Posted to user@guacamole.apache.org by Carter Sema <CS...@acschools.org> on 2017/10/16 19:42:06 UTC

Apache Force Re-Direct to HTTPS

So, guac is configured to use Let's Encrypt for an SSL cert and it works great. But, my unsecured version is still open. My Apache configuration is set to redirect to HTTPS, but guac doesn't seem to be listening, or my apache rules are incorrect.

My current apache config is listed below.

<VirtualHost *:80>
      # redirect to https
      Redirect permanent / https://myURL
</VirtualHost>

<VirtualHost *:443>
      # LogLevel info ssl:warn
      ErrorLog ${APACHE_LOG_DIR}/error.log
      CustomLog ${APACHE_LOG_DIR}/access.log combined

      # Enable SSL for this virtual host.
      SSLEngine on
      SSLCertificateKeyFile /etc/letsencrypt/live/myurl.org/privkey.pem
      SSLCertificateFile /etc/letsencrypt/live/myurl.org/cert.pem
      SSLCertificateChainFile /etc/letsencrypt/live/myurl.org/chain.pem

      # Configure proxy with tomcat
      ProxyPreserveHost On
      ProxyRequests Off
      ProxyPass / http://localhost:8080/
      ProxyPassReverse / http://localhost:8080/
</VirtualHost>

After doing some searching I found that I needed to add this to my configuration. But it didn't seem to work and my rewrite module has been enabled.
      RewriteEngine On
      RewriteCond %{HTTPS} On
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

I know this is a simple question, but would anyone have advice or a suggestion?

Thanks!

Carter Sema
Network Support Specialist
CSema@acschools.org


Re: Apache Force Re-Direct to HTTPS

Posted by Nick Couchman <ni...@gmail.com>.
On Mon, Oct 16, 2017 at 10:25 PM, Carter Sema <CS...@acschools.org> wrote:

> I checked my Apache folders and my only site-enabled is my tomcat one, and
> just to be safe, I deleted the default ones in sites-available, rebooted
> apache2 and reloaded, still no luck. I can actually access HTTP content
> such as Guac (not static default tomcat sites) and it works. Any other
> tricks or ideas?
>
Nothing off the top of my head - clearly something else there is still
servicing the traffic on port 80, but I'm not able to spot what it is in
the configs you've posted.


> Do I need to enable Rewrite? The only reason I ask, is because on my other
> ubuntu-apache2-tomcat8 box, I don't have Rewrite enabled, and it works.
>
I think you should be able to do it without rewrite and with alias, using
the Redirect permanent line you have.  According to docs, the Redirect
directive is part of mod_alias, so you should only need to enable mod_alias
and then put that Redirect permanent / https://<host>/ line in there.


> I ended up doing what you suggested and blocking my traffic to port 80. As
> a fix for right now, eventually I will go back and investigate more. As you
> said, it's not pretty, but it restricts unwanted access on unsecured ports.
> I'm pretty new to Linux in general but quickly learning, is blocking the
> port 80/8080 just as secure as forcing a redirect to https?
>
It's certainly no less secure than forcing a redirect - it might be
slightly more secure than allowing port 80 through and forcing the
redirect, since it's truly blocking all non-SSL/TLS traffic, so there's not
anything unencrypted that will get by.  Based on your setup, proxying
through Apache httpd, I would *definitely* block port 8080 and 8009 from
the outside world - my usual practice is to reconfigure Tomcat to only
listen on 127.0.0.1 so that the 8080/8009 traffic remains internal to the
host, and httpd (or nginx when I use that) is handling all of the requests
coming in from the network.

-Nick
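
A way to check the point about ports 8080 and 8009 made in the reply above, as an added example that is not part of the original thread: a POSIX shell function that reads the output of ss -tln and lists listeners on the Tomcat ports that are bound to anything other than loopback. The function name exposed_listeners and the sample ss output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ss -tln` output on stdin and
# prints "PORT ADDRESS" for each watched port bound to a non-loopback address.

# Constructed sample: Tomcat HTTP on all interfaces, AJP on loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      100                *:8080             *:*
LISTEN 0      100        127.0.0.1:8009       0.0.0.0:*
LISTEN 0      1   [::ffff:127.0.0.1]:8005           *:*'

exposed_listeners() {
    # Arguments: ports that should be loopback-only (default: 8080 8009).
    [ $# -gt 0 ] || set -- 8080 8009
    while read -r state rq sq laddr rest || [ -n "$state" ]; do
        # Skip the header line and anything that is not a listening socket.
        [ "$state" = LISTEN ] || continue
        port=${laddr##*:}      # text after the last colon
        addr=${laddr%:*}       # everything before it, IPv6 brackets included
        case $addr in
            127.*|'[::1]'|'[::ffff:127.'*) continue ;;   # loopback: fine
        esac
        for p in "$@"; do
            if [ "$p" = "$port" ]; then
                printf '%s %s\n' "$port" "$addr"
            fi
        done
    done
    return 0
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On a live host, run ss -tln | exposed_listeners; an empty result means the watched ports are reachable only from the host itself. In Tomcat the bind address is set with the address attribute on the Connector element in server.xml.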

Re: Apache Force Re-Direct to HTTPS

Posted by Carter Sema <CS...@acschools.org>.
I checked my Apache folders and my only site-enabled is my tomcat one, and just to be safe, I deleted the default ones in sites-available, rebooted apache2 and reloaded, still no luck. I can actually access HTTP content such as Guac (not static default tomcat sites) and it works. Any other tricks or ideas?

Do I need to enable Rewrite? The only reason I ask, is because on my other ubuntu-apache2-tomcat8 box, I don't have Rewrite enabled, and it works.

I ended up doing what you suggested and blocking my traffic to port 80. As a fix for right now, eventually I will go back and investigate more. As you said, it's not pretty, but it restricts unwanted access on unsecured ports. I'm pretty new to Linux in general but quickly learning, is blocking the port 80/8080 just as secure as forcing a redirect to https?

Carter Sema
Network Support Specialist
CSema@acschools.org


Re: Apache Force Re-Direct to HTTPS

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Oct 16, 2017 at 3:42 PM, Carter Sema <CS...@acschools.org> wrote:

> So, guac is configured to use Let's Encrypt for an SSL cert and it works
> great. But, my unsecured version is still open. My Apache configuration is
> set to redirect to HTTPS, but guac doesn't seem to be listening, or my
> apache rules are incorrect.
>
> My current apache config is listed below.
>
> <VirtualHost *:80>
>       # redirect to https
>       Redirect permanent / https://myURL
> </VirtualHost>
>

Is there another VirtualHost directive elsewhere in your Apache config that
might be overwriting this?  Are you able to access Guacamole via HTTP, or
does it just go to some other generic HTML content?

If you are able to access Guacamole via HTTP (vs. static content), make
sure you don't have any other ProxyPass/ProxyPassReverse directives in any
other Apache config files, as those might take precedence over the
Rewrite conditions.  You should only need those ProxyPass directives in
your <VirtualHost *:443> directive.

Finally, you always have the option of firewalling port 80 on your Apache
host - it isn't as user-friendly, but it keeps people from using HTTP :-).

-Nick
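
One way to carry out the ProxyPass check suggested in the reply above, as an added example that is not part of the original thread: a POSIX shell function that reads Apache configuration text and lists every ProxyPass/ProxyPassReverse directive sitting outside a VirtualHost block for port 443. The function name stray_proxypass, the sample configuration and the host name guac.example.org are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads Apache config text on stdin and
# prints "LINE:CONTEXT:DIRECTIVE" for each ProxyPass/ProxyPassReverse that is
# not inside a <VirtualHost ...:443> block. Assumes canonical directive
# capitalisation and one directive per line.

# Constructed sample: one global proxy rule and one inside the port-80 vhost.
SAMPLE_CONF='ProxyPass /guacamole/ http://localhost:8080/guacamole/
<VirtualHost *:80>
    Redirect permanent / https://guac.example.org/
    ProxyPass / http://localhost:8080/
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>'

stray_proxypass() {
    ctx="global"; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line#"${line%%[![:space:]]*}"}    # strip leading whitespace
        case $line in
            '#'*|'') continue ;;                  # comments and blank lines
            '</VirtualHost'*) ctx="global" ;;
            '<VirtualHost'*)
                ctx=${line#'<'*[[:space:]]}       # drop "<VirtualHost "
                ctx=${ctx%%'>'*} ;;               # drop ">" -> e.g. "*:80"
            ProxyPass[[:space:]]*|ProxyPassReverse[[:space:]]*)
                case $ctx in
                    *:443) ;;                     # expected location
                    *) printf '%s:%s:%s\n' "$n" "$ctx" "$line" ;;
                esac ;;
        esac
    done
    return 0
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_CONF" | stray_proxypass
```

On a Debian/Ubuntu layout the input would be the enabled files, for example cat /etc/apache2/conf-enabled/*.conf /etc/apache2/sites-enabled/*.conf | stray_proxypass, with line numbers counted across the concatenated input. Running apache2ctl -S alongside it shows which file defines the port-80 virtual host that Apache actually loaded.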