From: Yann Ylavic
Date: Sun, 17 Sep 2017 11:29:00 +0200
Subject: Re: Listen 443 https (SSLEngine Optional - dual host)
To: httpd-dev

Come on, let's keep technical once again. Personal grudges ended!

On Sun, Sep 17, 2017 at 3:20 AM, Reindl Harald wrote:
>
> On 17.09.2017 at 03:07, Nick Edwards wrote:
>>
>> phpmyadmin 4.4.15 is YEARS old
>
> and how does that change the fact that
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61519#c1 "SERVER_PORT 80" in
> case of an https connection is plain wrong?
>
>> we're using 4.7 for nearly a year, 4.7.2 is current
>
> nice for you when you don't have to support older PHP (sync the package to a
> RHEL 7 host with PHP 5.4 - my whole own software is PHP 7.1 only with
> strict-types but that's not related to the topic at all)
>
>> this from a troll who verbally abuses the hell out of people on other
>> lists for posting similar comments using very outdated software HAH, this
>> one's in google for life.
>
> the only troll in this thread is you and nobody asked you, just because i
> have never seen anything useful on any list since you only post if you face
> something from me and otherwise you are a silent lurker everywhere!
>
>> On Sun, Sep 17, 2017 at 10:24 AM, Reindl Harald wrote:
>>
>> that's even worse - phpMyAdmin 4.4.15.10 seems to handle
>> something wrong because $_SERVER['SERVER_PORT'] is wrong - and i had
>> myself some bad code using that var instead of $_SERVER['HTTPS']
>> which again led to an endless loop
>>
>> in case of phpMyAdmin it redirects to https://hostname:80/path/
>> after entering username/password - the workaround below in the config
>> file seems to solve that for now, but all in all that leaves a very
>> bad taste
>>
>>     // derive ForceSSL from the HTTPS env var instead of SERVER_PORT
>>     if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
>>         $cfg['ForceSSL'] = false;
>>     } else {
>>         $cfg['ForceSSL'] = true;
>>     }
>>
>> On 14.09.2017 at 18:16, Reindl Harald wrote:
>>
>> On 14.09.2017 at 16:08, Stefan Eissing wrote:
>>
>> Ok, as I read the code a bit more, there is a tangle of
>> things that can influence port/scheme selection. But what I
>> can see, the version in *trunk* should do the right thing
>> *iff*
>>
>> a) you use "SSLEngine *:443" instead of "Optional"
>> b) you use "ServerName xxx.yyy" *without* a port name
>>
>> the a
>>
>>     ServerName xxx.yyy
>>     SSLEngine *:443
>>     ...
>>
>> should do the right thing here. Internal methods used to
>> generate Redirect Location headers, namely
>>     ap_construct_url()
>>     ap_get_server_port()
>>     ap_http_scheme()
>> should give back the correct values for each connection and
>> also fill the Env Variables with the correct values.
>>
>> what does "trunk" mean here?
>> a future 2.5/2.6/3.0 or a 2.4.x in the near future?
>>
>> within 2 weeks you need TLS on each and every host since Chrome
>> starts to warn about every page with a form tag and no TLS
>>
>>     [root@srv-rhsoft:~]$ apachectl -t
>>     AH00526: Syntax error on line 29 of
>>     /etc/httpd/conf/sites_enabled/contentlounge.conf:
>>     Argument must be On, Off, or Optional
>>
>> On 14.09.2017 at 15:46, Reindl Harald wrote:
>>
>> On 14.09.2017 at 15:40, Stefan Eissing wrote:
>>
>> Harald,
>> could you check if a configuration like:
>>     UseCanonicalPhysicalPort on
>> in the server or vhost mitigates the problem?
>>
>> it makes it even more terrible and the resulting http://
>> protocol instead of https:// on port 443 here even triggers
>> mod_security
>>
>> even if it would mitigate that issue - having ports in
>> redirect urls easily leads to a lot of other problems
>> when proxy-servers are part of the game
>>
>>     [harry@srv-rhsoft:/mnt/data/downloads]$ curl --head --insecure https://contentlounge/cms
>>     HTTP/1.1 301 Moved Permanently
>>     Date: Thu, 14 Sep 2017 13:43:06 GMT
>>     X-DNS-Prefetch-Control: off
>>     X-Content-Type-Options: nosniff
>>     X-Response-Time: D=1561 us
>>     Location: http://contentlounge:443/cms/
>>     Cache-Control: max-age=0
>>     Expires: Thu, 14 Sep 2017 13:43:06 GMT
>>     Content-Type: text/html; charset=iso-8859-1
>>
>> On 14.09.2017 at 12:00, Reindl Harald wrote:
>>
>> On 10.08.2017 at 18:22, Reindl Harald wrote:
>>
>> If you want to experiment...
>>
>> is already recognized
>>
>> but with "SSLEngine On" and
>> "SSLCertificateFile" configured non-https no
>> longer would work
>>
>> OK, figured it out
>>
>> * you need the *first* vhost with "SSLEngine On"
>> * others can have "SSLEngine optional" and
>>   listen to 80 and 443
>>
>> but there is a bug:
>>
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=61519
>>
>> if the trailing slash is missing in the url the
>> automatic redirect to the fully qualified
>> folder-path points to http:// instead of https://
>> and that does not happen within a vhost
>> dedicated to :443 and "SSLEngine On"
>>
>> i was trapped in an endless loop because the php
>> script making a redirect to https:// had a bug
>> and missed the trailing / too
>>
>>     DocumentRoot "/www/contentlounge"
>>     ServerName contentlounge.rhsoft.net
>>
>>     SSLEngine optional
>>     SSLCertificateFile "conf/ssl/rhsoft.net.pem"
>>
>>     [harry@srv-rhsoft:~]$ curl --head --insecure https://contentlounge/cms
>>     HTTP/1.1 301 Moved Permanently
>>     Date: Thu, 14 Sep 2017 09:40:27 GMT
>>     X-DNS-Prefetch-Control: off
>>     X-Content-Type-Options: nosniff
>>     X-Response-Time: D=1311 us
>>     Location: http://contentlounge/cms/
>>     Cache-Control: max-age=0
>>     Expires: Thu, 14 Sep 2017 09:40:27 GMT
>>     Content-Type: text/html; charset=iso-8859-1
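The two broken redirects quoted in the thread (an https request answered with "Location: http://contentlounge:443/cms/" or "Location: http://contentlounge/cms/") and the phpMyAdmin case (a redirect to https://hostname:80/path/) are all the same class of fault: the scheme or port in the Location header contradicts the connection the client actually used. The following is an added example, not code from this thread or from httpd, that checks captured HEAD responses for exactly that. The two contentlounge responses are copied from the posts above; the phpMyAdmin-style response and the "good" response are constructed, and "hostname" and "/path/" are placeholders from the thread, not real hosts.

```python
"""Flag redirects whose Location scheme/port contradicts the request.

Added example (not part of the thread or of httpd). Given the URL that was
requested and the raw headers of the response, report:
  "downgrade"            client used https, Location sends it to http
  "scheme-port-mismatch" Location carries an explicit port that belongs to the
                         other scheme (http://...:443/ or https://...:80/)
  "port-changed"         same host, but the effective port differs from the
                         port the client connected to
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Port that signals the *other* scheme was intended.
CONTRADICTING_PORT = {"http": 443, "https": 80}

# Copied from the thread: first response (UseCanonicalPhysicalPort on).
RESPONSE_PORT_IN_URL = """HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Sep 2017 13:43:06 GMT
X-Content-Type-Options: nosniff
Location: http://contentlounge:443/cms/
Content-Type: text/html; charset=iso-8859-1
"""

# Copied from the thread: second response (SSLEngine optional vhost).
RESPONSE_PLAIN_HTTP = """HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Sep 2017 09:40:27 GMT
X-Content-Type-Options: nosniff
Location: http://contentlounge/cms/
Content-Type: text/html; charset=iso-8859-1
"""

# Constructed to mirror the phpMyAdmin case described in the thread
# (redirect to https://hostname:80/path/); hostname/path are placeholders.
RESPONSE_PMA_STYLE = """HTTP/1.1 302 Found
Location: https://hostname:80/path/
"""

# Constructed: what a correct trailing-slash redirect should look like.
RESPONSE_GOOD = """HTTP/1.1 301 Moved Permanently
Location: https://contentlounge/cms/
"""


def parse_head_response(raw):
    """Split 'curl --head' style output into (status line, lowercase header dict)."""
    lines = [ln.rstrip("\r") for ln in raw.strip().splitlines()]
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(requested_url, raw_response):
    """Return a list of finding codes; an empty list means the redirect is consistent."""
    status, headers = parse_head_response(raw_response)
    code = status.split()[1] if len(status.split()) > 1 else ""
    if not code.startswith("3") or "location" not in headers:
        return []  # not a redirect: nothing to compare
    req = urlsplit(requested_url)
    loc = urlsplit(headers["location"])
    req_port = req.port or DEFAULT_PORTS.get(req.scheme)
    loc_port = loc.port or DEFAULT_PORTS.get(loc.scheme)
    findings = []
    if req.scheme == "https" and loc.scheme == "http":
        findings.append("downgrade")
    if loc.port is not None and loc.port == CONTRADICTING_PORT.get(loc.scheme):
        findings.append("scheme-port-mismatch")
    if loc.hostname == req.hostname and loc_port != req_port:
        findings.append("port-changed")
    return findings


def main():
    cases = [
        ("https://contentlounge/cms", RESPONSE_PORT_IN_URL),
        ("https://contentlounge/cms", RESPONSE_PLAIN_HTTP),
        ("https://hostname/path", RESPONSE_PMA_STYLE),
        ("https://contentlounge/cms", RESPONSE_GOOD),
    ]
    for url, raw in cases:
        _, headers = parse_head_response(raw)
        print(f"{url} -> {headers.get('location')}: {check_redirect(url, raw) or ['ok']}")


if __name__ == "__main__":
    main()
```

Run against live output by piping `curl --head --insecure https://host/path` into a file and calling check_redirect() with the same URL; any non-empty result is a sign that ap_get_server_port()/ap_http_scheme() resolved the wrong scheme or port for that connection, or that an application is deriving the scheme from SERVER_PORT instead of the HTTPS variable, as the thread describes.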