httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: Listen 443 https (SSLEngine Optional - dual host)
Date Sun, 17 Sep 2017 01:20:09 GMT


On 17.09.2017 at 03:07, Nick Edwards wrote:
> phpmyadmin 4.4.15 is YEARS old

and how does that change the fact that 
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519#c1 "SERVER_PORT 80" 
in case of an https connection is plain wrong?

> we have been using 4.7 for nearly a year, 4.7.2 is current

nice for you when you don't have to support older PHP (sync the package 
to a RHEL 7 host with PHP 5.4 - my whole own software is PHP 7.1 only 
with strict-types but that's not related to the topic at all)

> this from a troll who verbally abuses the hell out of people on other 
> lists for posting similar comments using very outdated software. HAH, 
> this one's in Google for life.

the only troll in this thread is you and nobody asked you, just because 
i have never seen anything useful on any list since you only post if you 
face something from me and otherwise you are a silent lurker everywhere!

> On Sun, Sep 17, 2017 at 10:24 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
> 
> 
>     that's even worse - phpMyAdmin 4.4.15.10 seems to handle
>     something wrong because $_SERVER['SERVER_PORT'] is wrong - and i had
>     myself some bad code using that var instead of $_SERVER['HTTPS']
>     which again led to an endless loop
> 
>     in case of phpMyAdmin it redirects to https://hostname:80/path/
>     after entering username/password - the workaround below in the config
>     file seems to solve that for now, but all in all that leaves a very
>     bad taste
> 
>     if(empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
>     {
>       $cfg['ForceSSL'] = false;
>     }
>     else
>     {
>       $cfg['ForceSSL'] = true;
>     }
> 
> 
>     On 14.09.2017 at 18:16, Reindl Harald wrote:
> 
>         On 14.09.2017 at 16:08, Stefan Eissing wrote:
> 
>             Ok, as I read the code a bit more, there is a tangle of
>             things that can influence port/scheme selection. But from what I
>             can see, the version in *trunk* should do the right thing *iff*
> 
>             a) you use "SSLEngine *:443" instead of "Optional"
>             b) you use "ServerName xxx.yyy" *without* a port number
> 
>             then a
>             <VirtualHost *:80 *:443>
>                 ServerName xxx.yyy
>                 SSLEngine *:443
>                  ...
>             </VirtualHost>
> 
>             should do the right thing here. Internal methods used to
>             generate Redirect Location headers, namely
>             ap_construct_url()
>             ap_get_server_port()
>             ap_http_scheme()
>             should give back the correct values for each connection and
>             also fill the env variables with the correct values.
> 
> 
>         what means "trunk" here?
>         a future 2.5/2.6/3.0 or a 2.4.x in the near future?
> 
>         within 2 weeks you need TLS on each and every host since Chrome
>         starts to warn about every page with a form tag and no TLS
> 
>         [root@srv-rhsoft:~]$ apachectl -t
>         AH00526: Syntax error on line 29 of
>         /etc/httpd/conf/sites_enabled/contentlounge.conf:
>         Argument must be On, Off, or Optional
> 
>                 On 14.09.2017 at 15:46, Reindl Harald
>                 <h.reindl@thelounge.net> wrote:
> 
> 
> 
>                 On 14.09.2017 at 15:40, Stefan Eissing wrote:
> 
>                     Harald,
>                     could you check if a configuration like:
>                         UseCanonicalPhysicalPort on
>                     in the server or vhost mitigates the problem?
> 
> 
>                 it makes it even more terrible and the resulting http://
>                 protocol instead of https:// on port 443 here even triggers
>                 mod_security
> 
>                 even if it would mitigate that issue - having ports in
>                 redirect urls easily leads to a lot of other problems
>                 when proxy-servers are part of the game
> 
>                 [harry@srv-rhsoft:/mnt/data/downloads]$ curl --head
>                 --insecure https://contentlounge/cms
>                 HTTP/1.1 301 Moved Permanently
>                 Date: Thu, 14 Sep 2017 13:43:06 GMT
>                 X-DNS-Prefetch-Control: off
>                 X-Content-Type-Options: nosniff
>                 X-Response-Time: D=1561 us
>                 Location: http://contentlounge:443/cms/
>                 Cache-Control: max-age=0
>                 Expires: Thu, 14 Sep 2017 13:43:06 GMT
>                 Content-Type: text/html; charset=iso-8859-1
> 
>                         On 14.09.2017 at 12:00, Reindl Harald
>                         <h.reindl@thelounge.net> wrote:
> 
> 
> 
>                         On 10.08.2017 at 18:22, Reindl Harald wrote:
> 
>                                 If you want to experiment...
>                                 <VirtualHost IP:80 IP:443>
>                                 is already recognized
> 
>                             but with "SSLEngine On" and
>                             "SSLCertificateFile" configured, non-https would
>                             no longer work
> 
> 
>                         OK, figured it out
> 
>                         * you need the *first* vhost with "SSLEngine On"
>                         * others can have "SSLEngine optional" and
>                         listen to 80 and 443
> 
>                         but there is a bug:
>                         https://bz.apache.org/bugzilla/show_bug.cgi?id=61519
> 
>                         if the trailing slash is missing in the url the
>                         automatic redirect to the fully qualified
>                         folder-path points to http:// instead of https://
>                         and that does not happen within a vhost
>                         dedicated to :443 and "SSLEngine On"
> 
>                         i was trapped in an endless loop because the php
>                         script making a redirect to https:// had a bug
>                         and missed the trailing / too
> 
>                         <VirtualHost *:80 *:443>
>                         DocumentRoot "/www/contentlounge"
>                         ServerName contentlounge.rhsoft.net
>                         SSLEngine optional
>                         SSLCertificateFile "conf/ssl/rhsoft.net.pem"
>                         </VirtualHost>
> 
>                         [harry@srv-rhsoft:~]$ curl --head --insecure
>                         https://contentlounge/cms
>                         HTTP/1.1 301 Moved Permanently
>                         Date: Thu, 14 Sep 2017 09:40:27 GMT
>                         X-DNS-Prefetch-Control: off
>                         X-Content-Type-Options: nosniff
>                         X-Response-Time: D=1311 us
>                         Location: http://contentlounge/cms/
>                         Cache-Control: max-age=0
>                         Expires: Thu, 14 Sep 2017 09:40:27 GMT
>                         Content-Type: text/html; charset=iso-8859-1
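As an added example (not code from this thread, phpMyAdmin or httpd), a small PHP helper that decides the scheme from $_SERVER['HTTPS'] the way the ForceSSL workaround quoted above does, rather than from SERVER_PORT, and builds a trailing-slash redirect target so a script does not fall into the loop described; the function names and the sample environment are constructed for illustration.

```php
<?php
// Added example, not code from this thread, phpMyAdmin or httpd.
// Derives the request scheme from $_SERVER['HTTPS'] (as the ForceSSL
// workaround quoted above does) instead of SERVER_PORT, and builds the
// trailing-slash redirect target so that scheme and slash are both right.

function request_is_https(array $server): bool
{
    // mod_ssl sets HTTPS=on on TLS connections; an empty value or "off"
    // means plain HTTP. SERVER_PORT is deliberately not consulted because
    // the thread reports it as 80 on https connections with SSLEngine optional.
    $https = (string) ($server['HTTPS'] ?? '');
    return $https !== '' && strtolower($https) !== 'off';
}

function canonical_directory_url(array $server): string
{
    $scheme = request_is_https($server) ? 'https' : 'http';
    // SERVER_NAME comes from the vhost's ServerName (with UseCanonicalName On)
    // and is preferred over the client-supplied Host header for redirects.
    $host = $server['SERVER_NAME'] ?? $server['HTTP_HOST'] ?? 'localhost';
    // Path only, no query string, exactly one trailing slash.
    $path = parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    $path = rtrim($path, '/') . '/';
    return sprintf('%s://%s%s', $scheme, $host, $path);
}

function needs_redirect(array $server): bool
{
    // Redirect only when the requested path lacks the trailing slash;
    // redirecting to the URL that was already requested is what loops.
    $path = parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    return substr($path, -1) !== '/';
}

// Constructed sample environment mirroring the report: TLS connection,
// but SERVER_PORT wrongly says 80 and the request misses the trailing slash.
$sample = [
    'HTTPS'       => 'on',
    'SERVER_PORT' => '80',
    'SERVER_NAME' => 'contentlounge.rhsoft.net',
    'REQUEST_URI' => '/cms',
];

if (needs_redirect($sample)) {
    header('Location: ' . canonical_directory_url($sample), true, 301);
    exit;
}
```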

