Mod-rewrite / mod-env weirdness

[Alan Skea <sk...@acm.org>]

I'm trying to use mod-rewrite to selectively redirect requests to the secure side of a web site, but I'm finding some weird behaviour.  I was running 1.3.26 and this prompted me to pull my finger out and install 1.3.28 but this hasn't fixed the problem.  I wonder if anyone else has seen anything like this.

I have a main config file that includes the same web site config file for both the normal and secure parts of the web site: i.e.:

<VirtualHost 192.168.22.1:80>
ServerName signup.CredGuard-dev.com
ServerAdmin webmaster@skea.com
Define SiteRoot /var/www/sites/signup.CredGuard.com/dev
Include ${SiteRoot}/wwwetc/config
</VirtualHost>

<IfDefine SSL>
<VirtualHost 192.168.22.1:443>
ServerName signup.CredGuard-dev.com
ServerAdmin webmaster@CredGuard.com
Define SiteRoot /var/www/sites/signup.CredGuard.com/dev
SetEnv SSL 1
Include ${SiteRoot}/wwwetc/config
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile ${SiteRoot}_data/cert/CredGuard-dev.crt
SSLCertificateKeyFile ${SiteRoot}_data/cert/CredGuard-dev.key.plain
SSLVerifyClient none
SSLOptions +FakeBasicAuth +ExportCertData
</VirtualHost>
</IfDefine>

In the included config file, I want to do this:

RewriteEngine on
RewriteCond %{ENV:SSL}		!=1
RewriteCond %{REQUEST_URI}	!^/(img)|(ssi)|(obj)/
RewriteRule ^/(.*)$		/redir

The trouble is, it works intermittently.  When I turn on all the logging that I can for mod_rewrite I see that some requests that come in on port 443 can be seen to have the SSL env var set, and others don't so mod_rewrite sends them to the redir page all over again.

The access logs show that the request is going to the right virtual host but the rewrite log shows that the secure virtual host doesn't have the env var set when it looks.  After a few attempts to get the page, it all settles down and works reliably so it looks to me like only the first request through each process has a problem.

Anyone got any insights?

Thanks,
 -_-_ Alan.

Re: Mod-rewrite / mod-env weirdness

[André Malo <nd...@perlig.de>]

* Alan Skea wrote:

> However ... now I'm using the HTTPS variable and getting exactly the same
> behaviour. The problem is only in the top-level request - in
> subrequests, as you say, the variables have been initialised.Also
> it's only the first time that the virtual server is used in a given httpd
> process. Subsequent requests to the same URL in the same httpd
> process are OK and the top-level request has the variable set. It
> looks to me like there is some curiosity in the way that a virtual server
> gets initialised.

Uuh, I have taken a look into mod_ssl now. HTTPS will be set very late as well
:-(. I'm not a mod_ssl guru, so I don't know whether it could be set
earlier...

Fortunately you can use the mod_rewrite lookahead feature in order to solve
this. The following should work reliably:

RewriteCond %{LA-U:ENV:HTTPS} !=on
...

nd

P.S.: please avoid HTML(-only) postings.

Re: Mod-rewrite / mod-env weirdness

[André Malo <nd...@perlig.de>]

* Alan Skea wrote:

> SetEnv SSL 1
...
> RewriteEngine on
> RewriteCond %{ENV:SSL}                !=1
> RewriteCond %{REQUEST_URI}    !^/(img)|(ssi)|(obj)/
> RewriteRule ^/(.*)$           /redir

SetEnv variables will we set much later than mod_rewrite can check them, so
the successful requests, you're seeing are probably subrequests, caused be a
handler.

mod_ssl should set the HTTPS variable (on or off) which is for that purpose.
You should use this one.

nd