#1
  1. No Profile Picture
    Secure website on Windows Apache which overrides Ruby proxy


    Hi all,

    First of all I will describe the setup and then ask the question.

    I have created a test website which is running on Apache 2.2 on Windows and uses Ruby on Rails 1.8 (this older version is a requirement, but I think irrelevant to this question) for a couple of dynamic pages; the rest of the pages are static.

    The main website runs in "C:/MyRubyWebsite" through Ruby on Rails with 2 pages, "profile" and "other1", having dynamic URLs which are rewritten to the HTTPS protocol (please see the configuration at the end of the question). The rest of the pages are served as is; they are static.

    The same root directory, "C:/MyRubyWebsite", also contains a subdirectory for a PHP website, which does not depend on Ruby on Rails, e.g. "C:/MyRubyWebsite/phpwebsite". The latter would be accessible by going to "http://www.rubywebsitedomain.com/phpwebsite".

    Now for the actual question. I need the PHP website, which is independent of Ruby on Rails, to be served under HTTPS. Given all the configuration below, that would seem to be straightforward: just type HTTPS in front of the PHP website URL. But when I do that, the URL is rewritten back to regular HTTP, i.e. non-secure.

    What can be done here to allow the non-Ruby website to be served under HTTPS?

    Thank you in advance.

    ---------------------------------------------------------

    The following is the configuration of the virtual directories within the Apache config (ip addresses, domains, and directory names are fictional, but otherwise the configuration is accurate):

    --------------------- Apache Config ---------------------
    Code:
    Listen 111.222.333.444:80
    Listen 111.222.333.444:443
    
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    
    SSLSessionCache        "shmcb:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
    SSLSessionCacheTimeout  300
    
    SSLMutex default
    
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    
    ProxyRequests Off
    AllowCONNECT 443
    
    <VirtualHost www.rubywebsitedomain.com:80>
         ServerAdmin webmaster@rubywebsitedomain.com
         DocumentRoot "C:/MyRubyWebsite"
         ServerName www.rubywebsitedomain.com
         ErrorLog "logs/rubywebsitedomain-err.log"
         CustomLog "logs/rubywebsitedomain-cust.log"
         ErrorDocument 503 /err503.html
         
         RewriteEngine on
    
    # Configure mongrel instances to serve /info requests
         <Proxy balancer://mongrel_cluster>
             BalancerMember http://127.0.0.1:7771
             BalancerMember http://127.0.0.1:7772
             BalancerMember http://127.0.0.1:7773
             BalancerMember http://127.0.0.1:7774
         </Proxy>
    
       ProxyPass /info balancer://mongrel_cluster/info
       ProxyPassReverse /info balancer://mongrel_cluster/info
    
       RewriteCond %{REQUEST_METHOD} ^TRACE
       RewriteRule .* - [F]
       RewriteRule ^$ /
    
       RewriteRule ^/profile/(.*) https://www.rubywebsitedomain/profile/($1) [R,L]
       RewriteRule ^/other1/(.*) https://www.rubywebsitedomain/other1/($1) [R,L]
    
    </VirtualHost>
    
    
    <VirtualHost www.rubywebsitedomain.com:443>
         ServerAdmin webmaster@rubywebsitedomain.com
         DocumentRoot "C:/MyRubyWebsite"
         ServerName www.rubywebsitedomain.com
         ErrorLog "logs/rubywebsitedomain-secure-err.log"
         CustomLog "logs/rubywebsitedomain-secure-cust.log"
         ErrorDocument 503 http://www.rubywebsitedomain.com/err503.html
    
    # Configure mongrel instances to serve /info requests
         <Proxy balancer://mongrel_cluster>
             BalancerMember http://127.0.0.1:7771
             BalancerMember http://127.0.0.1:7772
             BalancerMember http://127.0.0.1:7773
             BalancerMember http://127.0.0.1:7774
         </Proxy>
    
       ProxyPass /info balancer://mongrel_cluster/info
       ProxyPassReverse /info balancer://mongrel_cluster/info
    
       RewriteEngine on
    
       RewriteCond %{REQUEST_METHOD} ^TRACE
       RewriteRule .* - [F]
    
       ErrorLog logs/your_app_error_log
       CustomLog logs/your_access_log combined
    
       SSLEngine on
       SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
       SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/ssl/mycert.crt"
       SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/ssl/mycert.key"
       SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/ssl/intercert.crt"
    
       <FilesMatch "\.(cgi|shtml|phtml|php)$">
          SSLOptions +StdEnvVars
       </FilesMatch>
       <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
          SSLOptions +StdEnvVars
       </Directory>
    
       BrowserMatch ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    
       CustomLog "C:/logs/sslrlog.log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    
    </VirtualHost>
  2. #2
  3. mod_dev_shed
    I don't have a definitive answer for you, but here are a few ideas:

    I would start by enabling a RewriteLog and turning Apache's LogLevel up so you can get more information about a single request. Hopefully you can do this in a dev environment so it's easier to get the logs for just one request since high log levels in production will produce a lot of records.

    I'm curious to know what happens if you go to https://www.rubywebsitedomain.com/phpwebsite/ (note the trailing slash). If "phpwebsite" is a directory and you request it without a trailing slash, Apache will redirect (not rewrite) the request in order to add the trailing slash. This is controlled by the DirectorySlash directive and is there due to security implications of not doing this (so don't just turn it off). You would think Apache would adhere to the original protocol, but maybe it doesn't (either a bug or possibly by design).
    # Jeremy

    Explain your problem instead of asking how to do what you decided was the solution.
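
One way to test the redirect hypothesis from the reply above, as an added example that is not part of the original thread: follow the request one hop at a time and label each redirect, so an HTTPS-to-HTTP downgrade that only appends a trailing slash stands out from a rewrite rule. The names `fetch_hop`, `trace`, `classify` and `SAMPLE` are assumptions of this sketch, and `SAMPLE` is a constructed response set modelling the hypothesis, not output captured from the poster's server.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed responses (not captured): the directory redirect drops to HTTP.
SAMPLE = {
    "https://www.rubywebsitedomain.com/phpwebsite":
        (301, "http://www.rubywebsitedomain.com/phpwebsite/"),
    "http://www.rubywebsitedomain.com/phpwebsite/": (200, None),
}

def fetch_hop(url, timeout=10):
    """Send one HEAD request without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)  # HTTPS keeps certificate checks on
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace(url, fetch=fetch_hop, max_hops=10):
    """Walk the redirect chain; return [(url, status, next_url_or_None), ...]."""
    hops = []
    for _ in range(max_hops):
        status, location = fetch(url)
        # Location may be relative, so resolve it against the current URL.
        nxt = urljoin(url, location) if status in REDIRECTS and location else None
        hops.append((url, status, nxt))
        if nxt is None:
            break
        url = nxt
    return hops

def classify(hops):
    """Label every redirect hop by scheme change and whether it only adds a slash."""
    kinds = {("https", "http"): "downgrade", ("http", "https"): "upgrade"}
    findings = []
    for src, status, dst in hops:
        if dst is None:
            continue
        s, d = urlsplit(src), urlsplit(dst)
        findings.append({
            "from": src, "to": dst, "status": status,
            "kind": kinds.get((s.scheme, d.scheme), "same-scheme"),
            # True when the hop looks like a directory trailing-slash redirect.
            "slash_only": s.hostname == d.hostname and d.path == s.path + "/",
        })
    return findings
```

Calling `classify(trace(url))` against a dev host uses live requests; passing `fetch=SAMPLE.__getitem__` replays the constructed responses offline.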
