Posted to wiki-changes@httpd.apache.org by Apache Wiki <wi...@apache.org> on 2007/01/03 15:13:49 UTC

[Httpd Wiki] Update of "Recipes/RedirectSSL" by JohnCrown

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The following page has been changed by JohnCrown:
http://wiki.apache.org/httpd/Recipes/RedirectSSL

The comment on the change is:
added a bunch of improved code

------------------------------------------------------------------------------
- = Redirect Request To SSL =
+ = Redirect Request To SSL with httpd.conf =
+ 
  Let's say you want http://www.domain.com/secure/ to always be sent over SSL (I presume here that both the normal and the SSL vhost have the same content). You could do this by linking to the correct page from within your HTML pages... but there will always be some user who will sneak by it that way.
  
  
- == Using mod_rewrite ==
+ === Using mod_rewrite ===
+ 
  {{{
  <Location /secure>
     RewriteEngine On
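
Review bot: The new headings skip a level here: the page title becomes `= Redirect Request To SSL with httpd.conf =` and the subsection goes straight to `=== Using mod_rewrite ===`, with no `==` level in between. Keep the subsections at `==`, or add the intermediate level, so the outline stays consistent.
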
@@ -12, +14 @@

     RewriteRule .* https://%{HTTP_HOST}:443%{REQUEST_URI} [QSA,R=permanent,L]
  </Location>
  }}}
- 
- '''Note: This snippet can also be used inside a directory or vhost container.'''
+ '''Note:''' This snippet can also be used inside a directory or vhost container.
  
  Make sure you have loaded [http://httpd.apache.org/docs/trunk/mod/mod_rewrite.html mod_rewrite] and have it enabled.
- 
  {{{
     LoadModule rewrite_module modules/mod_rewrite.so
     RewriteEngine On
  }}}
  
- == Using virtual hosts ==
+ === Using virtual hosts ===
  
  When using SSL, you will frequently have at least two virtual hosts: one on port 80 to serve ordinary requests, and one on port 443 to serve SSL.  If you wish to redirect users from the non-secure site to the SSL site, you can use an ordinary [http://httpd.apache.org/docs/trunk/mod/mod_alias.html#redirect Redirect] directive inside the non-secure VirtualHost:
  
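
Review bot: Blank-line handling around code blocks is inconsistent in this hunk: the blank line before the `{{{` holding `LoadModule rewrite_module` is removed and the Note now follows the closing `}}}` directly, while the previous hunk adds a blank line before its `{{{`. Pick one convention. Separately, the unchanged context rule `https://%{HTTP_HOST}:443%{REQUEST_URI}` appends `:443` to whatever the Host header carried, port included, while the rules added later in this change use `https://%{HTTP_HOST}%{REQUEST_URI}`; the page should settle on one form and say why.
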
@@ -40, +40 @@

     SSLEngine On
  # etc...
  </VirtualHost>
+ }}}
  
+ 
+ 
+ 
+ = Redirect To SSL with .htaccess =
+ '''following htaccess methods are from: [http://www.askapache.com/2006/htaccess/apache-ssl-in-htaccess-examples.html askApache.com]'''
+ {{{
+ # If server does not have mod_ssl or mod_rewrite deny access
+ [IfModule !mod_rewrite.c]
+ [IfModule !mod_ssl.c]
+ deny from all
+ [/IfModule]
+ [/IfModule]
+ }}}
+ 
+ 
+ 
+ === Most Secure SSL Forcing Method '''(doesn't require mod_rewrite!)''' ===
+ 
+ This will check to make sure that the connection is using SSL, or it will fail. This works regardless of if you are serving SSL on port 443, 80, 81, etc. This is the most secure setting for SSL logins.
+ 
+ This also fixes having to type in the username and password twice by requiring the HTTP_HOST to match the HTTP_HOST that your SSL certificate is set-up for, in the case above, the SSL is for google.com not www.google.com
+ 
+ So if either of those 2 checks fail '''(!SSL or !correct domain)''' than the (403) ErrorDocument directive issues a 302 Found, Location: https://google.com which forces the client to connect to the correct location. 
+ 
+ {{{
+ [IfModule mod_ssl.c]
+ SSLOptions +StrictRequire
+ SSLRequireSSL
+ SSLRequire %{HTTP_HOST} eq "google.com"
+ ErrorDocument 403 https://google.com
+ [/IfModule]
+ }}}
+ 
+ 
+ 
+ 
+ 
+ === Rewrite non-SSL requests to SSL '''(doesn't require mod_ssl!)''' ===
+ 
+ {{{
+ [IfModule !mod_rewrite.c]
+ RewriteCond %{HTTPS} !=on
+ RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L]
+ [/IfModule]
+ }}}
+ 
+ ''NOTE'': The HTTPS variable is always present, even if mod_ssl isn’t loaded!
+ 
+ 
+ 
+ 
+ === Redirect everything served on port 80 to SSL ===
+ 
+ {{{
+ RewriteCond %{SERVER_PORT} ^80$
+ RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L]
+ }}}
+ 
+ 
+ 
+ === Changing to SSL or non-SSL using relative URLs ===
+ 
+ {{{
+ RewriteRule ^/(.*):SSL$   https://%{SERVER_NAME}/$1 [QSA,R,L]
+ RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [QSA,R,L]
+ }}}
+ This lets you use hyperlinks in your web document of the form
+ {{{
+ /document.html:SSL    --> https://google.com/document.html
+ /document.html:NOSSL  --> http://google.com/document.html
+ }}}
+ 
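
Review bot: The guard on the "Rewrite non-SSL requests to SSL" block is inverted: `[IfModule !mod_rewrite.c]` would apply the `RewriteCond`/`RewriteRule` pair only when mod_rewrite is absent, which is the one case where those directives cannot work. Drop the `!`, and write the containers as `<IfModule mod_rewrite.c>` ... `</IfModule>`: every added block uses square brackets, while the existing `<Location /secure>` and `</VirtualHost>` lines on this page show that angle brackets are fine inside `{{{ }}}`. None of the added rewrite examples includes `RewriteEngine On`, which they need in an .htaccess file. In "Changing to SSL or non-SSL using relative URLs", the patterns `^/(.*):SSL$` and `^/(.*):NOSSL$` begin with a slash, but in per-directory context mod_rewrite strips the directory prefix before matching, so they will not match under the ".htaccess" heading they sit beneath; either state that they belong in server or vhost config or drop the leading slash. Finally, "in the case above, the SSL is for google.com" refers to an example that only appears below that sentence, and the rest of the page uses www.domain.com as its sample host.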

Re: [Httpd Wiki] Update of "Recipes/RedirectSSL" by JohnCrown

Posted by Rich Bowen <rb...@rcbowen.com>.
On Jan 3, 2007, at 09:13, Apache Wiki wrote:

>
> + = Redirect To SSL with .htaccess =
> + '''following htaccess methods are from: [http://www.askapache.com/ 
> 2006/htaccess/apache-ssl-in-htaccess-examples.html askApache.com]'''
> + {{{
> + # If server does not have mod_ssl or mod_rewrite deny access
> + [IfModule !mod_rewrite.c]
> + [IfModule !mod_ssl.c]
> + deny from all
> + [/IfModule]
> + [/IfModule]
> + }}}
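
Review bot: The comment and the nesting disagree in this block: "If server does not have mod_ssl or mod_rewrite deny access" describes an OR, but `deny from all` sits inside both negated tests, so it applies only when both modules are missing. Two sibling blocks, one per module, would match the comment.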

This, and other bits on this page, appear to be cargo-culted from  
modssl.org, askapache.com, and various other places. I'm not real  
comfortable with that precedent, particularly when the given examples  
are inaccurate. Can we stick to functional examples, and original  
work, please?

JohnCrown, are you on this mailing list? We've got some rather  
specific goals for the wiki. Foremost is the enhancement of the  
official documentation. As such, contributions must be stuff that  
you're actually legally able to give to the ASF. And, of course, they  
also need to be accurate. I see that a number of your edits have been  
reverted, and I imagine that must be frustrating. But you can't copy  
stuff from other websites and paste it onto this website. We take  
copyright pretty seriously.

--
If we only live,
We too will go to sea in a Sieve,---
   To the hills of the Chankly Bore!


