[opensuse] Question of http to https rewriting with apache and openSuSE 10.3
Listmates,

I think I am doing this right, but it doesn't work. I have a "Directory" covered by "AuthType" Basic that I want to cause any non-secure (http:) access attempts to be rewritten to secure (https:) access. I am using the Directory definition to set up the rewrite instead of using .htaccess. The rewrite would work the same either way. mod_rewrite.c is loaded and happy. Here is what I have so far in the Directory definition to try and accomplish this:

    Options +Indexes +FollowSymLinks
    #
    RewriteEngine On
    RewriteBase /dcr
    #
    SSLOptions +StrictRequire
    SSLRequireSSL
    SSLRequire %{HTTP_HOST} eq "www.3111skyline.com/dcr"
    ErrorDocument 403 default
    #
    RewriteCond %{HTTPS} !=on
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

What happens is that upon trying to access the url, you are immediately rewritten to https:, but you are not directed back to /dcr, instead you end up at the home page for the site in secure mode. ( https://www.3111skyline.com )

So it is nearly working, but not quite. I am a noob at this rewriting stuff. Do any of you veterans have any ideas what is going wrong or where I should look for answers? The only error in the log is:

    [Fri Jun 06 01:23:21 2008] [error] [client 192.168.6.101] access to /srv/www/dcr/ failed, reason: SSL connection required

But, from my understanding, this isn't a problem because this occurs at the SSLRequire stage which is just a log of the attempted access by http: before redirection to https: occurs.

Thanks for any help you can offer.

--
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
David C. Rankin wrote:
    SSLOptions +StrictRequire
    SSLRequireSSL
    SSLRequire %{HTTP_HOST} eq "www.3111skyline.com/dcr"
    ErrorDocument 403 default
David,

I haven't looked at using any of this SSLrequire stuff, but isn't there a problem in

    SSLRequire %{HTTP_HOST} eq "www.3111skyline.com/dcr"

HTTP_HOST will never have the "/dcr" part. Maybe you need to use REQUEST_URI or something similar instead.

/Per Jessen, Zürich
Per Jessen wrote:
David C. Rankin wrote:
    SSLOptions +StrictRequire
    SSLRequireSSL
    SSLRequire %{HTTP_HOST} eq "www.3111skyline.com/dcr"
    ErrorDocument 403 default
David,
I haven't looked at using any of this SSLrequire stuff, but isn't there a problem in
SSLRequire %{HTTP_HOST} eq "www.3111skyline.com/dcr"
HTTP_HOST will never have the "/dcr" part. Maybe you need to use REQUEST_URI or something similar instead.
/Per Jessen, Zürich
Hmmm,

Good call Per. The /dcr doesn't need to be there. The HTTP_HOST is OK though since it appears inside the /dcr <Directory> definition in httpd.conf.local. I think my problem is with the lines:

    RewriteCond %{HTTPS} !=on
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

I'll keep plugging away.

--
David C. Rankin, J.D., P.E.
David C. Rankin wrote:
Good call Per. The /dcr doesn't need to be there. The HTTP_HOST is OK though since it appears inside the /dcr <Directory> definition in httpd.conf.local. I think my problem is with the lines:
    RewriteCond %{HTTPS} !=on
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
Those two lines add up to: if the request isn't using https, redirect to the same URI, but with https://.

    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

I'm not at all certain, but shouldn't you be using HTTP_HOST instead of SERVER_NAME?

/Per Jessen, Zürich
Per Jessen wrote:
David C. Rankin wrote:
Good call Per. The /dcr doesn't need to be there. The HTTP_HOST is OK though since it appears inside the /dcr <Directory> definition in httpd.conf.local. I think my problem is with the lines:
    RewriteCond %{HTTPS} !=on
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
Those two lines add up to: if the request isn't using https, redirect to the same URI, but with https://.
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
I'm not at all certain, but shouldn't you be using HTTP_HOST instead of SERVER_NAME?
/Per Jessen, Zürich
Hmmm,

I try switching, but according to phpinfo(); they both hold the same thing:

    HTTP_HOST www.3111skyline.com
    SERVER_NAME www.3111skyline.com

--
David C. Rankin, J.D., P.E.
Per,

Now the server is going whacko on me. Instead of redirecting me to https://www.3111skyline.com as it did last night, now it is just giving me the 403 message "Access Denied". I can still go straight to the location with https://www.3111skyline.com/dcr just fine, but now rewrite seems to be not working at all. The only thing the apache "error_log" says is:

    [Fri Jun 06 11:37:06 2008] [error] [client 192.168.6.101] access to /srv/www/dcr/ failed, reason: SSL connection required

Which is the same as it was giving me last night, but then it would redirect me to https://www.3111skyline.com/. The complete <Directory> definition follows below. Can you take a quick look and see if anything is glaringly wrong? Does the order of the statements matter? Thanks again for your help. Here is the listing:

    <Directory "/srv/www/dcr">
        #
        ## always include either in <Directory> or .htaccess if rewriting
        #
        Options +Indexes +FollowSymLinks
        #
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /
            RewriteCond %{HTTPS} !=on
            # RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
            RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
        </IfModule>
        #
        ## http-to-https ssl rewriting (can be in .htaccess also)
        #
        SSLOptions +StrictRequire
        SSLRequireSSL
        SSLRequire %{HTTP_HOST} eq "www.3111skyline.com"
        ErrorDocument 403 default
        #
        ## Basic Auth
        #
        AuthType Basic
        AuthName "Restricted Files"
        #
        ## dbm Auth
        #
        AuthBasicProvider dbm
        AuthDBMUserFile /usr/local/lib/apache2/passwd
        Require valid-user
        #
        ## General Options
        #
        IndexOptions FancyIndexing IconsAreLinks
        AllowOverride AuthConfig
        #
        ## normal allow,deny with nopasswd from IP and auth from any
        #
        Order allow,deny
        # Allow from all
        Allow from 192.168.6 66.76.63.60
        Satisfy Any
    </Directory>

--
David C. Rankin, J.D., P.E.
SMACKS SELF IN THE HEAD,

All that is required is:

    SSLOptions +StrictRequire
    SSLRequireSSL
    SSLRequire %{HTTP_HOST} eq "www.3111skyline.com"
    ErrorDocument 403 https://www.3111skyline.com/dcr

You are using ErrorDocument to rewrite the url without any need for mod_rewrite! Thanks for your feedback! This is actually a cool way to do it.

--
David C. Rankin, J.D., P.E.
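A variant of the setup in the message above, as an added example that is not part of the original thread: the redirect is issued from the plain-HTTP virtual host so the requested path is preserved, and SSLRequireSSL stays on the directory as the enforcement backstop. The port-80 virtual host is an assumption (the thread does not show how the server's hosts are laid out), and the HTTPS host is taken to be already working, as the thread reports.

```apache
# Added example, Apache 2.2 syntax to match the thread.
# Assumed: plain HTTP for www.3111skyline.com is served by this vhost only.
<VirtualHost *:80>
    ServerName www.3111skyline.com
    # mod_alias Redirect matches the URL-path prefix and appends the rest, so
    # http://www.3111skyline.com/dcr/a/b goes to https://www.3111skyline.com/dcr/a/b.
    # The target host is a literal, not the client-supplied Host header.
    Redirect permanent /dcr https://www.3111skyline.com/dcr
</VirtualHost>

# Directory section from the thread, without the mod_rewrite block.
<Directory "/srv/www/dcr">
    Options +Indexes +FollowSymLinks

    # Backstop in case a plain-HTTP request ever reaches this directory.
    # mod_ssl enforces this during access checking; per-directory RewriteRules
    # run later, in the fixup phase, so the request is denied (the
    # "SSL connection required" log entry) before such a rule is evaluated.
    SSLRequireSSL
    # With "Satisfy Any" below, an allowed IP or a valid login would otherwise
    # override the SSL requirement; +StrictRequire keeps the denial final.
    SSLOptions +StrictRequire
    # No "ErrorDocument 403 https://..." here: that form redirects every 403
    # in this directory to one fixed URL and drops the requested path.

    AuthType Basic
    AuthName "Restricted Files"
    AuthBasicProvider dbm
    AuthDBMUserFile /usr/local/lib/apache2/passwd
    Require valid-user

    Order allow,deny
    Allow from 192.168.6 66.76.63.60
    Satisfy Any
</Directory>
```

Because the port-80 host only ever answers with a redirect, the Basic authentication challenge is issued over HTTPS alone.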
David C. Rankin wrote:
SMACKS SELF IN THE HEAD,
All that is required is:
    SSLOptions +StrictRequire
    SSLRequireSSL
    SSLRequire %{HTTP_HOST} eq "www.3111skyline.com"
    ErrorDocument 403 https://www.3111skyline.com/dcr

You are using ErrorDocument to rewrite the url without any need for mod_rewrite! Thanks for your feedback! This is actually a cool way to do it.
Almost 20 years ago I was on an assembler programming class in Copenhagen. One of the most valuable tricks I was taught was: when it's 4 in the morning, and you've been working on the same problem for the last couple of hours - when the cleaning staff turns up towards 5, drag one of them into your office and explain the code to her step by step.

/Per Jessen, Zürich
participants (2): David C. Rankin, Per Jessen