IfModule mod_dir.c>
    DirectoryIndex index.html
</IfModule>

# =================================================
# HTTP and performance settings
# =================================================
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 30
<IfModule prefork.c>
    MinSpareServers 5
    MaxSpareServers 10
    StartServers 5
    MaxClients 150
    MaxRequestsPerChild 0
</IfModule>

# =================================================
# Access control
# =================================================
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/www">
    Order allow,deny
    Allow from all
</Directory>

# =================================================
# MIME encoding
# =================================================
<IfModule mod_mime.c>
    TypesConfig /usr/local/apache2/conf/mime.types
</IfModule>
DefaultType text/plain
<IfModule mod_mime.c>
    AddEncoding x-compress              .Z
    AddEncoding x-gzip                  .gz .tgz
    AddType application/x-compress      .Z
    AddType application/x-gzip          .gz .tgz
    AddType application/x-tar           .tgz
    AddType application/x-x509-ca-cert  .crt
    AddType application/x-pkcs7-crl     .crl
</IfModule>

# =================================================
# Logs
# =================================================
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ErrorLog /usr/local/apache2/logs/error_log
CustomLog /usr/local/apache2/logs/access_log combined
CustomLog logs/ssl_request_log "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %b"

# =================================================
# SSL/TLS settings
# =================================================
Listen 0.0.0.0:443

SSLEngine on
SSLOptions +StrictRequire

<Directory />
    SSLRequireSSL
</Directory>

SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

SSLMutex file:/usr/local/apache2/logs/ssl_mutex

SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024

SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
SSLSessionCacheTimeout 600

SSLPassPhraseDialog builtin
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/Server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/Server.key
SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/intermediate.crt

SSLVerifyClient none
SSLProxyEngine off

<IfModule mime.c>
    AddType application/x-x509-ca-cert      .crt
    AddType application/x-pkcs7-crl         .crl
</IfModule>

kmeyers · 02-25-2009, 08:24 PM

Ok it took me 2 days.. I finally solved my own problem. For the index.html file at the root of the http server I have the following:

Code:

<META http-equiv="refresh" content="0; URL=https://Server">

Here is what my Virtual hosts look like.

Code:

# =================================================
# Virtual hosts
# =================================================
<VirtualHost *:80>
    DocumentRoot "/www/test"
</VirtualHost>

<VirtualHost *:443>
        DocumentRoot "/www"
        SSLEngine on
        SSLOptions +StrictRequire

        <Directory />
           SSLRequireSSL
        </Directory>

        SSLProtocol -all +TLSv1 +SSLv3
        SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
        SSLCertificateFile /usr/local/apache2/conf/ssl.crt/Server.crt
        SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/Server.key
        SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/intermediate.crt
</VirtualHost>

bathory · 02-26-2009, 01:56 AM

Quote:

Ok it took me 2 days.. I finally solved my own problem. For the index.html file at the root of the http server I have the following:

This will work only for index.html. What if someone visits directly another page? You have to do this for all the webpages you have, that is a pain...
You can use mod_rewrite to rewrite http requests to https:

Code:

 RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Regards

kmeyers · 02-26-2009, 06:58 AM

Ok stupid question, I already have compiled and install apache, but mod_rewrite wasn't one of the modules, how do I install mod_rewrite?

Also will the Rewrite command go under my Virutalhost for port 80 like this... or should it go somewhere else?

Code:

<VirtualHost *:80>
    DocumentRoot "/www/test"
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

bathory · 02-26-2009, 07:13 AM

Quote:

I already have compiled and install apache, but mod_rewrite wasn't one of the modules, how do I install mod_rewrite?

Recompile apache using adding the "--enable-rewrite" option in the ./configure script you've used.
Don't forget to run "make clean" in the source tree before running ./configure
If you have compiled apache with DSO support you can just compile the module. It will automatically be installed and add the needed "LoadModule" directive in httpd.conf:

Code:

/usr/local/apache2/bin/apxs -iac /path/to/apache-source/modules/mappers/mod_rewrite.c

Quote:

Also will the Rewrite command go under my Virutalhost for port 80 like this... or should it go somewhere else?

You can put the rewrite commands wherever you want them to apply: under <DocumentRoot> for the whole server, inside a <VirtualHost> definition to apply for the specific vhost or inside a <Directory> definition to apply for that directory