Posted to dev@httpd.apache.org by Reindl Harald <h....@thelounge.net> on 2017/09/17 00:24:13 UTC

Re: Listen 443 https (SSLEngine Optional - dual host)

that's even worse - phpMyAdmin 4.4.15.10 seems to handle something 
wrong because $_SERVER['SERVER_PORT'] is wrong - and I had myself some 
bad code using that var instead of $_SERVER['HTTPS'] which again led 
into an endless loop

in case of phpMyAdmin it redirects to https://hostname:80/path/ after 
entering username/password - the workaround below in the config file seems 
to solve that for now, but all in all that leaves a very bad taste

if(empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
{
  $cfg['ForceSSL'] = false;
}
else
{
  $cfg['ForceSSL'] = true;
}


On 14.09.2017 at 18:16, Reindl Harald wrote:
> On 14.09.2017 at 16:08, Stefan Eissing wrote:
>> Ok, as I read the code a bit more, there is a tangle of things that 
>> can influence port/scheme selection. But from what I can see, the version 
>> in *trunk* should do the right thing *iff*
>>
>> a) you use "SSLEngine *:443" instead of "Optional"
>> b) you use "ServerName xxx.yyy" *without* a port name
>>
>> then a
>> <VirtualHost *:80 *:443>
>>    ServerName xxx.yyy
>>    SSLEngine *:443
>>     ...
>> </VirtualHost>
>>
>> should do the right thing here. Internal methods used to generate 
>> Redirect Location headers, namely
>> ap_construct_url()
>> ap_get_server_port()
>> ap_http_scheme()
>> should give back the correct values for each connection and also fill 
>> the Env Variables with the correct values.
> 
> what does "trunk" mean here?
> a future 2.5/2.6/3.0 or a 2.4.x in the near future?
> 
> within 2 weeks you need TLS on each and every host since Chrome starts 
> to warn about every page with a form tag and no TLS
> 
> [root@srv-rhsoft:~]$ apachectl -t
> AH00526: Syntax error on line 29 of 
> /etc/httpd/conf/sites_enabled/contentlounge.conf:
> Argument must be On, Off, or Optional
>>> On 14.09.2017 at 15:46, Reindl Harald <h....@thelounge.net> wrote:
>>>
>>>
>>>
>>> On 14.09.2017 at 15:40, Stefan Eissing wrote:
>>>> Harald,
>>>> could you check if a configuration like:
>>>>    UseCanonicalPhysicalPort on
>>>> in the server or vhost mitigates the problem?
>>>
>>> it makes it even more terrible and the resulting http:// protocol 
>>> instead of https:// on port 443 here even triggers mod_security
>>>
>>> even if it would mitigate that issue - having ports in redirect urls 
>>> easily leads to a lot of other problems when proxy-servers are part 
>>> of the game
>>>
>>> [harry@srv-rhsoft:/mnt/data/downloads]$ curl --head --insecure 
>>> https://contentlounge/cms
>>> HTTP/1.1 301 Moved Permanently
>>> Date: Thu, 14 Sep 2017 13:43:06 GMT
>>> X-DNS-Prefetch-Control: off
>>> X-Content-Type-Options: nosniff
>>> X-Response-Time: D=1561 us
>>> Location: http://contentlounge:443/cms/
>>> Cache-Control: max-age=0
>>> Expires: Thu, 14 Sep 2017 13:43:06 GMT
>>> Content-Type: text/html; charset=iso-8859-1
>>>
>>>>> On 14.09.2017 at 12:00, Reindl Harald <h....@thelounge.net> wrote:
>>>>>
>>>>>
>>>>>
>>>>> On 10.08.2017 at 18:22, Reindl Harald wrote:
>>>>>>> If you want to experiment...
>>>>>>> <VirtualHost IP:80 IP:443>
>>>>>>> is already recognized
>>>>>> but with "SSLEngine On" and "SSLCertificateFile" configured, 
>>>>>> non-https would no longer work
>>>>>
>>>>> OK, figured it out
>>>>>
>>>>> * you need the *first* vhost with "SSLEngine On"
>>>>> * others can have "SSLEngine optional" and listen to 80 and 443
>>>>>
>>>>> but there is a bug: 
>>>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=61519
>>>>>
>>>>> if the trailing slash is missing in the URL the automatic redirect 
>>>>> to the fully qualified folder path points to http:// instead of 
>>>>> https://, and that does not happen within a vhost dedicated to :443 
>>>>> and "SSLEngine On"
>>>>>
>>>>> I was trapped in an endless loop because the PHP script making a 
>>>>> redirect to https:// had a bug and missed the trailing / too
>>>>>
>>>>> <VirtualHost *:80 *:443>
>>>>> DocumentRoot "/www/contentlounge"
>>>>> ServerName contentlounge.rhsoft.net
>>>>> SSLEngine optional
>>>>> SSLCertificateFile "conf/ssl/rhsoft.net.pem"
>>>>> </VirtualHost>
>>>>>
>>>>> [harry@srv-rhsoft:~]$ curl --head --insecure https://contentlounge/cms
>>>>> HTTP/1.1 301 Moved Permanently
>>>>> Date: Thu, 14 Sep 2017 09:40:27 GMT
>>>>> X-DNS-Prefetch-Control: off
>>>>> X-Content-Type-Options: nosniff
>>>>> X-Response-Time: D=1311 us
>>>>> Location: http://contentlounge/cms/
>>>>> Cache-Control: max-age=0
>>>>> Expires: Thu, 14 Sep 2017 09:40:27 GMT
>>>>> Content-Type: text/html; charset=iso-8859-1
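The redirect loop and the SERVER_PORT problem described in the message above, modelled as an added Python example (not code from the thread, httpd or phpMyAdmin): it chases the 301s through a constructed Apache layer that reproduces bug 61519 (directory redirect whose Location is built with http:// although the request came in over TLS) and a PHP ForceSSL layer, and shows why deciding the scheme from HTTPS rather than SERVER_PORT, and keeping the trailing slash, breaks the loop. DIRECTORIES, the host name and the always-80 SERVER_PORT are constructed values taken from what the thread reports.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed model of the thread's setup: one vhost on *:80 and *:443 with
# "SSLEngine Optional", where phpinfo() reports SERVER_PORT 80 even on a TLS
# connection. Added example, not code from httpd or phpMyAdmin.
DIRECTORIES = {"/cms/"}          # constructed: /cms is a directory on the vhost


def request_env(url):
    """Build the CGI-style environment the (buggy) server hands to PHP."""
    u = urlsplit(url)
    return {
        "HTTPS": "on" if u.scheme == "https" else "",
        "SERVER_PORT": "80",        # wrong on TLS, as seen in the thread
        "HTTP_HOST": u.netloc,
        "REQUEST_URI": u.path,
    }


def is_https(env):
    """Decide the scheme from HTTPS, never from SERVER_PORT."""
    value = env.get("HTTPS", "")
    return value != "" and value.lower() != "off"


def is_https_by_port(env):
    """The fragile variant: trusts SERVER_PORT, which is 80 here on TLS."""
    return env.get("SERVER_PORT") == "443"


def canonical_location(scheme, host, path):
    """Location header without a redundant :80/:443 (no IPv6 literals here)."""
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit() and port == {"http": "80", "https": "443"}[scheme]:
        host = name
    return urlunsplit((scheme, host, path, "", ""))


def apache_dir_redirect(url):
    """Bug 61519 model: a directory requested without trailing slash gets a
    301, but the Location is built with http:// even on a TLS connection."""
    u = urlsplit(url)
    if u.path + "/" in DIRECTORIES:
        return canonical_location("http", u.netloc, u.path + "/")
    return None


def php_force_https(url, detect=is_https, keep_path=True):
    """PHP-side ForceSSL: send plain-http requests to https://.
    keep_path=False reproduces the script that dropped the trailing slash."""
    env = request_env(url)
    if detect(env):
        return None
    path = env["REQUEST_URI"] if keep_path else env["REQUEST_URI"].rstrip("/")
    return canonical_location("https", env["HTTP_HOST"], path)


def follow(url, php_detect=is_https, keep_path=True, limit=8):
    """Chase redirects through both layers; return (chain, looped)."""
    chain = [url]
    seen = {url}
    for _ in range(limit):
        nxt = apache_dir_redirect(url) or php_force_https(url, php_detect, keep_path)
        if nxt is None:
            return chain, False
        chain.append(nxt)
        if nxt in seen:              # same URL twice: the endless loop
            return chain, True
        seen.add(nxt)
        url = nxt
    return chain, True               # hit the limit: treat as a loop


if __name__ == "__main__":
    for args in ({}, {"keep_path": False}, {"php_detect": is_https_by_port}):
        chain, looped = follow("https://contentlounge/cms", **args)
        print("LOOP" if looped else "ok  ", " -> ".join(chain))
```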

Re: Listen 443 https (SSLEngine Optional - dual host)

Posted by Reindl Harald <h....@thelounge.net>.
assumption confirmed - and my connection is for sure https:// because of 
the mod_rewrite and finally HSTS

https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 updated too

phpinfo():
SERVER_PORT 	80

<VirtualHost *:80 *:443>
  ServerName www.rhsoft.net
  SSLEngine Optional
  SSLUseStapling On
  SSLCertificateFile "certs/rhsoft-www.conf_rsa.pem"
  SSLCertificateFile "certs/rhsoft-www.conf_ecdsa.pem"
  <IfModule mod_rewrite.c>
   RewriteEngine on
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
  </IfModule>
  <IfModule mod_headers.c>
   Header always set "Strict-Transport-Security" "max-age=31536000"
  </IfModule>
</VirtualHost>


Re: Listen 443 https (SSLEngine Optional - dual host)

Posted by Yann Ylavic <yl...@gmail.com>.
Come on, let's keep technical once again. Personal grudges ended!


Re: Listen 443 https (SSLEngine Optional - dual host)

Posted by Reindl Harald <h....@thelounge.net>.

Am 17.09.2017 um 03:07 schrieb Nick Edwards:
> phpmyadmin 4.4.15  is YEARS old

and how does that change the fact that 
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519#c1 "SERVER_PORT 80" 
in case of an https connection is plain wrong?

> we using 4.7 for nearly a year, 4.7.2 is current

nice for you when you don't have to support older PHP (sync the package 
to a RHEL 7 host with PHP 5.4 - my whole own software is PHP 7.1 only 
with strict-types but that's not related to the topic at all)

> this from a troll who verbally abuses the hell out of people on other 
> lists for posting similar comments using very outdated software. HAH, 
> this one's in google for life.

the only troll in this thread is you and nobody asked you, just because 
I have never seen anything useful on any list since you only post if you 
face something from me and otherwise you are a silent lurker everywhere!



Re: Listen 443 https (SSLEngine Optional - dual host)

Posted by Nick Edwards <ni...@gmail.com>.
phpmyadmin 4.4.15 is YEARS old

we've been using 4.7 for nearly a year, 4.7.2 is current

this from a troll who verbally abuses the hell out of people on other lists
for posting similar comments using very outdated software. HAH, this one's
in google for life.

