[Httpd Wiki] Update of "ScratchPad/RedirectSSL" by JohnCrown

[Apache Wiki <wi...@apache.org>]

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The following page has been changed by JohnCrown:
http://wiki.apache.org/httpd/ScratchPad/RedirectSSL

The comment on the change is:
Added tons of stuff, hopefully enough to meet the S-T-R-I-C-T rules here.

------------------------------------------------------------------------------
- Pepper:
+ [[Navigation(slideshow)]]
+ [[FullSearch]]
  = Redirect Request to SSL =
  Let's say you want http://www.domain.com/secure/ to always be sent over SSL (I presume here that both the normal and the SSL vhost have the same content). You could do this by linking to the correct page from within your HTML pages... but there will always be some user who will sneak by it that way.
  
+ [[TableOfContents([3])]]
  
+ ----
+ 
+ [[Anchor("context_nonhtaccess)]]
+ == Context: server config, virtual host, directory ==
+ [[Anchor("using_mod_rewrite)]]
- == Using mod_rewrite ==
+ === Using mod_rewrite ===
  {{{
  <Location /secure>
     RewriteEngine On
     ReWriteCond %{HTTPS} !=on
-    RewriteRule .* https://%{HTTP_HOST}:8443%{REQUEST_URI} [QSA,R=permanent,L]
+    RewriteRule .* https://%{HTTP_HOST}:8443%{REQUEST_URI} [QSA,R=301,L]
  </Location>
  }}}
  
- '''Note: This snippet can also be used inside a directory or vhost container. If the SSL port is 443 (the default), you don't need it (or the colon) in the RewriteRule, as all browsers which support SSL will automatically use port 443; this example redirects to an SSL server on port 8443.'''
+ '''Note:''' This snippet can also be used inside a directory or vhost container. If the SSL port is 443 (the default), you don't need it (or the colon) in the RewriteRule, as all browsers which support SSL will automatically use port 443; this example redirects to an SSL server on port 8443.
  
  Make sure you have loaded [http://httpd.apache.org/docs/trunk/mod/mod_rewrite.html mod_rewrite] and have it enabled.
  
@@ -22, +29 @@

     LoadModule rewrite_module modules/mod_rewrite.so
     RewriteEngine On
  }}}
- 
+ [[Anchor("using_virtual_hosts)]]
- == Using virtual hosts ==
+ === Using virtual hosts ===
- 
  When using SSL, you will frequently have at least two virtual hosts: one on port 80 to serve ordinary requests, and one on port 443 to serve SSL.  If you wish to redirect users from the non-secure site to the SSL site, you can use an ordinary [http://httpd.apache.org/docs/trunk/mod/mod_alias.html#redirect Redirect] directive inside the non-secure VirtualHost:
  
  {{{
@@ -43, +49 @@

  </VirtualHost>
  }}}
  
+ ----
  
+ [[Anchor("context_htaccess")]]
+ == Context: .htaccess, server config, virtual host, directory  ==
  
+ [[Anchor("most_secure_ssl_redirect_method)]]
- == Most Secure SSL Redirect Method (doesn't require mod_rewrite!) ==
+ === Most Secure SSL Redirect Method (doesn't require mod_rewrite!) ===
- This will check to make sure that the connection is using SSL, or it will fail. This works whether you are serving SSL on port 443, 80, 81, or elsewhere. This is the most secure setting for SSL logins.
+ [[FootNote(Based on article at http://www.askapache.com/2006/htaccess/apache-ssl-in-htaccess-examples.html with explicit permission given by site owner and article author to repost here.)]][http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#ssloptions SSLOptions +StrictRequire] forces forbidden access (403) when `SSLRequireSSL` or `SSLRequire` decide access should be forbidden. Usually where a [http://httpd.apache.org/docs/trunk/mod/mod_access_compat.html#satisfy Satisfy Any] directive is used, this denial of access is overridden.  For strict access restriction you can use `SSLRequireSSL` and/or `SSLRequire` in combination with an `SSLOptions +StrictRequire` Then an additional `Satisfy Any` has no chance once [http://httpd.apache.org/docs/trunk/mod/mod_ssl.html mod_ssl] has decided to deny access.
  
- This also avoids having to type in the username and password twice by requiring the HTTP_HOST to match the HTTP_HOST that your SSL certificate is set up for; in the case above, the certificate is for `askapache.com` rather than `www.askapache.com`
+ [http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslrequiressl SSLRequireSSL] forbids access unless HTTP over SSL (i.e. HTTPS) is enabled for the current connection.[[BR]]
+ [http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslrequire SSLRequire] forbids access unless HTTP_HOST matches your SSL certificate ''(in this case, the certificate is for `askapache.com` not `www.askapache.com`)''.
  
- So if either of those 2 checks fail '''(no SSL or incorrect domain)''' then the (403) ErrorDocument directive redirects the browser to try again at https://askapache.com .
+ If either of those 2 checks fail (403), then the [http://httpd.apache.org/docs/trunk/mod/core.html#errordocument ErrorDocument] directive uses a `302` to redirect the browser to `https://askapache.com`.
  {{{
- [IfModule mod_ssl.c]
- SSLOptions +StrictRequire
+    SSLOptions +StrictRequire
- SSLRequireSSL
+    SSLRequireSSL
- SSLRequire %{HTTP_HOST} eq "askapache.com"
+    SSLRequire %{HTTP_HOST} eq "askapache.com"
- ErrorDocument 403 https://askapache.com
+    ErrorDocument 403 https://askapache.com
- [/IfModule]
+ }}}
+ '''Note:''' Checking for the correct HTTP_HOST fixes the problem with Basic Authentication asking for the username/password twice, and also fixes security errors about your SSL certificate.
+ 
+ [[Anchor("alternative_most_secure_redirect_method)]]
+ === Alternative to above method (doesn't require mod_ssl!) ===
+ [[FootNote(Based on article at http://www.askapache.com/2006/htaccess/apache-ssl-in-htaccess-examples.html with explicit permission given by site owner and article author to repost here.)]]{{{
+    RewriteCond %{HTTPS} !=on
+    RewriteRule .* - [F]
+    ErrorDocument 403 https://askapache.com
+ }}}
+ 
+ [[Anchor(rewrite_non_ssl_with_mod_rewrite)]]
+ === Rewrite non-SSL to SSL with mod_rewrite (doesn't require mod_ssl!) ===
+ [[FootNote(Based on article at http://www.askapache.com/2006/htaccess/apache-ssl-in-htaccess-examples.html with explicit permission given by site owner and article author to repost here.)]]{{{
+    RewriteCond %{HTTPS} !=on
+    RewriteRule .*$ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L]
+ }}}
+ '''NOTE''': The ''HTTPS'' variable is always present, even if `mod_ssl` isn’t loaded! This is useful if a non-SSL server is redirecting to a different SSL-enabled server.
+ 
+ [[Anchor(redirect_everything_served_on_port_80_to_ssl)]]
+ === Redirect everything served on port 80 to SSL ===
+ [[FootNote(Based on article at http://www.askapache.com/2006/htaccess/apache-ssl-in-htaccess-examples.html with explicit permission given by site owner and article author to repost here.)]]{{{
+    RewriteCond %{SERVER_PORT} ^80$
+    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L]
+ }}}
+ 
+ [[Anchor(redirecting_to_ssl_or_non_ssl_using_relative_uris)]]
+ === Redirecting to SSL or non-SSL using relative URIs ===
+ [[FootNote(Based on article at http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#aboutconfig)]]{{{
+    RewriteRule ^/(.*):SSL$   https://%{SERVER_NAME}/$1 [QSA,R=302,L]
+    RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [QSA,R=302,L]
+ }}}
+ This lets you use URIs in your html like:
+ {{{
+ http://askapache.com/index.html:SSL           ==>  http'''s'''://askapache.com/index.html
+ http'''s'''://askapache.com/index.html:NOSSL  ==>  http://askapache.com/index.html
  }}}
  
  
+ ----
+ [[FootNote()]]
- == Rewrite non-SSL requests to SSL with `mod_rewrite` ==
- {{{
- [IfModule !mod_rewrite.c]
- RewriteCond %{HTTPS} !=on
- RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L]
- [/IfModule]
- }}}
- ''NOTE'': The ''HTTPS'' variable is always present, even if `mod_ssl` isn’t loaded! This is useful if a non-SSL server is redirecting to a different SSL-enabled server.
  
+ ----
+ [wiki:ScratchPad ScratchPad]
  
- == Redirect everything served on port 80 to SSL ==
- {{{
- RewriteCond %{SERVER_PORT} ^80$
- RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L]
- }}}
- 
- 
- == Changing to SSL or non-SSL using relative URLs ==
- {{{
- RewriteRule ^/(.*):SSL$   https://%{SERVER_NAME}/$1 [QSA,R,L]
- RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [QSA,R,L]
- }}}
- This lets you use URIs like:
- {{{
- /document.html:SSL    --> https://askapache.com/document.html
- /document.html:NOSSL  --> http://askapache.com/document.html
- }}}
-