httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: Listen 443 https (SSLEngine Optional - dual host)
Date Sun, 17 Sep 2017 00:24:13 GMT

that's even worse - phpMyAdmin 4.4.15.10 seems to handle something 
wrong because $_SERVER['SERVER_PORT'] is wrong - and i had myself some 
bad code using that var instead of $_SERVER['HTTPS'] which again led 
to an endless loop

in case of phpMyAdmin it redirects to https://hostname:80/path/ after 
entering username/password - the workaround below in the config file seems 
to solve that for now, but all in all that leaves a very bad taste

// phpMyAdmin config file: derive ForceSSL from the HTTPS env var that
// mod_ssl sets on TLS connections, not from SERVER_PORT (wrong here)
if(empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
{
  $cfg['ForceSSL'] = false;   // plain http request: do not force a redirect
}
else
{
  $cfg['ForceSSL'] = true;    // already on TLS
}


Am 14.09.2017 um 18:16 schrieb Reindl Harald:
> Am 14.09.2017 um 16:08 schrieb Stefan Eissing:
>> Ok, as I read the code a bit more, there is a tangle of things that 
>> can influence port/scheme selection. But what I can see, the version 
>> in *trunk* should do the right thing *iff*
>>
>> a) you use "SSLEngine *:443" instead of "Optional"
>> b) you use "ServerName xxx.yyy" *without* a port name
>>
>> the a
>> <VirtualHost *:80 *:443>
>>    ServerName xxx.yyy
>>    SSLEngine *:443
>>     ...
>> </VirtualHost>
>>
>> should do the right thing here. Internal methods used to generate 
>> Redirect Location headers, namely
>> ap_construct_url()
>> ap_get_server_port()
>> ap_http_scheme()
>> should give back the correct values for each connection and also fill 
>> the Env Variables with the correct values.
> 
> what does "trunk" mean here?
> a future 2.5/2.6/3.0 or a 2.4.x in the near future?
> 
> within 2 weeks you need TLS on each and every host since Chrome starts 
> to warn about every page with a form tag and no TLS
> 
> [root@srv-rhsoft:~]$ apachectl -t
> AH00526: Syntax error on line 29 of 
> /etc/httpd/conf/sites_enabled/contentlounge.conf:
> Argument must be On, Off, or Optional
>>> Am 14.09.2017 um 15:46 schrieb Reindl Harald <h.reindl@thelounge.net>:
>>>
>>>
>>>
>>> Am 14.09.2017 um 15:40 schrieb Stefan Eissing:
>>>> Harald,
>>>> could you check if a configuration like:
>>>>    UseCanonicalPhysicalPort on
>>>> in the server or vhost mitigates the problem?
>>>
>>> it makes it even more terrible and the resulting http:// protocol 
>>> instead of https:// on port 443 here even triggers mod_security
>>>
>>> even if it would mitigate that issue - having ports in redirect urls 
>>> easily leads to a lot of other problems when proxy-servers are part 
>>> of the game
>>>
>>> [harry@srv-rhsoft:/mnt/data/downloads]$ curl --head --insecure 
>>> https://contentlounge/cms
>>> HTTP/1.1 301 Moved Permanently
>>> Date: Thu, 14 Sep 2017 13:43:06 GMT
>>> X-DNS-Prefetch-Control: off
>>> X-Content-Type-Options: nosniff
>>> X-Response-Time: D=1561 us
>>> Location: http://contentlounge:443/cms/
>>> Cache-Control: max-age=0
>>> Expires: Thu, 14 Sep 2017 13:43:06 GMT
>>> Content-Type: text/html; charset=iso-8859-1
>>>
>>>>> Am 14.09.2017 um 12:00 schrieb Reindl Harald <h.reindl@thelounge.net>:
>>>>>
>>>>>
>>>>>
>>>>> Am 10.08.2017 um 18:22 schrieb Reindl Harald:
>>>>>>> If you want to experiment...
>>>>>>> <VirtualHost IP:80 IP:443>
>>>>>>> is already recognized
>>>>>> but with "SSLEngine On" and "SSLCertificateFile" configured 
>>>>>> non-https no longer would work
>>>>>
>>>>> OK, figured it out
>>>>>
>>>>> * you need the *first* vhost with "SSLEngine On"
>>>>> * others can have "SSLEngine optional" and listen to 80 and 443
>>>>>
>>>>> but there is a bug: 
>>>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=61519
>>>>>
>>>>> if the trailing slash is missing in the url the automatic redirect 
>>>>> to the fully qualified folder-path points to http:// instead of 
>>>>> https:// and that does not happen within a vhost dedicated to :443 
>>>>> and "SSLEngine On"
>>>>>
>>>>> i was trapped in an endless loop because the php script making a 
>>>>> redirect to https:// had a bug and missed the trailing / too
>>>>>
>>>>> <VirtualHost *:80 *:443>
>>>>> DocumentRoot "/www/contentlounge"
>>>>> ServerName contentlounge.rhsoft.net
>>>>> SSLEngine optional
>>>>> SSLCertificateFile "conf/ssl/rhsoft.net.pem"
>>>>> </VirtualHost>
>>>>>
>>>>> [harry@srv-rhsoft:~]$ curl --head --insecure https://contentlounge/cms
>>>>> HTTP/1.1 301 Moved Permanently
>>>>> Date: Thu, 14 Sep 2017 09:40:27 GMT
>>>>> X-DNS-Prefetch-Control: off
>>>>> X-Content-Type-Options: nosniff
>>>>> X-Response-Time: D=1311 us
>>>>> Location: http://contentlounge/cms/
>>>>> Cache-Control: max-age=0
>>>>> Expires: Thu, 14 Sep 2017 09:40:27 GMT
>>>>> Content-Type: text/html; charset=iso-8859-1
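
As an added example (not code from this thread, from httpd or from phpMyAdmin): a small Python checker for the two failure modes discussed above. `redirect_problems()` parses `curl --head` style output and flags a Location header that downgrades an https request to http or carries a port that does not match its scheme (the `http://contentlounge:443/cms/` and `http://contentlounge/cms/` cases quoted in the thread). `is_https_request()` mirrors the scheme detection of the phpMyAdmin workaround (trust the HTTPS env var), beside the SERVER_PORT heuristic it replaces. The response texts and the env dicts are constructed; the assumption that `SERVER_PORT` reads `80` on a TLS connection to the dual-port vhost follows the thread's description of the phpMyAdmin redirect to port 80 and is not verified against httpd itself.

```python
"""Added example: check redirect Location headers and request-scheme
detection for a dual-port (*:80 *:443, SSLEngine optional) vhost.
Not code from the thread, httpd or phpMyAdmin; all inputs are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def is_https_request(env):
    """Scheme detection the phpMyAdmin workaround relies on: trust the HTTPS
    env var set by mod_ssl on TLS connections rather than SERVER_PORT."""
    https = env.get("HTTPS", "")
    return https != "" and https.lower() != "off"


def is_https_by_port(env):
    """The heuristic the poster replaced: infer TLS from SERVER_PORT. It fails
    whenever SERVER_PORT does not reflect the real socket the client used."""
    return env.get("SERVER_PORT") == "443"


def parse_head(raw):
    """Parse `curl --head` output into (status_code, {lowercased header: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return status, headers


def redirect_problems(request_url, raw_head):
    """List problems with the Location header of a redirect answered to
    request_url: scheme downgrade, a port that contradicts the scheme, or a
    host change. Empty list means the redirect is consistent."""
    status, headers = parse_head(raw_head)
    if status not in (301, 302, 303, 307, 308) or "location" not in headers:
        return []
    req = urlsplit(request_url)
    loc = urlsplit(headers["location"])
    problems = []
    if req.scheme == "https" and loc.scheme == "http":
        problems.append("scheme downgrade: https request redirected to http")
    if loc.port is not None and DEFAULT_PORTS.get(loc.scheme) != loc.port:
        problems.append(f"port {loc.port} does not match scheme {loc.scheme}")
    if loc.hostname != req.hostname:
        problems.append(f"host changed from {req.hostname} to {loc.hostname}")
    return problems


# Constructed samples modelled on the two broken responses quoted in the
# thread, plus what a consistent response to https://contentlounge/cms looks like.
BROKEN_WITH_PORT = """HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Sep 2017 13:43:06 GMT
Location: http://contentlounge:443/cms/
Content-Type: text/html; charset=iso-8859-1
"""
BROKEN_NO_PORT = """HTTP/1.1 301 Moved Permanently
Location: http://contentlounge/cms/
"""
CONSISTENT = """HTTP/1.1 301 Moved Permanently
Location: https://contentlounge/cms/
"""

# Constructed env dicts. TLS_ON_DUAL_VHOST assumes mod_ssl sets HTTPS=on while
# httpd reports SERVER_PORT=80 on the dual-port vhost, as the thread describes.
TLS_ON_DUAL_VHOST = {"HTTPS": "on", "SERVER_PORT": "80"}
PLAIN_HTTP = {"SERVER_PORT": "80"}

if __name__ == "__main__":
    for raw in (BROKEN_WITH_PORT, BROKEN_NO_PORT, CONSISTENT):
        print(redirect_problems("https://contentlounge/cms", raw))
    print("HTTPS env:", is_https_request(TLS_ON_DUAL_VHOST),
          "SERVER_PORT:", is_https_by_port(TLS_ON_DUAL_VHOST))
```

Run it against real output by piping `curl --head --insecure https://host/path` into `redirect_problems()` for each vhost after changing `SSLEngine` or `UseCanonicalPhysicalPort`; a non-empty list for an https request is exactly the condition that produced the loop and the mod_security hit described above.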
