guacamole-user mailing list archives

From Nick Couchman <nick.e.couch...@gmail.com>
Subject Re: Apache Force Re-Direct to HTTPS
Date Tue, 17 Oct 2017 02:35:17 GMT
On Mon, Oct 16, 2017 at 10:25 PM, Carter Sema <CSema@acschools.org> wrote:

> I checked my Apache folders and my only site-enabled is my tomcat one, and
> just to be safe, I deleted the default ones in sites-available, rebooted
> apache2 and reloaded, still no luck. I can actually access HTTP content
> such as Guac (not static default tomcat sites) and it works. Any other
> tricks or ideas?
>
Nothing off the top of my head - clearly something else there is still
servicing the traffic on port 80, but I'm not able to spot what it is in
the configs you've posted.


> Do I need to enable Rewrite? The only reason I ask, is because on my other
> ubuntu-apache2-tomcat8 box, I don't have Rewrite enabled, and it works.
>
I think you should be able to do it without rewrite and with alias, using
the Redirect permanent line you have.  According to docs, the Redirect
directive is part of mod_alias, so you should only need to enable mod_alias
and then put that Redirect permanent / https://<host>/ line in there.


> I ended up doing what you suggested and blocking my traffic to port 80. As
> a fix for right now, eventually I will go back and investigate more. As you
> said, it's not pretty, but it restricts unwanted access on unsecured ports.
> I'm pretty new to linux in general but quickly learning, is blocking the
> port 80/8080 just as secure as forcing a redirect to https?
>
It's certainly no less secure than forcing a redirect - it might be
slightly more secure than allowing port 80 through and forcing the
redirect, since it's truly blocking all non-SSL/TLS traffic, so there's not
anything unencrypted that will get by.  Based on your setup, proxying
through Apache httpd, I would *definitely* block port 8080 and 8009 from
the outside world - my usual practice is to reconfigure Tomcat to only
listen on 127.0.0.1 so that the 8080/8009 traffic remains internal to the
host, and httpd (or nginx when I use that) is handling all of the requests
coming in from the network.

-Nick
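The layout Nick describes (port 80 handled only by a mod_alias Redirect, TLS terminated in httpd, Tomcat reachable solely on loopback) as an added example configuration; it is not from the thread or from the Guacamole project. Hostname, certificate paths, the /guacamole/ context path and the loopback Tomcat address are assumptions; it expects mod_alias, mod_ssl, mod_proxy, mod_proxy_http and mod_proxy_wstunnel to be enabled.

```apache
# Plain-HTTP vhost: its only job is the redirect. No content, no proxying,
# so nothing application-related is ever served unencrypted.
<VirtualHost *:80>
    ServerName guac.example.org            # placeholder hostname
    # mod_alias Redirect, as discussed above; no mod_rewrite needed.
    Redirect permanent / https://guac.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName guac.example.org            # placeholder hostname
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/guac.example.org.pem    # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/guac.example.org.key  # placeholder path

    # Tomcat is assumed to listen on 127.0.0.1:8080 only, so 8080/8009 are
    # never exposed to the network and httpd is the single entry point.
    <Location /guacamole/>
        Require all granted
        ProxyPass        http://127.0.0.1:8080/guacamole/ flushpackets=on
        ProxyPassReverse http://127.0.0.1:8080/guacamole/
    </Location>

    # The WebSocket tunnel needs its own ws:// mapping (mod_proxy_wstunnel).
    <Location /guacamole/websocket-tunnel>
        Require all granted
        ProxyPass        ws://127.0.0.1:8080/guacamole/websocket-tunnel
        ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
    </Location>
</VirtualHost>
```

To get the loopback-only Tomcat side, add address="127.0.0.1" to the HTTP (8080) and AJP (8009) Connector elements in Tomcat's server.xml, then confirm with ss -ltnp that nothing but httpd is bound to 0.0.0.0:80 and :443.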
