Discussion:
Directing all http requests to https
(too old to reply)
Swifty
2012-04-26 17:11:21 UTC
Permalink
What is the recommended technique for redirecting all http requests to
https ?

In my particular circumstances, I want to do this only when the URL is
directed at a userdir, so the original URL will be of the form:

http://example.com/~...
--
Steve Swift
http://www.swiftys.org.uk/swifty.html
http://www.ringers.org.uk
BootNic
2012-04-28 02:58:29 UTC
Permalink
Post by Swifty
What is the recommended technique for redirecting all http
requests to https ?
In my particular circumstances, I want to do this only when the
URL is directed at a userdir, so the original URL will be of the
http://example.com/~...
RewriteCond %{REQUEST_URI} ^/~ [NC]
### test for HTTPS if you DON'T have separate configuration for SSL
### RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
--
BootNic Fri Apr 27, 2012 10:58 pm
"I suppose they are vicious rascals, but it scarcely matters what they are.
I'm after what they know."
*Gibson-Sterling, The Difference Engine*
Swifty
2012-04-29 06:42:14 UTC
Permalink
Post by BootNic
RewriteCond %{REQUEST_URI} ^/~ [NC]
### test for HTTPS if you DON'T have separate configuration for SSL
### RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Thank you for that, which I'll try on my next working day.

I don't understand what is meant by having a separate configuration
for SSL.

The standard installation (Apache 2.2) encourages putting your SSL
definitions in sites-enabled/default-ssl but that is little more than
an administrative convenience, so this is probably not what is meant.

Of course, this is simple to test; if it works as-is then fine,
otherwise take the commenting out and see what happens.

This might take me a few days, as the entire system was built only
last week, and I haven't reached the state where I find it easy to
manipulate the config.

In case anyone is wondering what things I do to make managing the
config easier:

1. I create a CGI script which displays the apache2.conf file with all
of the "include" statements expanded. This way I can use a simple
Ctrl+f (in the browser) to locate any particular directives that
interest me.
2. For #1 to work, I have to persuade the system administrator to
install the processor for the scripting language that I use.
I may be "root", but that gives me only the power, not the wit and
wisdom. (So I'd probably do OK as a politician)
--
Steve Swift
http://www.swiftys.org.uk/swifty.html
http://www.ringers.org.uk
BootNic
2012-04-29 15:09:19 UTC
Permalink
Post by Swifty
Post by BootNic
RewriteCond %{REQUEST_URI} ^/~ [NC]
### test for HTTPS if you DON'T have separate configuration for SSL
### RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Thank you for that, which I'll try on my next working day.
I don't understand what is meant by having a separate configuration
for SSL.
The standard installation (Apache 2.2) encourages putting your SSL
definitions in sites-enabled/default-ssl but that is little more than
an administrative convenience, so this is probably not what is meant.
If you are going to add this RewriteRule to a virtualhost under
sites-enabled/default-ssl, and DON'T test for HTTPS, it will be and endless
redirect. DO test for HTTPS, it will never redirect anything. It would be
useless to add this RewriteRule to a virtualhost under
sites-enabled/default-ssl.

If you are going to add this RewriteRule to a virtualhost under
sites-enabled/default, there should be no reason to test for HTTPS

If you were to use .htaccess for both SSL and non SSL and add this RewriteRule
to .htaccess then test for HTTPS.

AccessFileName .htaccessSSL could be added to the virtualhost under
sites-enabled/default-ssl.

if .htaccess is used for non SSL and .htaccessSSL for SSL, then this
RewriteRule could be added to .htaccess and no need to test for HTTPS.

It would be just as useless to add this RewriteRule to .htaccessSSl for the
same reasons as adding it to a virtualhost under sites-enabled/default-ssl.

Presuming AllowOverride is set to allow this, good for testing, no
need to restart apache for every change, then move to main server configuration.

[snip]
--
BootNic Sun Apr 29, 2012 11:09 am
Wife who put husband in doghouse soon find him in cat house.
*Ancient Chinese Proverbs*
Swifty
2012-04-30 09:08:56 UTC
Permalink
Post by BootNic
If you were to use .htaccess for both SSL and non SSL and add this RewriteRule
to .htaccess then test for HTTPS.
Thanks for the explanations. I hadn't considered the possibility of an
endless redirect.

I won't be using htaccess as I'm under a corporate mandate forbidding
its use, no matter how handy it may be. The security people are afraid
of what it might enable.

I'm also unlikely to be using VirtualHosts (don't have any yet).
Each person who wants me to host some webpages will be given a userid
on the server, and they'll user the userdir mechanism to host their
webpages from their own filespace.

So, my first test will be to place your example inside the base
configuration, probably inside the userdir.conf

Well, that didn't go so well. Here is most of my userdir.conf (I
deleted some of the authorisation statements):

<IfModule mod_userdir.c>
UserDir public_html
UserDir disabled root
<Directory /home/*/public_html>
AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
AuthType Basic
AuthBasicProvider ldap
AuthName "Intranet Password"
<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
RewriteCond %{REQUEST_URI} ^/~ [NC]
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>
</IfModule>

... and I can still get to http://example.com/~steve/
--
Steve Swift
http://www.swiftys.org.uk/swifty.html
http://www.ringers.org.uk
BootNic
2012-04-30 10:04:05 UTC
Permalink
In article <***@4ax.com>,
Swifty <***@gmail.com> wrote:

[snip]
Post by Swifty
I'm also unlikely to be using VirtualHosts (don't have any yet).
Each person who wants me to host some webpages will be given a
userid on the server, and they'll user the userdir mechanism to
host their webpages from their own filespace.
So, my first test will be to place your example inside the base
configuration, probably inside the userdir.conf
Well, that didn't go so well. Here is most of my userdir.conf (I
[snip]


userdir.conf

<IfModule mod_userdir.c>
UserDir public_html
UserDir disabled root
<Directory /home/*/public_html>
<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
</IfModule>

add to default

<Directory /home/*/public_html>
AllowOverride none
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>

add to default-ssl

<Directory /home/*/public_html>
AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
AuthType Basic
AuthBasicProvider ldap
AuthName "Intranet Password"
</Directory>
--
BootNic Mon Apr 30, 2012 06:04 am
A man's got to do what a man's got to do. A woman must do what he can't.
*Rhonda Hansome*
BootNic
2012-04-30 10:33:57 UTC
Permalink
In article <***@bootnic.server>,
BootNic <***@gmail.com> wrote:


[snip]
Post by BootNic
add to default
<Directory /home/*/public_html>
AllowOverride none
RewriteEngine on
Post by BootNic
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>
[snip]
--
BootNic Mon Apr 30, 2012 06:33 am
Our earth is degenerate in these latter days; bribery and corruption are
common; children no longer obey their parents; and the end of the world is
evidently approaching.
*Assyrian clay tablet 2800 B.C.*
Swifty
2012-05-01 08:37:03 UTC
Permalink
Post by BootNic
RewriteEngine on
Thank you for your patience, and help. At this stage, everything
started working.

In the past I've only added rewrite directives on systems where it was
already in use, and I forgot all about enabling it.

#1 in my "New Skills" list is: forgetfulness.
--
Steve Swift
http://www.swiftys.org.uk/swifty.html
http://www.ringers.org.uk
Swifty
2012-04-30 11:40:27 UTC
Permalink
Post by BootNic
add to default-ssl
I'm not sure I've got a default-ssl (whatever). The fellow who setup
the Linux also setup the SSL on the apache server before handing the
lot over to me. I'll have to take a close look at what I've got.
--
Steve Swift
http://www.swiftys.org.uk/swifty.html
http://www.ringers.org.uk
Continue reading on narkive:
Loading...