Apache-SSL 2.0.45: redirect changes URL from https:... to http://server...:443/.. which fails


Post by Herbert Neugebau » Thu, 03 Jul 2003 01:55:06



Hello,

we're experiencing a strange problem with apache. I know this at
first glance looks almost like "FAQ", but it isn't, we've spent days
looking through all docu, FAQs, googled groups and the web... to no
avail.

We've successfully setup the server to listen both on 80 and an SSL
version on 443. At some time later we will have some pages served via
80 (non-secure) and some pages only after certificate based
authentication via SSL. At the moment everything works both on
http://... and https://...

We first had everything working via normal port 80. Then we configured
SSL and set up a VirtualHost for that. So far so fine. Everything
seemed to work, including the certificate based authentication.

However if any of the Web-pages issues a "redirect" on the secure
server side, e.g. after a login on
https://host.sub.domain.com/umufasel/login.jsp, the web-browser is
redirected to http://host.sub.domain.com:443/umufasel/index.jsp
instead of https://host.sub.domain.com/umufasel/index.jsp
This of course then fails as the browser tries to speak http while on
443 https is waiting and SSL can't decrypt.

It can't be obvious stuff like missing "-D SSL" when starting apache
or missing certificate. Not triple, but 100 times checked. https
protocol really works. It's just the redirect that somehow generates a
wrong URL and sends it to the browser.
Also be assured, that the JSP pages where this happens DO use relative
URLs. They do not specify the crappy URL hardcoded.
(e.g.: response.sendRedirect(response.encodeRedirectURL("../index.jsp")))

I've already browsed/searched both on apache and the rest of the web
with google. However I've not been able to solve the problem. All the
hints I get describing exactly this problem are related to
Tomcat/Jakarta. Well, I followed their hints, but most of the Tomcat
cases are relevant when using Tomcat standalone, but in our case we
use Tomcat via Apache, so those solutions do not apply.

I have no clue where the new, redirected, URL is generated and how it
can get so strangely wrong. I've put debugging in Tomcat and apache on
debug, but I can't find a clue in the logfile.

We thought of a workaround using redirect or rewrite. Unfortunately
rewrite doesn't help, as the browser tries to speak HTTP to the server
via port 443, but the SSL handshake fails of course on such a low
level, that apache does not even get the request, so that rewrite does
not fire.

Any ideas? I stripped the comment from httpd.conf and ssl.conf (which
is included by httpd.conf) and included both below. I also included
mod_jk.conf, which is also included by httpd.conf.

What did we overlook? We're lost!

   Thanks in advance for any hint!

        Herbert

httpd.conf:  (almost complete, just removed definitely unrelated
stuff)
-----------
ServerRoot "/opt/hpws/apache"

PidFile logs/httpd.pid

Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

Listen 80

LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule auth_anon_module modules/mod_auth_anon.so
LoadModule auth_dbm_module modules/mod_auth_dbm.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule echo_module modules/mod_echo.so
LoadModule charset_lite_module modules/mod_charset_lite.so
LoadModule cache_module modules/mod_cache.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule case_filter_module modules/mod_case_filter.so
LoadModule case_filter_in_module modules/mod_case_filter_in.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
<IfDefine SSL>
LoadModule ssl_module modules/mod_ssl.so
</IfDefine>
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule info_module modules/mod_info.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule cgid_module modules/mod_cgid.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule php4_module        modules/libphp4.so

User www
Group other

ServerAdmin w...@host.sub.domain.com

ServerName host.sub.domain.com

UseCanonicalName Off

DocumentRoot "/web/prod"

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/web/prod">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

DirectoryIndex index.html index.html.var index.php index.cgi

AccessFileName .htaccess

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

TypesConfig conf/mime.types

DefaultType text/plain

<IfModule mod_mime_magic.c>
    MIMEMagicFile conf/magic
</IfModule>

HostnameLookups Off

ErrorLog logs/error_log

LogLevel info

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

CustomLog logs/access_log common

ServerTokens Full

ServerSignature On

Alias /icons/ "/opt/hpws/apache/icons/"

<Directory "/opt/hpws/apache/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Alias /licsign/ /web/prod/licsign/

<Directory "/web/prod/licsign">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Alias /manual "/opt/hpws/apache/manual"

<Directory "/opt/hpws/apache/manual">
    Options Indexes FollowSymLinks MultiViews IncludesNoExec
    AddOutputFilter Includes html
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

ScriptAlias /cgi-bin/ "/web/prod/cgi-bin/"

<IfModule mod_cgid.c>
Scriptsock            logs/cgisock
</IfModule>

<Directory "/web/prod/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

IndexOptions FancyIndexing VersionSort

<Files *.php>      
    SetOutputFilter PHP
    SetInputFilter PHP
</Files>

<IfModule mod_alias.c>
    # Allows access to hp_docs from a browser
    # use http://yourserver.com/hp_docs
    # To prevent access, comment the following lines out.
    Alias /hp_docs "/opt/hpws/hp_docs"
    <Directory "/opt/hpws/hp_docs">
        AddHandler cgi-script .cgi
        Options ExecCGI FollowSymLinks MultiViews Indexes
        Order allow,deny
        Allow from all
    </Directory>
</IfModule>

<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>

Include /opt/hpws/tomcat/jk/apache2/mod_jk.conf

ssl.conf:
---------
<IfModule mod_ssl.c>
<IfDefine SSL>

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache        shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout  300

SSLMutex  file:logs/ssl_mutex

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost _default_:443>

DocumentRoot "/web/prod"
ServerName host.sub.domain.com
ServerAdmin w...@host.sub.domain.com
ErrorLog logs/https-error_log
TransferLog logs/https-access_log

SSLEngine on
SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /opt/hpws/apache/conf/ssl.crt/host.crt
SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.key/host.key
SSLCACertificatePath /opt/hpws/apache/conf/ssl.crt
SSLCACertificateFile /opt/hpws/apache/conf/ssl.crt/ca-bundle.crt

SSLVerifyClient require
SSLVerifyDepth  10

SSLOptions +ExportCertData +StdEnvVars
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars +ExportCertData
</Files>

<Directory "/opt/hpws/apache/cgi-bin">
    SSLOptions +StdEnvVars +ExportCertData
</Directory>

<Directory "/web/prod">
    SSLOptions +ExportCertData +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

</VirtualHost>                                  

</IfDefine>
</IfModule>

mod_jk.conf.
------------
<IfModule !mod_jk.c>
  LoadModule jk_module /opt/hpws/tomcat/jk/apache2/mod_jk.so
</IfModule>

JkWorkersFile /opt/hpws/tomcat/jk/apache2/workers.properties
JkLogFile /opt/hpws/tomcat/logs/jk.log
JkLogLevel emerg

JkExtractSSL On
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT

JkMount /licsign ajp13
JkMount /licsign/* ajp13


Post by Chris Morri » Thu, 03 Jul 2003 17:15:30



> However if any of the Web-pages issues a "redirect" on the secure
> server side, e.g. after a login on

If you put together a redirect in httpd.conf or .htaccess does the
same thing happen?  If not I suspect a JSP bug/miscoding.

> Also be assured, that the JSP pages where this happens DO use relative
> URLs. They do not specify the crappy URL hardcoded.
> (e.g.: response.sendRedirect(response.encodeRedirectURL("../index.jsp")))

If you specify an absolute URL here (probably with some sort of if
statement needed to get the protocol right) does it work?  Unless JSP
does some sort of filtering, you should use absolute URLs for
redirects anyway.

--
Chris
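
The symptom from the original post, reproduced in a simplified model (an added example, not code from this thread, Tomcat or mod_jk): a servlet container makes a relative `sendRedirect()` target absolute using the scheme, host and port it believes the request arrived on, so a request seen as scheme `http` on port 443 yields the failing URL. That the backend sees `http` here is an assumption, and the relative target `index.jsp` and both function names are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def absolute_redirect(scheme, host, port, request_path, target):
    """Model of relative-redirect resolution in a servlet container.

    scheme/host/port are what the backend *believes* about the request;
    behind a front-end web server these come from the connector, not
    from the browser's TLS connection.
    """
    # The port is dropped only when it is the default for that scheme,
    # so http + 443 keeps an explicit ":443".
    netloc = host if DEFAULT_PORTS.get(scheme) == port else f"{host}:{port}"
    base = f"{scheme}://{netloc}{request_path}"
    return urljoin(base, target)


def scheme_port_mismatch(location):
    """True when a Location URL pairs a scheme with the other scheme's
    default port (http on 443, or https on 80)."""
    parts = urlsplit(location)
    if parts.port is None:
        return False
    return any(parts.port == default and parts.scheme != scheme
               for scheme, default in DEFAULT_PORTS.items())


if __name__ == "__main__":
    host = "host.sub.domain.com"          # host name used in the thread
    path = "/umufasel/login.jsp"          # page that issues the redirect
    # Constructed cases: what the backend thinks the scheme is.
    for believed_scheme in ("http", "https"):
        url = absolute_redirect(believed_scheme, host, 443, path, "index.jsp")
        flag = "MISMATCH" if scheme_port_mismatch(url) else "ok"
        print(f"{believed_scheme:5} -> {url}  [{flag}]")
```

Running `scheme_port_mismatch` over the `Location` headers of responses served on the SSL virtual host is a quick way to confirm whether the backend was told the request was secure.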


Post by Joachim Zobe » Fri, 04 Jul 2003 01:17:07


Hi.

This might come from an incorrect SCRIPT_URI. Here is a workaround.

RewriteRule  .* -   [E=SCRIPT_URI:https://%{SERVER_NAME}%{ENV:SCRIPT_URL}]

Hth,
Joachim

--
"Money is a sign of poverty."    - Iain Banks - Ein Geschenk der Kultur
