httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alexandru Duzsardi" <alexandru.duzsa...@pitechnologies.ro>
Subject RE: [users@httpd] Configuring redirects httpd behind a TLS-terminating proxy
Date Tue, 24 Jan 2017 05:48:25 GMT
Try this in your non-ssl virtualhost

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

More about mod_ssl variables  http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#envvars
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Tuesday, January 24, 2017 12:07 AM
To: users@httpd.apache.org
Subject: [users@httpd] Configuring redirects httpd behind a TLS-terminating proxy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

All,

I've got an EC2 instance behind a load balancer where TLS is being terminated. I've arranged
for two separate httpd (2.4.25)
VirtualHosts: one for the secure connections (proxied from the lb) and another for the non-secure
connections.

I have a Redirect directive that isn't behaving as I'd like it to behave
:

RedirectMatch permanent ^/$    /site/

I have the same redirect in both VirtualHosts. The redirect itself works, but it doesn't preserve
the secure-protocol when I'm using the secure VirtualHost.

I have this directives to attempt to set the HTTPS environment variable:

    # Handle ELB requests; maintain client information
    SetEnvIf X-Forwarded-Proto "https" HTTPS=On
    SetEnvIf X-Forwarded-Port "(.*)" JK_LOCAL_PORT=$1

I can confirm that ELB is in fact sending the "X-Forwarded-Proto:
https" header to my httpd instance.

I can also see that the HTTPS environment variable is in fact being set to "On" when I make
a request.

I'm expecting httpd to redirect a request from "https://www.example.com/" to "https://www.example.com/site/"
but instead I'm getting redirected to "http://www.example.com/site/".

Can anyone see anything wrong with my configuration? Or do I have a misunderstanding of how
RedirectMatch will built its relative URLs?
I'd expect the redirects to be protocol-relative, but even though HTTPS=On, the request from
the LB is actually using HTTP and not HTTPS. Am I not able to override the protocol by setting
the HTTPS environment variable?

Do I have to build an absolute redirect using other environment variable s?

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYhn6RAAoJEBzwKT+lPKRYPGgQAJxY2qq2wAxhzV21iQJFz/qz
vviFasPk17/ezD7ZGM1yHuxOrTrZRglvIRUXrRB3MWBX55fX11NsryxfKNigxOpw
TXtmJQNAScvXZfGdSVkVNcSNHN6FWKE+QRNhtPNhVoyxWP1fUdc00bzFCX3PDvoo
+8ASJJDV+0Qy5O0IlVv4B1uBnfzhVaxBgi2UYzGF8jyrbgUXHUA9R14FtXN6DNqw
Q4UKBXD6W5wS1zPYep9oHs0aqQIycvAXTFB20dwfaZ/Qft/wED2ACNOg60hRtQ3x
tP57zjEQqxzHKPHsTYaM4k6so69lIL9uoNUBgN1Q/Eqyl+ufF13y2EasjL4Y2Svz
qUFzyP85xFHTxnR8QvAYvmL4jqrf2ynZWnKHLDoVs1y9BOb0Iv4/8EWqcaIOG4QF
MlUxoSY32Z/BA3oxkE3pTzzqeyjZTY3ITMtdNDFMWFoDa3iTDBFNjfcUOYJSuaZx
7Q9A7NYtMpTFvTxVpQmz+PFkVpDqmF/xxHO/B9LaPcjTCWqqYU+m5/GTugW/pcoH
LVKfiPEbAYkjmOIR/+BE2x2YU4PglTIrzKfB2MlyHq/3qU3/SNvL+qM0xs6V1tdN
OtLx83lrEKecuqiH3A6zGPpcKqzdCGCMJxbg/jq5QJXMLs3/sSYyo15EjUEQYfjZ
Wn+RdQYSpwcWQ8eoLQVF
=mJ4i
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message