Quick synapisisCorrect method of redirecting HTTP to HTTPS 1

[bazil2]

(Very elementary user)

I have successfully set an Apache 2 webserver to now receive requests from HTTPS.

As I'm sure most of you are aware, this involved:

• generating a KEY and CSR file
• obtaining an SSL and CA directive certificates
• configuring /etc/httpd/conf.d/ssl.conf

In the conf file I put in the paths to my certificates and keys.

I lastly configured the main firewall to NAT https to this sever.

It was all going so well, but I forgot one major thing that prevented all this from working; can you get what it was?

The RHEL5 sever has it's own firewall, and it needed to have https enabled - this was a stupid mistake as I checked everything else several times ... but didn't think of this (not SE Linux)!

Is there a method however of forcing or redirecting all http requests to https?

Here are some examples of how users currently access the server:

http://sub.somedomain.com/Billy

http://sub.somedomain.com/Snubby

http://sub.somedomain.com/Charlie

The goal is, irrespective as to whether the users use http or https, that they can connect to the server, however, Apache should handle the requests always as https.

Is there a best practice method of doing this; presumably with an entry in the /etc/httpd/conf/httpd.conf ?

Best regards

 

[ChrisHirst]

https://wiki.apache.org/httpd/RewriteHTTPToHTTPS

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

 

[bazil2]

Thank you so much; this worked like a charm!

Are you familiar with the correct permissions for the .htaccess file; mine are as follows:


-rw-r--r-- 1 root root 477 May 4 01:22 .htaccess

Do you know if that is correct?

Best regards

 

[ChrisHirst]

644 (as the flags -rw-r--r-- show) is more secure, 477 (-r--rwxrwx) gives "world" write access, so leaves it potentially vulnerable to attack such as this one.

.htaccess does not actually need 'execute' permission rwx as it is only read and parsed for directives, not 'run' to execute code.


Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

 

[bazil2]

Thanks Chris,

that link was indeed a horror story, I'm glad I asked!

Can I ask you a question about the httpd.conf file ....

in order to respect the .htaccess file, it is necessary to change the following entry; in an effort to keep security 'tight', is it possible to restrict the 'Rewrite' function to any of the listed keywords?

# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride All

Best regards
Stephen

 

[ChrisHirst]

It all depends on what kind of server you are running. If you are a shared hosting provider, restricting what clients/users can override in local .htaccess files can reduce the risks of one of them 'accidentally' allowing directory traversal attacks or cross site scripting exploits to gain a foothold.

If it is a dedicated box or a VM where you are the only user it's not that important, cos' anything you 'break' you also have to fix



Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum