httpd-users mailing list archives

From Justin Pasher <just...@newmediagateway.com>
Subject Re: [users@httpd] Question about SSL and Apache and a certificate error
Date Mon, 29 Sep 2008 22:43:50 GMT
Mike Soultanian wrote:
>
>
> Justin Pasher wrote:
>>
>> Actually, ignore everything I just said. All this time I thought that 
>> was what apache was doing, but it's actually occurring after the 
>> mismatched server name warning is presented. The rewrite rule will 
>> still catch the request and redirect them to https://www.csulb.edu, 
>> but not until after the warning has already been issued.
>>
> Heh, no worries ;)
>
> However, I think you might be able to help me solve a few of the 
> problem cases.  Here's what's going on.  I have a message forum 
> running at http://www.csulb.edu/itforums.  When you hit the site there 
> is an .htaccess directive that automatically redirects you to the 
> SSL version of the site:
>
> RewriteEngine on
> RewriteCond %{HTTPS} off
> RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
>
> This works great, except when someone types csulb.edu/itforums in 
> their browser.  They then get redirected to https://csulb.edu/itforums 
> and receive a certificate error.  I can't really fix the case of 
> someone typing https://csulb.edu/itforums (which will probably be 
> rare), but I can still take care of the other cases: having both 
> http://www.csulb.edu/itforums and http://csulb.edu/itforums forward to 
> https://www.csulb.edu/itforums.  I tried to do this but my rewrite 
> statements don't seem to work right:
>
> RewriteEngine on
> RewriteCond %{HTTPS} off
> RewriteCond %{HTTP_HOST} !www
> RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI}
>
> RewriteCond %{HTTPS} off
> RewriteCond %{HTTP_HOST} www
> RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
>
> Here are some test pages where I've applied the above directives:
>
> http://csulb.edu/projects/itforums/dev/ -> 
> https://www.csulb.edu/projects/itforums/dev/
> The above correctly updated the URL and is running SSL
>
> http://www.csulb.edu/projects/itforums/dev/ -> 
> http://www.csulb.edu/projects/itforums/dev/
> The above doesn't work correctly as it doesn't go SSL
>
> Notice the second case doesn't forward to https.  Any idea why?
>
> Thanks!
> Mike

Ahhh... Now it should actually be possible. If possible, I would 
(personally) try to push all traffic to www.csulb.edu whenever they try 
to pull csulb.edu. Whether or not this is possible in your situation, I 
do not know. Something like this in the VirtualHost config would do it.

RewriteCond %{HTTP_HOST} !^www\.csulb\.edu$ [NC]
RewriteRule ^/(.*)$ http://www.csulb.edu/$1 [R=permanent]

This would make sure that requests for any pages are always going 
through www.csulb.edu (as opposed to csulb.edu or any other ServerAlias 
setting).

Now, back to your specific situation (if it must remain the same 
format). For one, you'll want to anchor the check for HTTP_HOST to the 
beginning of the string (just to avoid matching something unexpected if 
other subdomains ever point to the site). I have also never tried a 
rewrite rule that changes from http to https without forcing an actual 
redirect (as opposed to an internal rewrite). I would think Apache is 
forced to perform a redirect when switching protocols, otherwise the 
browser would probably get confused (and I'm not sure you could even 
make SSL work like that). Adding the [R] flag will force the redirect, 
but it might not be necessary.

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [R=permanent]

RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^www\.
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent]

FWIW, I tried visiting the test pages you mentioned above, and both of 
them actually pushed me to https. Have you cleared your cache to make 
sure the browser isn't trying to do something weird by caching the 
previous response it received?


-- 
Justin Pasher

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
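
A single-rule variant of the redirects discussed in the message above, as an added example that is not part of the original thread. It assumes .htaccess (per-directory) context, that www.csulb.edu is the canonical name, and that the certificate is issued for that name.

```apache
# Added example (not from the thread): canonicalize scheme and host
# in one external redirect.
RewriteEngine On

# Fire when the request arrived over plain HTTP, OR when the Host
# header is anything other than the canonical name.
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\.csulb\.edu$ [NC]

# The target host is a literal rather than %{HTTP_HOST}: the Host
# header is supplied by the client, so echoing it into the Location
# header lets the request choose where the redirect points.
# [R=301] forces an external redirect; [L] stops further rule
# processing for this request. The query string is carried over
# automatically because the substitution contains no "?".
RewriteRule ^ https://www.csulb.edu%{REQUEST_URI} [R=301,L]

# Resulting behaviour:
#   http://csulb.edu/itforums       -> https://www.csulb.edu/itforums
#   http://www.csulb.edu/itforums   -> https://www.csulb.edu/itforums
#   https://www.csulb.edu/itforums  -> served as-is (no redirect loop)
#   https://csulb.edu/itforums      -> redirected too, but only after
#       the TLS handshake, so the name-mismatch warning is shown
#       first. Only a certificate that also covers csulb.edu removes
#       that warning.
```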

