httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: Listen 443 https (SSLEngine Optional - dual host)
Date Sun, 17 Sep 2017 09:29:00 GMT
Come on, let's keep technical once again. Personal grudges ended!

On Sun, Sep 17, 2017 at 3:20 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
>
>
> On 17.09.2017 at 03:07, Nick Edwards wrote:
>>
>> phpmyadmin 4.4.15  is YEARS old
>
>
> and how does that change the fact that
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61519#c1 "SERVER_PORT 80" in
> case of a https-connection is plain wrong?
>
>> we've been using 4.7 for nearly a year, 4.7.2 is current
>
>
> nice for you when you don't have to support older PHP (sync the package to a
> RHEL 7 host with PHP 5.4 - my whole own software is PHP 7.1 only with
> strict-types but that's not related to the topic at all)
>
>> this from a troll who verbally abuses the hell out of people on other
>> lists for posting similar comments using very outdated software. HAH, this
>> one's in google for life.
>
>
> the only troll in this thread is you and nobody asked you, just because i
> have never seen anything useful on any list since you only post if you face
> something from me and otherwise you are a silent lurker everywhere!
>
>> On Sun, Sep 17, 2017 at 10:24 AM, Reindl Harald <h.reindl@thelounge.net
>> <mailto:h.reindl@thelounge.net>> wrote:
>>
>>
>>     that's even worse - phpMyAdmin 4.4.15.10 seems to handle
>>     something wrong because $_SERVER['SERVER_PORT'] is wrong - and i had
>>     myself some bad code using that var instead of $_SERVER['HTTPS']
>>     which again led into an endless loop
>>
>>     in case of phpMyAdmin it redirects to https://hostname:80/path/
>>     after entering username/password - the workaround below in the config
>>     file seems to solve that for now, but all in all that leaves a very
>>     bad taste
>>
>>     if(empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
>>     {
>>       $cfg['ForceSSL'] = false;
>>     }
>>     else
>>     {
>>       $cfg['ForceSSL'] = true;
>>     }
>>
>>
>>     On 14.09.2017 at 18:16, Reindl Harald wrote:
>>
>>         On 14.09.2017 at 16:08, Stefan Eissing wrote:
>>
>>             Ok, as I read the code a bit more, there is a tangle of
>>             things that can influence port/scheme selection. But from what I
>>             can see, the version in *trunk* should do the right thing *iff*
>>
>>             a) you use "SSLEngine *:443" instead of "Optional"
>>             b) you use "ServerName xxx.yyy" *without* a port name
>>
>>             then a
>>             <VirtualHost *:80 *:443>
>>                 ServerName xxx.yyy
>>                 SSLEngine *:443
>>                  ...
>>             </VirtualHost>
>>
>>             should do the right thing here. Internal methods used to
>>             generate Redirect Location headers, namely
>>             ap_construct_url()
>>             ap_get_server_port()
>>             ap_http_scheme()
>>             should give back the correct values for each connection and
>>             also fill the Env Variables with the correct values.
>>
>>
>>         what does "trunk" mean here?
>>         a future 2.5/2.6/3.0 or a 2.4.x in the near future?
>>
>>         within 2 weeks you need TLS on each and every host since Chrome
>>         starts to warn about every page with a form tag and no TLS
>>
>>         [root@srv-rhsoft:~]$ apachectl -t
>>         AH00526: Syntax error on line 29 of
>>         /etc/httpd/conf/sites_enabled/contentlounge.conf:
>>         Argument must be On, Off, or Optional
>>
>>                 On 14.09.2017 at 15:46, Reindl Harald
>>                 <h.reindl@thelounge.net <mailto:h.reindl@thelounge.net>> wrote:
>>
>>
>>
>>                 On 14.09.2017 at 15:40, Stefan Eissing wrote:
>>
>>                     Harald,
>>                     could you check if a configuration like:
>>                         UseCanonicalPhysicalPort on
>>                     in the server or vhost mitigates the problem?
>>
>>
>>                 it makes it even more terrible and the resulting http://
>>                 protocol instead of https:// on port 443 here even triggers
>>                 mod_security
>>
>>                 even if it would mitigate that issue - having ports in
>>                 redirect urls easily leads to a lot of other problems
>>                 when proxy-servers are part of the game
>>
>>                 [harry@srv-rhsoft:/mnt/data/downloads]$ curl --head
>>                 --insecure https://contentlounge/cms
>>                 HTTP/1.1 301 Moved Permanently
>>                 Date: Thu, 14 Sep 2017 13:43:06 GMT
>>                 X-DNS-Prefetch-Control: off
>>                 X-Content-Type-Options: nosniff
>>                 X-Response-Time: D=1561 us
>>                 Location: http://contentlounge:443/cms/
>>                 Cache-Control: max-age=0
>>                 Expires: Thu, 14 Sep 2017 13:43:06 GMT
>>                 Content-Type: text/html; charset=iso-8859-1
>>
>>                         On 14.09.2017 at 12:00, Reindl Harald
>>                         <h.reindl@thelounge.net
>>                         <mailto:h.reindl@thelounge.net>> wrote:
>>
>>
>>
>>
>>                         On 10.08.2017 at 18:22, Reindl Harald wrote:
>>
>>                                 If you want to experiment...
>>                                 <VirtualHost IP:80 IP:443>
>>                                 is already recognized
>>
>>                             but with "SSLEngine On" and
>>                             "SSLCertificateFile" configured non-https no
>>                             longer would work
>>
>>
>>                         OK, figured it out
>>
>>                         * you need the *first* vhost with "SSLEngine On"
>>                         * others can have "SSLEngine optional" and
>>                         listen to 80 and 443
>>
>>                         but there is a bug:
>>
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=61519
>>
>> <https://bz.apache.org/bugzilla/show_bug.cgi?id=61519>
>>
>>                         if the trailing slash is missing in the url the
>>                         automatic redirect to the fully qualified
>>                         folder-path points to http:// instead of https://
>>                         and that does not happen within a vhost
>>                         dedicated to :443 and "SSLEngine On"
>>
>>                         i was trapped in an endless loop because the php
>>                         script making a redirect to https:// had a bug
>>                         and missed the trailing / too
>>
>>                         <VirtualHost *:80 *:443>
>>                         DocumentRoot "/www/contentlounge"
>>                         ServerName contentlounge.rhsoft.net
>>                         <http://contentlounge.rhsoft.net>
>>                         SSLEngine optional
>>                         SSLCertificateFile "conf/ssl/rhsoft.net.pem"
>>                         </VirtualHost>
>>
>>                         [harry@srv-rhsoft:~]$ curl --head --insecure
>>                         https://contentlounge/cms
>>                         HTTP/1.1 301 Moved Permanently
>>                         Date: Thu, 14 Sep 2017 09:40:27 GMT
>>                         X-DNS-Prefetch-Control: off
>>                         X-Content-Type-Options: nosniff
>>                         X-Response-Time: D=1311 us
>>                         Location: http://contentlounge/cms/
>>                         Cache-Control: max-age=0
>>                         Expires: Thu, 14 Sep 2017 09:40:27 GMT
>>                         Content-Type: text/html; charset=iso-8859-1
>
>
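The two `curl --head` captures quoted above show the signature of the bug: a request over https: answered with a `Location:` that either drops to http:// or carries an explicit `:443` on a plain http:// URL. The following script is an added example (not code from this thread, httpd or phpMyAdmin) that parses a raw response head and flags exactly those inconsistencies, so a dual-port vhost can be regression-tested after changing `SSLEngine`/`ServerName`. The embedded responses are constructed copies of the quoted captures; the hostname `contentlounge` and the `/cms` path come from the thread and are used only as sample data.

```python
from urllib.parse import urlsplit

# Constructed sample data: trimmed copies of the "curl --head" output quoted
# in the thread, not live responses.
RESPONSE_HTTP_WITH_PORT = """HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Sep 2017 13:43:06 GMT
X-Content-Type-Options: nosniff
Location: http://contentlounge:443/cms/
Cache-Control: max-age=0
"""
RESPONSE_SCHEME_DOWNGRADE = """HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Sep 2017 09:40:27 GMT
Location: http://contentlounge/cms/
"""
# What a correct redirect from the same vhost should look like (constructed).
RESPONSE_CONSISTENT = """HTTP/1.1 301 Moved Permanently
Location: https://contentlounge/cms/
"""

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_head(raw):
    """Split a raw HTTP response head into (status code, {lower-cased header: value})."""
    lines = [line for line in raw.strip().splitlines() if line.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(request_url, raw_response):
    """Return the list of scheme/port inconsistencies between the request URL
    and the redirect target; an empty list means the redirect is consistent."""
    status, headers = parse_head(raw_response)
    if status not in REDIRECT_STATUSES:
        return []  # nothing to compare on a non-redirect
    location = headers.get("location")
    if location is None:
        return ["redirect status without a Location header"]

    req, loc = urlsplit(request_url), urlsplit(location)
    if loc.scheme == "":
        return []  # relative Location keeps the request's scheme and port

    problems = []
    req_port = req.port or DEFAULT_PORTS[req.scheme]
    loc_port = loc.port or DEFAULT_PORTS[loc.scheme]
    # Same host: the scheme and effective port should survive the redirect.
    if loc.hostname == req.hostname:
        if loc.scheme != req.scheme:
            problems.append(f"scheme changed {req.scheme} -> {loc.scheme}")
        if loc_port != req_port:
            problems.append(f"port changed {req_port} -> {loc_port}")
    # The ":443 on http://" pattern is wrong regardless of the request URL.
    if loc.scheme == "http" and loc.port == 443:
        problems.append("http:// with explicit port 443 (TLS port, plain scheme)")
    return problems


if __name__ == "__main__":
    for label, raw in [("explicit :443", RESPONSE_HTTP_WITH_PORT),
                       ("scheme downgrade", RESPONSE_SCHEME_DOWNGRADE),
                       ("consistent", RESPONSE_CONSISTENT)]:
        print(label, "->", check_redirect("https://contentlounge/cms", raw) or "ok")
```

To run it against a live server, feed `check_redirect()` the output of `curl --head --insecure https://host/path`; a non-empty result on an https: request is the condition the thread describes (and the one that made the quoted PHP `ForceSSL` loop possible).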
