httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: Listen 443 https (SSLEngine Optional - dual host)
Date Sun, 17 Sep 2017 00:39:38 GMT
Assumption confirmed - and my connection is for sure https:// because of 
the mod_rewrite and finally HSTS

https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 updated too

phpinfo():
SERVER_PORT 	80

<VirtualHost *:80 *:443>
  ServerName www.rhsoft.net
  SSLEngine Optional
  SSLUseStapling On
  SSLCertificateFile "certs/rhsoft-www.conf_rsa.pem"
  SSLCertificateFile "certs/rhsoft-www.conf_ecdsa.pem"
  <IfModule mod_rewrite.c>
   RewriteEngine on
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
  </IfModule>
  <IfModule mod_headers.c>
   Header always set "Strict-Transport-Security" "max-age=31536000"
  </IfModule>
</VirtualHost>

On 17.09.2017 at 02:24, Reindl Harald wrote:
> 
> that's even worse - phpMyAdmin 4.4.15.10 seems to handle something 
> wrong because $_SERVER['SERVER_PORT'] is wrong - and I had some 
> bad code myself using that var instead of $_SERVER['HTTPS'], which again led 
> to an endless loop
> 
> in case of phpMyAdmin it redirects to https://hostname:80/path/ after 
> entering username/password - the workaround below in the config file seems 
> to solve that for now, but all in all that leaves a very bad taste
> 
> if(empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
> {
>   $cfg['ForceSSL'] = false;
> }
> else
> {
>   $cfg['ForceSSL'] = true;
> }
> 
> 
> On 14.09.2017 at 18:16, Reindl Harald wrote:
>> On 14.09.2017 at 16:08, Stefan Eissing wrote:
>>> Ok, as I read the code a bit more, there is a tangle of things that 
>>> can influence port/scheme selection. But what I can see, the version 
>>> in *trunk* should do the right thing *iff*
>>>
>>> a) you use "SSLEngine *:443" instead of "Optional"
>>> b) you use "ServerName xxx.yyy" *without* a port name
>>>
>>> then a
>>> <VirtualHost *:80 *:443>
>>>    ServerName xxx.yyy
>>>    SSLEngine *:443
>>>     ...
>>> </VirtualHost>
>>>
>>> should do the right thing here. Internal methods used to generate 
>>> Redirect Location headers, namely
>>> ap_construct_url()
>>> ap_get_server_port()
>>> ap_http_scheme()
>>> should give back the correct values for each connection and also fill 
>>> the Env Variables with the correct values.
>>
>> what does "trunk" mean here?
>> a future 2.5/2.6/3.0 or a 2.4.x in the near future?
>>
>> within 2 weeks you need TLS on each and every host since Chrome starts 
>> to warn about every page with a form tag and no TLS
>>
>> [root@srv-rhsoft:~]$ apachectl -t
>> AH00526: Syntax error on line 29 of 
>> /etc/httpd/conf/sites_enabled/contentlounge.conf:
>> Argument must be On, Off, or Optional
>>>> On 14.09.2017 at 15:46, Reindl Harald <h.reindl@thelounge.net> wrote:
>>>>
>>>>
>>>>
>>>> On 14.09.2017 at 15:40, Stefan Eissing wrote:
>>>>> Harald,
>>>>> could you check if a configuration like:
>>>>>    UseCanonicalPhysicalPort on
>>>>> in the server or vhost mitigates the problem?
>>>>
>>>> it makes it even more terrible and the resulting http:// protocol 
>>>> instead of https:// on port 443 here even triggers mod_security
>>>>
>>>> even if it would mitigate that issue - having ports in redirect urls 
>>>> easily leads to a lot of other problems when proxy-servers are part 
>>>> of the game
>>>>
>>>> [harry@srv-rhsoft:/mnt/data/downloads]$ curl --head --insecure 
>>>> https://contentlounge/cms
>>>> HTTP/1.1 301 Moved Permanently
>>>> Date: Thu, 14 Sep 2017 13:43:06 GMT
>>>> X-DNS-Prefetch-Control: off
>>>> X-Content-Type-Options: nosniff
>>>> X-Response-Time: D=1561 us
>>>> Location: http://contentlounge:443/cms/
>>>> Cache-Control: max-age=0
>>>> Expires: Thu, 14 Sep 2017 13:43:06 GMT
>>>> Content-Type: text/html; charset=iso-8859-1
>>>>
>>>>>> On 14.09.2017 at 12:00, Reindl Harald 
>>>>>> <h.reindl@thelounge.net> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 10.08.2017 at 18:22, Reindl Harald wrote:
>>>>>>>> If you want to experiment...
>>>>>>>> <VirtualHost IP:80 IP:443>
>>>>>>>> is already recognized
>>>>>>> but with "SSLEngine On" and "SSLCertificateFile" configured 
>>>>>>> non-https no longer would work
>>>>>>
>>>>>> OK, figured it out
>>>>>>
>>>>>> * you need the *first* vhost with "SSLEngine On"
>>>>>> * others can have "SSLEngine optional" and listen to 80 and 443
>>>>>>
>>>>>> but there is a bug: 
>>>>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=61519
>>>>>>
>>>>>> if the trailing slash is missing in the url the automatic redirect 
>>>>>> to the fully qualified folder-path points to http:// instead of 
>>>>>> https:// and that does not happen within a vhost dedicated to :443 
>>>>>> and "SSLEngine On"
>>>>>>
>>>>>> I was trapped in an endless loop because the php script making a 
>>>>>> redirect to https:// had a bug and missed the trailing / too
>>>>>>
>>>>>> <VirtualHost *:80 *:443>
>>>>>> DocumentRoot "/www/contentlounge"
>>>>>> ServerName contentlounge.rhsoft.net
>>>>>> SSLEngine optional
>>>>>> SSLCertificateFile "conf/ssl/rhsoft.net.pem"
>>>>>> </VirtualHost>
>>>>>>
>>>>>> [harry@srv-rhsoft:~]$ curl --head --insecure 
>>>>>> https://contentlounge/cms
>>>>>> HTTP/1.1 301 Moved Permanently
>>>>>> Date: Thu, 14 Sep 2017 09:40:27 GMT
>>>>>> X-DNS-Prefetch-Control: off
>>>>>> X-Content-Type-Options: nosniff
>>>>>> X-Response-Time: D=1311 us
>>>>>> Location: http://contentlounge/cms/
>>>>>> Cache-Control: max-age=0
>>>>>> Expires: Thu, 14 Sep 2017 09:40:27 GMT
>>>>>> Content-Type: text/html; charset=iso-8859-1
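The two curl captures in this thread show the same class of bug twice: a request made over https:// gets a Location header pointing at http://contentlounge/cms/ (scheme lost) and, with UseCanonicalPhysicalPort on, at http://contentlounge:443/cms/ (scheme and port disagree). Combined with an application that bounces http:// back to https:// without the trailing slash, that becomes the endless loop described above. The following is an added example, not code from the thread or from the httpd project: a small offline checker that classifies a single redirect hop (scheme downgrade, explicit default port, port/scheme mismatch, host change) and walks a redirect chain to detect loops. The function names (classify_redirect, follow_redirects, audit_chain) and the two site models (buggy_site, fixed_site) are assumptions of this example; the models are constructed to reproduce the Location headers quoted in the thread, they are not real server responses.

```python
from urllib.parse import urlsplit

# Default port per scheme. A Location that names one of these explicitly is
# the "port in redirect URL" problem the thread mentions; a scheme/port pair
# that disagrees (http://host:443/) is the UseCanonicalPhysicalPort symptom.
DEFAULT_PORTS = {"http": 80, "https": 443}


def classify_redirect(request_url, location):
    """Return a list of problem codes for one redirect hop.

    request_url is the URL the client asked for, location is the Location
    header it received. A relative Location is treated as clean because the
    client resolves it against the original scheme and host.
    """
    req = urlsplit(request_url)
    loc = urlsplit(location)
    problems = []
    if not loc.scheme:
        return problems
    if req.scheme == "https" and loc.scheme == "http":
        problems.append("scheme-downgrade")
    if loc.port is not None:
        if loc.port == DEFAULT_PORTS.get(loc.scheme):
            problems.append("explicit-default-port")
        else:
            problems.append("port-scheme-mismatch")
    if req.hostname != loc.hostname:
        problems.append("host-change")
    return problems


def follow_redirects(start_url, responder, max_hops=10):
    """Walk a redirect chain offline.

    responder(url) returns the Location a server would send for url, or None
    for a final (non-redirect) response. Returns (chain, status); status is
    None for a clean finish, "loop" if a URL repeats, "too-many-hops" otherwise.
    """
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        location = responder(url)
        if location is None:
            return chain, None
        if location in chain:
            chain.append(location)
            return chain, "loop"
        chain.append(location)
        url = location
    return chain, "too-many-hops"


def audit_chain(chain):
    """Apply classify_redirect to every hop; returns a list of (hop index, problems)."""
    return [(i, classify_redirect(chain[i], chain[i + 1])) for i in range(len(chain) - 1)]


# Constructed models of the behaviour described in the thread (hypothetical).

def buggy_site(url):
    """Dual-port vhost with SSLEngine Optional plus the buggy PHP redirect:
    the directory redirect adds the trailing slash but emits http://, and the
    PHP app bounces http:// back to https:// while dropping the trailing slash.
    """
    p = urlsplit(url)
    if p.scheme == "http":
        return "https://" + p.netloc + p.path.rstrip("/")
    if not p.path.endswith("/"):
        return "http://" + p.netloc + p.path + "/"
    return None


def fixed_site(url):
    """Same site once the directory redirect preserves the request scheme."""
    p = urlsplit(url)
    if p.scheme == "http":
        return "https://" + p.netloc + p.path
    if not p.path.endswith("/"):
        return p.scheme + "://" + p.netloc + p.path + "/"
    return None


if __name__ == "__main__":
    for name, site in (("buggy", buggy_site), ("fixed", fixed_site)):
        chain, status = follow_redirects("https://contentlounge/cms", site)
        print(name, status, " -> ".join(chain))
        for hop, problems in audit_chain(chain):
            if problems:
                print("  hop", hop, problems)
```

Running the script reports the buggy model as a loop after two hops with a scheme-downgrade on the first hop, and the fixed model as a clean two-entry chain. To use it against a live server, replace the responder with one that performs a HEAD request and returns the Location header (curl --head, as in the thread, or an HTTP client), keeping max_hops small so a loop cannot hang the check.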
