httpd-users mailing list archives

From YUSUI T <yusui.tomik...@gmail.com>
Subject Re: [users@httpd] Redirection via HTTPS
Date Mon, 09 Feb 2015 14:53:30 GMT
2015-02-09 16:31 GMT+09:00 Daniel <dferradal@gmail.com>:
>
>
> 2015-02-08 21:15 GMT+01:00 Yann Ylavic <ylavic.dev@gmail.com>:
>>
>> On Sun, Feb 8, 2015 at 9:03 PM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
>> > On Sun, Feb 8, 2015 at 7:36 AM, YUSUI T <yusui.tomikawa@gmail.com>
>> > wrote:
>> >>
>> >> root@hostname:~# tail -n 6 /etc/apache2/mods-available/ssl.conf
>> >> <VirtualHost *:443>
>> >>         ServerName www.mydomain.com
>> >>         Redirect / https://www.mydomain.com/
>> >> </VirtualHost>
>> >
>> > You probably want to redirect to https when the request is plain http,
>> > hence :
>> >   <VirtualHost *:80>
>> > above.
>>
>> Sorry, I completely misread your issue, please ignore this.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
> This is the list of virtualhosts you need. It could be reduced, but for
> educational purposes here is how all virtualhosts should look to represent
> your scenario more or less as I have understood you were asking. As you will
> see there is no need for mod_rewrite at all for this case.
>
> I assumed you want to redirect port 80 to SSL too, if not, ignore the first
> non-ssl virtualhost examples.
>
> ###
> # domain.com port 80 redirects to SSL www.domain.com
> <VirtualHost *:80>
> ServerName domain.com
> DocumentRoot /path/to/docroot
> Redirect / https://www.domain.com/
> </VirtualHost>
>
> ###
> # www.domain.com port 80 redirects to SSL www.domain.com
> <VirtualHost *:80>
> ServerName www.domain.com
> DocumentRoot /path/to/docroot
> Redirect / https://www.domain.com/
> </VirtualHost>
>
> ###
> # domain.com port 443 SSL redirects to SSL www.domain.com
> <VirtualHost *:443>
> ServerName domain.com
> DocumentRoot /path/to/docroot
> SSLEngine on
> SSLCertificateKeyFile /my/path/to/domain.com.key
> SSLCertficicateFile /my/path/do/domain.com.crt
> Redirect / https://www.domain.com/
> </VirtualHost>
>
> ####
> # www.domain.com port 443 SSL
> <VirtualHost *:443>
> ServerName www.domain.com
> DocumentRoot /path/to/docroot
> SSLEngine on
> SSLCertificateKeyFile /my/path/to/www.domain.com.key
> SSLCertificateFile /my/path/do/www.domain.com.crt
>
> ###
> # And your actual configuration from here on
> </VirtualHost>
>
>
> Hope this helps

Thank you for the great list of virtualhosts.
What I want to do is 2 things:
1st: redirect from http://mydomain.com(:80) to http://www.mydomain.com(:80)
2nd: redirect from https://mydomain.com(:443) to https://www.mydomain.com(:443)

Your list is a great help for me.
I exchanged redirect for rewrite in
/etc/apache2/sites-available/000-default.conf.
But my Google Chrome showed an error, "ERR_TOO_MANY_REDIRECTS".
Additionally, it shows another error when I added "# mydomain.com port
443 SSL redirects to SSL www.mydomain.com" to
/etc/apache2/mods-available/ssl.conf and restarted apache.

root@hostname:~# service apache2 restart
 * Restarting web server apache2                                         [fail]
 * The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 95 of /etc/apache2/mods-enabled/ssl.conf:
Invalid command 'SSLCertficicateFile', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.
root@hostname:~#

My configurations already have some <VirtualHost>. And I am not sure
where I should add that list...

The following are my /etc/apache2/sites-available/000-default.conf
and /etc/apache2/mods-available/ssl.conf.

root@hostname:~# cat /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin contact@mydomain.com
        DocumentRoot /var/www/html

# mydomain.com port 80 redirects to www.mydomain.com port 80
Redirect / http://www.mydomain.com/

        <Directory "/var/www/html">
            AllowOverride All
            Options +ExecCGI
            Require all granted
        </Directory>

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
root@hostname:~#
------------------------------------------------------
root@hostname:~# cat /etc/apache2/mods-available/ssl.conf
<IfModule mod_ssl.c>

        # Pseudo Random Number Generator (PRNG):
        # Configure one or more sources to seed the PRNG of the SSL library.
        # The seed data should be of good random quality.
        # WARNING! On some platforms /dev/random blocks if not enough entropy
        # is available. This means you then cannot use the /dev/random device
        # because it would lead to very long connection times (as long as
        # it requires to make more entropy available). But usually those
        # platforms additionally provide a /dev/urandom device which doesn't
        # block. So, if available, use this one instead. Read the mod_ssl User
        # Manual for more details.
        #
        SSLRandomSeed startup builtin
        SSLRandomSeed startup file:/dev/urandom 512
        SSLRandomSeed connect builtin
        SSLRandomSeed connect file:/dev/urandom 512

        ##
        ##  SSL Global Context
        ##
        ##  All SSL configuration in this context applies both to
        ##  the main server and all SSL-enabled virtual hosts.
        ##

        #
        #   Some MIME-types for downloading Certificates and CRLs
        #
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl .crl

        #   Pass Phrase Dialog:
        #   Configure the pass phrase gathering process.
        #   The filtering dialog program (`builtin' is a internal
        #   terminal dialog) has to provide the pass phrase on stdout.
        SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase

        #   Inter-Process Session Cache:
        #   Configure the SSL Session Cache: First the mechanism
        #   to use and second the expiring timeout (in seconds).
        #   (The mechanism dbm has known memory leaks and should not be used).
        #SSLSessionCache                 dbm:${APACHE_RUN_DIR}/ssl_scache
        SSLSessionCache         shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
        SSLSessionCacheTimeout  300

        #   Semaphore:
        #   Configure the path to the mutual exclusion semaphore the
        #   SSL engine uses internally for inter-process synchronization.
        #   (Disabled by default, the global Mutex directive consolidates by default
        #   this)
        #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache


        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate. See the
        #   ciphers(1) man page from the openssl package for list of all available
        #   options.
        #   Enable only secure ciphers:
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

        #   Speed-optimized SSL Cipher configuration:
        #   If speed is your main concern (on busy HTTPS servers e.g.),
        #   you might want to force clients to specific, performance
        #   optimized ciphers. In this case, prepend those ciphers
        #   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
        #   Caveat: by giving precedence to RC4-SHA and AES128-SHA
        #   (as in the example below), most connections will no longer
        #   have perfect forward secrecy - if the server's key is
        #   compromised, captures of past or future traffic must be
        #   considered compromised, too.
        #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
        #SSLHonorCipherOrder on

        #   The protocols to enable.
        #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
        #   SSL v2  is no longer supported
        SSLProtocol all

        #   Allow insecure renegotiation with clients which do not yet support the
        #   secure renegotiation protocol. Default: Off
        #SSLInsecureRenegotiation on

        #   Whether to forbid non-SNI clients to access name based virtual hosts.
        #   Default: Off
        #SSLStrictSNIVHostCheck On

</IfModule>

# mydomain.com port 443 SSL redirects to SSL www.mydomain.com
<VirtualHost *:443>
        ServerName mydomain.com
        DocumentRoot /var/www/html
        SSLEngine on
        SSLCertificateKeyFile /etc/ssl/CA/certs/www.mydomain.com/server.key
        SSLCertficicateFile /etc/ssl/CA/certs/www.mydomain.com/server.crt
        Redirect / https://www.mydomain.com/
</VirtualHost>

#test for redirect https
#<VirtualHost *:443>
#        ServerName www.mydomain.com
#        Redirect / https://www.mydomain.com/
#</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
root@hostname:~#

Yusui
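
Added example, not part of the original message or of Apache itself: a small Python check that flags a `Redirect /` whose target is served by the same virtual host that issued it, the pattern that produces a redirect loop such as ERR_TOO_MANY_REDIRECTS. The two sample configs are constructed (the first mirrors the posted 000-default.conf) and the function names are this example's own; it assumes `*:port` vhosts only, ignores ServerAlias and the status-argument form of Redirect, and treats the first vhost on a port as the default.

```python
import re
from urllib.parse import urlsplit

# Constructed sample mirroring the posted 000-default.conf: one *:80 vhost, no ServerName.
LOOPING = """
<VirtualHost *:80>
    DocumentRoot /var/www/html
    Redirect / http://www.mydomain.com/
</VirtualHost>
"""
# Constructed sample: the bare name redirects, the www name serves content.
SPLIT = """
<VirtualHost *:80>
    ServerName mydomain.com
    Redirect / http://www.mydomain.com/
</VirtualHost>
<VirtualHost *:80>
    ServerName www.mydomain.com
    DocumentRoot /var/www/html
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+\*:(\d+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return one (port, ServerName or None, [Redirect / targets]) tuple per vhost."""
    vhosts = []
    for port, body in VHOST_RE.findall(conf):
        rows = [l.split() for l in body.splitlines() if l.strip() and not l.strip().startswith("#")]
        name = next((r[1].lower() for r in rows if r[0].lower() == "servername" and len(r) > 1), None)
        targets = [r[2] for r in rows if r[0].lower() == "redirect" and len(r) == 3 and r[1] == "/"]
        vhosts.append((int(port), name, targets))
    return vhosts

def serving_vhost(vhosts, host, port):
    """Name-based selection: ServerName match, else the first vhost on that port."""
    on_port = [i for i, v in enumerate(vhosts) if v[0] == port]
    match = [i for i in on_port if vhosts[i][1] == host]
    return (match or on_port or [None])[0]

def redirect_loops(conf):
    """Return Redirect targets that land back in the vhost that issued them."""
    vhosts, loops = parse_vhosts(conf), []
    for i, (_, _, targets) in enumerate(vhosts):
        for url in targets:
            u = urlsplit(url)
            port = u.port or (443 if u.scheme == "https" else 80)
            if serving_vhost(vhosts, (u.hostname or "").lower(), port) == i:
                loops.append(url)
    return loops
```
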
