In moving to SSL what configuration

Status
Not open for further replies.

SirCharles

Programmer
Jun 10, 2002
212
US
In moving to SSL, what configuration directives should be given to get communication going on SSL in the Apache configuration file? I.e., is a redirect directive needed to direct all traffic from port 80 to 443? Where and how should this be implemented so that an individual could type:
and get redirected to foo.bar over https?
I.e., do DNS entries have to be modified?
Does the httpd.conf file need to have a redirect directive to get port 80 going to 443? Does one need a 'shim' site on port 80 redirected to 443?
 
You don't redirect port 80 to port 443. You either modify Apache using Apache-SSL ( or you install mod_ssl ( This adds SSL capabilities to Apache and makes available an additional set of configuration directives for setting up SSL.

There are no DNS changes necessary to switch from to
Want the best answers? Ask the best questions: TANSTAAFL!
 

How do I have users on an intranet access the site with http, and external users, those from the internet, access the site with https?

 
I'm having difficulty getting the rewrite to work properly. It seems as though the <VirtualHost ###.###.### ###.###.###:443> won't work, as it can't mix * and non-* here, per the error message on startup.
 
Should I have a separate site for http and a rewrite rule that rewrites the URL to the https/ssl site? This would serve the same content off of two sites. Is this wise?
 
If the site scripts specify as prefix to some of the docs, how do I get the rewrite rule to translate these references to https? I.e., if the scripts referenced on the site refer to documents with an http prefix, can the rewrite rule be made to translate the URL prefix from http to https on a per-directory specification? The RewriteRule doc mentions a fix-it phase. Would this be possible to do through this fix-it phase? It doesn't appear to work by just having the rewrite rule directive at the top of the site specifications, before the Alias and ScriptAlias directives.
 
I am trying to emulate the same behavior as SirCharles, to no avail.

I have already set up my SSL (it works!). Whenever a user attempts to traverse to the the encryption, password verification, certificate authorization, et al. all work as expected. My virtual host is configured according to several sources. Everything is almost great...almost.

The problem is that I have a GREAT BIG GAPING HOLE in my security for this site in that ANY user attempting to traverse to the secure pages via they waltz right in, no authentication, not even a password verification.

So, I did my homework. Looks as if mod_rewrite is what I need; however, I can't get anything to redirect. It's as if the rule is not being read. Here are my relevant httpd.conf lines:

[tt]
LoadModule ssl_module modules/mod_ssl.so
Include conf/ssl.conf
[/tt]

Here is my entire ssl.conf (values changed to protect my ignorance ;):

[tt]
<IfDefine SSL>
SSLProtocol -all +SSLv3
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost *:443>
DocumentRoot "C:/securearea"
ServerName [MY SERVER NAME]
ServerAdmin [MY SERVER ADMIN E-MAIL ADDRESS]

LogLevel warn
ErrorLog [LOG DIRECTORY]/SSLApacheError.log
TransferLog [LOG DIRECTORY]/SSLApacheTransfer.log
CustomLog [LOG DIRECTORY]/SSLApacheRequest.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

SSLEngine on
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile [SSL CERTIFICATE FILE]
SSLCertificateKeyFile [SSL CERTIFICATE KEY FILE]

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "c:/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SSLOptions +FakeBasicAuth

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

<Directory "C:/securearea/">
AllowOverride None
AuthName "Restricted to Authorized MyPhotoAlbum Users"
AuthType Basic
AuthDBMUserFile [AUTHORIZATION DATABASE USER FILE]
AuthDBMGroupFile [AUTHORIZATION DATABASE GROUP FILE]
require group MyPhotoAlbum

RewriteEngine on
RewriteRule ^/ [R,L]
</Directory>
</VirtualHost>
</IfDefine>
[/tt]

Is there any issue with mod_rewrite of which I am unaware (i.e., my syntax, placement in config, et al.)?

Thank you in advance for your assistance.

Ivan
 
The rewrite rule goes under the VHOST on port 80. You rewrite from there to https (443).
 
Thanks, that was the problem.

Now a new issue has been uncovered.

When the user traverses to http://[SERVER NAME], the rewrite rule is redirecting to https://[SERVER NAME], even though it is not a secure area.

How is it possible to ONLY have the secure area rewrite?

I have the following hierarchy:

[tt]
ApacheRoot
|
|--->All of the unsecure documents
|
|--->SSLDirs
     |
     |--->All of the secure documents
[/tt]

The relevant httpd.conf statements are:

[tt]
Listen 80

LoadModule auth_module modules/mod_auth.so
LoadModule auth_dbm_module modules/mod_auth_dbm.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so

ServerAdmin [SERVER ADMIN EMAIL]
ServerName [SERVER NAME]:80
UseCanonicalName On
DocumentRoot [DOCUMENT ROOT DIRECTORY]
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory [DOCUMENT ROOT DIRECTORY]>
Options Indexes FollowSymLinks
AllowOverride None
Order Allow,Deny
Allow from all
</Directory>

Include conf/ssl.conf

NameVirtualHost *:80

#IF I UNCOMMENT THIS SEEMINGLY REDUNDANT SEGMENT, NO REWRITES OCCUR.
#<VirtualHost *:80>
# ServerAdmin [SERVER ADMIN EMAIL]
# DocumentRoot [DOCUMENT ROOT DIRECTORY]
# ServerName [SERVER NAME]
# SSLEngine off
#</VirtualHost>
<VirtualHost *:80>
ServerAdmin [SERVER ADMIN EMAIL]
DocumentRoot [DOCUMENT ROOT DIRECTORY]/SSLDirs
ServerName [SERVER NAME]
SSLEngine off
RewriteEngine on
RewriteRule ^/(.*)$ [R,L]
</VirtualHost>
[/tt]

The ssl.conf file is:

[tt]
<IfDefine SSL>
SSLProtocol -all +SSLv3
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost *:443>
DocumentRoot [DOCUMENT ROOT DIRECTORY]/SSLDirs
ServerName [MY SERVER NAME]
ServerAdmin [MY SERVER ADMIN E-MAIL ADDRESS]

SSLEngine on
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile [SSL CERTIFICATE FILE]
SSLCertificateKeyFile [SSL CERTIFICATE KEY FILE]

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "c:/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SSLOptions +FakeBasicAuth

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

<Directory [DOCUMENT ROOT DIRECTORY]/SSLDirs>
AllowOverride None
AuthName "Restricted to Authorized Users"
AuthType Basic
AuthDBMUserFile [AUTHORIZATION DATABASE USER FILE]
AuthDBMGroupFile [AUTHORIZATION DATABASE GROUP FILE]
require group [MY SECURE GROUP]
</Directory>
</VirtualHost>
</IfDefine>
[/tt]

I guess my question is this: Is it possible to have BOTH an HTTP *and* an HTTPS server for the same name/IP? If so, what, in my configuration, is preventing this?
 
You could use incoming IPs to determine if a redirect to https is needed. This would be done with a rewrite condition placed between the
'RewriteEngine on' and 'RewriteRule ...'.
Example to redirect everything not coming from subnet 10.51:

[tt]
...
RewriteCond %{REMOTE_ADDR} !^10\.51\.[0-9]+\.[0-9]+$
RewriteCond %{HTTPS} !=on
...
[/tt]

Side note: you cannot use named virtual hosts with SSL. I'm not sure why the snippet you give is even working as listed. Go to the docs listed in the above URL references to learn more about SSL vs IP-based virtual hosts (not with named virtual hosts).
 
I figured it out. You have to have a [tt]RewriteCond[/tt] in order to rewrite ONLY those requests attempting to go to the secure area.

Thanks for all of your help.
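Pulling the thread's conclusion together, as an added example that is neither Ivan's nor the repliers' configuration: a port-80 vhost whose RewriteCond redirects only requests for the /SSLDirs subtree (the "ONLY the secure area" question above), with the protected directory defined once at server level so SSLRequireSSL refuses any plain-http request for the secure documents that the rewrite does not catch. The bracketed placeholders follow the thread's own convention and the 2.0-era syntax matches the configs posted above.

```apache
# Added example, not the thread's own config. [Bracketed] values are
# placeholders; Apache 2.0-era syntax to match the posts above.

Listen 80
Listen 443
NameVirtualHost *:80

# Defined at server level so the same protection applies in BOTH vhosts,
# whichever port a request for the secure tree arrives on.
<Directory "[DOCUMENT ROOT DIRECTORY]/SSLDirs">
    # Backstop: a plain-http request for this tree is answered 403 even if
    # the redirect below is later removed or broken.
    SSLRequireSSL
    AllowOverride None
    AuthType Basic
    AuthName "Restricted to Authorized Users"
    AuthDBMUserFile  [AUTHORIZATION DATABASE USER FILE]
    AuthDBMGroupFile [AUTHORIZATION DATABASE GROUP FILE]
    require group [MY SECURE GROUP]
</Directory>

<VirtualHost *:80>
    ServerName   [SERVER NAME]
    # The unsecure tree itself. With DocumentRoot at SSLDirs (as in the
    # posted config) the port-80 vhost would serve the secure documents
    # without TLS.
    DocumentRoot [DOCUMENT ROOT DIRECTORY]

    RewriteEngine on
    # Only paths inside the secure subtree are redirected; everything else
    # stays on plain http ...
    RewriteCond %{REQUEST_URI} ^/SSLDirs(/|$)
    # ... and the redirect goes to the same path on the https vhost
    # (the query string is carried over by the R flag).
    RewriteRule ^/(.*)$ https://[SERVER NAME]/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName   [SERVER NAME]
    DocumentRoot [DOCUMENT ROOT DIRECTORY]
    SSLEngine on
    SSLCertificateFile    [SSL CERTIFICATE FILE]
    SSLCertificateKeyFile [SSL CERTIFICATE KEY FILE]
</VirtualHost>
```

If intranet clients must keep using plain http for the secure tree, as asked earlier in the thread, add the REMOTE_ADDR condition from the reply above and drop SSLRequireSSL, accepting that the tree is then protected only as well as the rewrite is.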
 