#1 Commie Mutant Traitor
    Devshed Intermediate (1500 - 1999 posts), joined Jun 2004, Alpharetta, GA

    Rewriting rules and SSL


    I am currently setting up the latest incarnation of a website I've worked on in the past, and I have hit a wall with the Apache security setup. Since this is an e-commerce site, it requires the use of SSL for (at the very least) the checkout, and I had decided it would be easiest to simply have the whole site encrypted. To this end, I set up a rewriting rule that was supposed to redirect all unsecured page references to secured ones. The ruleset I set up is:

    Code:
    RewriteEngine On
    RewriteCond     %{HTTPS}   Off
    RewriteRule     ^(.*)$     https://%{HTTP_HOST}$1 [R,L]
    As you can see, this just rewrites the URL to use the HTTPS protocol whenever HTTP was originally used. Unfortunately, the result I am getting is exactly the opposite of what I was expecting: not only does it not rewrite unsecured connections, but attempts to connect securely are being rewritten as unsecured connections!

    For reference, the default site information (modulo any identifying details) is shown below:
    Code:
    <VirtualHost *:80>
        ServerName www.m****.net
        ServerAdmin ***@****l.com
    
        DocumentRoot "/var/www"
    </VirtualHost>
    
    # =================================================
    # SSL/TLS settings
    # =================================================
    SSLRandomSeed startup file:/dev/urandom 1024
    SSLRandomSeed connect file:/dev/urandom 1024
    SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
    SSLSessionCacheTimeout 600
    
    NameVirtualHost www.m****.net:443
    
    <VirtualHost www.m****.net:443>
        ServerName www.m****.net
        ServerAdmin ****@****.com
    
        DocumentRoot "/var/www/magento"
    
        SSLEngine on
        SSLOptions +StrictRequire
    
        SSLProtocol -all +TLSv1 +SSLv3
        SSLCipherSuite HIGH:MEDIUM:!SSLv2:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
    
        SSLCertificateFile /path/to/server.crt
        SSLCertificateKeyFile /path/to/server.key
        SSLCACertificateFile /path/to/ca.txt
    
        SSLVerifyClient none
        SSLProxyEngine off
    
        <IfModule mime.c>
            AddType application/x-x509-ca-cert      .crt
            AddType application/x-pkcs7-crl         .crl
        </IfModule>
    
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined
    
    </VirtualHost>
    Rev First Speaker Schol-R-LEA;2 JAM LCF ELF KoR KCO BiWM TGIF
    #define KINSEY (rand() % 7) λ Scheme is the Red Pill
    Scheme in Short Understanding the C/C++ Preprocessor
    Taming Python A Highly Opinionated Review of Programming Languages for the Novice, v1.1

    FOR SALE: One ShapeSystem 2300 CMD, extensively modified for human use. Includes s/w for anthro, transgender, sex-appeal enhance, & Gillian Anderson and Jason D. Poit clone forms. Some wear. $4500 obo. tverres@et.ins.gov
#2 Commie Mutant Traitor
    I've managed to fix at least part of the problem, but now I have a new one. The current setup correctly redirects to HTTPS (sometimes), but creates a redirect loop. I am still trying to determine what is causing this. The current version of the sites-enabled/000-default file (with some identifying data elided) is:

    Code:
    <VirtualHost *:80>
        RewriteEngine on
        ReWriteCond %{SERVER_PORT} !^443$
        RewriteRule ^(.*)$    https://%{HTTP_HOST}/$1 [R=301,L]
    </VirtualHost>
    
    # =================================================
    # SSL/TLS settings
    # =================================================
    SSLRandomSeed startup file:/dev/urandom 1024
    SSLRandomSeed connect file:/dev/urandom 1024
    SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
    SSLSessionCacheTimeout 600 
    
    NameVirtualHost masterjoestoybox.net:443
    
    <VirtualHost masterjoestoybox.net:443>
        ServerName masterjoestoybox.net
        ServerAdmin *@*.com
    
        DocumentRoot "/var/www/magento"
    
        SSLEngine on
        SSLOptions +StrictRequire
    
        <Directory />
            SSLRequireSSL
        </Directory>
    
        SSLProtocol -all +TLSv1 +SSLv3
        SSLCipherSuite HIGH:MEDIUM:!SSLv2:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
    
        SSLCertificateFile /path/to/certs/server.crt
        SSLCertificateKeyFile /path/to/private/server.key
        SSLCACertificateFile /path/to/certs/ca.txt
    
        SSLVerifyClient none
        SSLProxyEngine off
    
        <IfModule mime.c>
            AddType application/x-x509-ca-cert      .crt
            AddType application/x-pkcs7-crl         .crl
        </IfModule>
    
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined
    
    </VirtualHost>
    Any advice on this would be helpful.
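Added example, not the poster's configuration: a two-vhost layout that addresses both symptoms described in the posts above, the redirect that fires the wrong way in #1 and the redirect loop in #2. The hostname, certificate paths and the use of mod_headers for HSTS are assumptions; substitute the site's own values. Two details of the posted rules are worth knowing: in virtual-host (server) context the path matched by `^(.*)$` already begins with `/`, so `https://%{HTTP_HOST}/$1` from #2 produces `https://host//path`, and a rewrite rule that also runs inside the HTTPS vhost fires on every request, which is the classic cause of a loop. Putting the redirect only in the port-80 vhost and using `%{REQUEST_URI}` sidesteps both.

```apache
# Added example (not from the thread): HTTP vhost exists only to redirect.
# "www.example.net" and all paths are placeholders (assumptions).
<VirtualHost *:80>
    ServerName www.example.net

    # Only plain-HTTP requests reach this vhost, so no RewriteCond on
    # %{HTTPS} or %{SERVER_PORT} is required. %{REQUEST_URI} already
    # carries the leading "/", so no extra "/" is inserted. Redirecting to
    # a fixed hostname (not %{HTTP_HOST}) guarantees the target matches the
    # certificate rather than whatever Host header the client sent.
    RewriteEngine On
    RewriteRule ^ https://www.example.net%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Apache 2.2 also needs "NameVirtualHost *:443" before this block (assumed
# 2.2, as in the thread); 2.4 dropped the directive.
<VirtualHost *:443>
    ServerName www.example.net
    DocumentRoot "/var/www/magento"

    SSLEngine on
    # SSLv2 and SSLv3 are broken; allow only TLS and prefer the server's order.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    SSLCertificateFile      /path/to/certs/server.crt
    SSLCertificateKeyFile   /path/to/private/server.key
    # Intermediate chain sent to clients. SSLCACertificateFile is for
    # verifying *client* certificates and is not needed with SSLVerifyClient none.
    SSLCertificateChainFile /path/to/certs/chain.crt
    SSLVerifyClient none

    # Deliberately no RewriteRule and no SSLRequireSSL here: every request
    # in this vhost is already TLS, and a redirect here would loop.

    # HSTS (requires mod_headers, assumed loaded): browsers that have seen
    # one HTTPS response go straight to https:// for six months.
    Header always set Strict-Transport-Security "max-age=15768000"

    ErrorLog  /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
</VirtualHost>
```

To confirm the behaviour, `curl -sI http://www.example.net/some/page` should return a single `301` whose `Location:` is `https://www.example.net/some/page` (one slash after the host), and `curl -sI https://www.example.net/some/page` should return `200` with no `Location:` at all; `curl -sL --max-redirs 5 -o /dev/null -w '%{num_redirects}\n' http://www.example.net/` should print `1`. One caveat: if anything in front of Apache terminates TLS (a load balancer or reverse proxy), Apache sees every request as plain HTTP, `%{HTTPS}` is never `on`, and a port-80 redirect will loop no matter how it is written; in that deployment the condition has to test the proxy's `X-Forwarded-Proto` header instead.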
