Posted to users@httpd.apache.org by Mike Soultanian <ms...@csulb.edu> on 2008/09/29 22:25:30 UTC
[users@httpd] Question about SSL and Apache and a certificate error
Our campus has an SSL certificate for www.csulb.edu. If you go to
https://www.csulb.edu everything works peachy.
Now, if you go to https://csulb.edu, you get an error. I talked to our
server admin and he said it's because our certificate is registered to
www.csulb.edu and not csulb.edu. He said only a wildcard certificate
would fix this problem, but that's something that the campus doesn't want
to do for security and cost reasons.
So, is it possible to set up a rewrite condition such that when someone
tries to navigate to https://csulb.edu, it will automatically redirect
the user to https://www.csulb.edu and avoid the certificate error? I
tried using the following in a .htaccess file and it didn't work (still
got the error):

RewriteEngine on
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !www
RewriteRule (.*) http://www.%{HTTP_HOST}%{REQUEST_URI} [R]

I thought maybe if the above code was put somewhere in the httpd.conf
file it might work?
It seems like a long-shot (admin didn't think it'd work), but I figured
I'd ask the experts here. Any other possible ways to work around this?
Thanks!
Mike
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Question about SSL and Apache and a certificate error
Posted by Mike Soultanian <ms...@csulb.edu>.
Justin Pasher wrote:
> If you have more (sub)domains that point to the same virtualhost, then
> you won't be able to use the above directive as-is, since it's
> designed to funnel ALL requests through www.csulb.edu. It's mainly
> designed for sites that have a handful of alias domains, but only one
> primary domain. The redirect makes sure all traffic sees the same
> domain in the URL (and it also aids in generating traffic statistics
> when different domains are treated as different sites to the outside
> world).
>
> If you only have a small handful of domains that should be left alone,
> you can put some exceptions in the rules, like this:
>
> # leave these domains alone
> RewriteCond %{HTTP_HOST} ^www\.cota\.csulb\.edu$ [NC,OR]
> RewriteCond %{HTTP_HOST} ^cota\.csulb\.edu$ [NC]
> RewriteRule . - [L]
>
> # push everyone else to www.csulb.edu
> RewriteCond %{HTTP_HOST} !^www\.csulb\.edu$ [NC]
> RewriteRule ^/(.*) http://www.csulb.edu/$1 [R=permanent,L]
>
Hey Justin,
I'll forward this over to our admins and see what they think. I
appreciate all of your help!!
thanks!
Mike
Re: [users@httpd] Question about SSL and Apache and a certificate error
Posted by Justin Pasher <ju...@newmediagateway.com>.
Mike Soultanian wrote:
> Justin Pasher wrote:
>> Ahhh... Now it should actually be possible. If possible, I would
>> (personally) try to push all traffic to www.csulb.edu whenever they
>> try to pull csulb.edu. Whether or not this is possible in your
>> situation, I do not know. Something like this in the VirtualHost
>> config would do it.
>>
>> RewriteCond %{HTTP_HOST} !^www\.csulb\.edu$ [NC]
>> RewriteRule ^/(.*)$ http://www.csulb.edu/$1 [R=permanent]
>>
>> This would make sure that requests for any pages are always going
>> through www.csulb.edu (as opposed to csulb.edu or any other
>> ServerAlias setting).
>>
> Would this affect sites like cota.csulb.edu?
>
> We do make sure that www.cota.csulb.edu and cota.csulb.edu are both
> valid.
If you have more (sub)domains that point to the same virtualhost, then
you won't be able to use the above directive as-is, since it's designed
to funnel ALL requests through www.csulb.edu. It's mainly designed for
sites that have a handful of alias domains, but only one primary domain.
The redirect makes sure all traffic sees the same domain in the URL (and
it also aids in generating traffic statistics when different domains are
treated as different sites to the outside world).
If you only have a small handful of domains that should be left alone,
you can put some exceptions in the rules, like this:

# leave these domains alone
RewriteCond %{HTTP_HOST} ^www\.cota\.csulb\.edu$ [NC,OR]
RewriteCond %{HTTP_HOST} ^cota\.csulb\.edu$ [NC]
RewriteRule . - [L]

# push everyone else to www.csulb.edu
RewriteCond %{HTTP_HOST} !^www\.csulb\.edu$ [NC]
RewriteRule ^/(.*) http://www.csulb.edu/$1 [R=permanent,L]
>> FWIW, I tried visiting the test pages you mentioned above, and both
>> of them actually pushed me to https. Have you cleared your cache to
>> make sure the browser isn't trying to do something weird by caching
>> the previous response it received?
> That's odd... I did refresh my browser and like you said, it started
> working. I did still use your version as it has some definite
> advantages.
>
> Thanks for your help!!
> Mike
Good to hear it's working now.
--
Justin Pasher
Re: [users@httpd] Question about SSL and Apache and a certificate error
Posted by Mike Soultanian <ms...@csulb.edu>.
Justin Pasher wrote:
> Ahhh... Now it should actually be possible. If possible, I would
> (personally) try to push all traffic to www.csulb.edu whenever they
> try to pull csulb.edu. Whether or not this is possible in your
> situation, I do not know. Something like this in the VirtualHost
> config would do it.
>
> RewriteCond %{HTTP_HOST} !^www\.csulb\.edu$ [NC]
> RewriteRule ^/(.*)$ http://www.csulb.edu/$1 [R=permanent]
>
> This would make sure that requests for any pages are always going
> through www.csulb.edu (as opposed to csulb.edu or any other
> ServerAlias setting).
>
Would this affect sites like cota.csulb.edu?
We do make sure that www.cota.csulb.edu and cota.csulb.edu are both valid.
>
>
> FWIW, I tried visiting the test pages you mentioned above, and both of
> them actually pushed me to https. Have you cleared your cache to make
> sure the browser isn't trying to do something weird by caching the
> previous response it received?
That's odd... I did refresh my browser and like you said, it started
working. I did still use your version as it has some definite advantages.
Thanks for your help!!
Mike
Re: [users@httpd] Question about SSL and Apache and a certificate error
Posted by Justin Pasher <ju...@newmediagateway.com>.
Mike Soultanian wrote:
>
>
> Justin Pasher wrote:
>>
>> Actually, ignore everything I just said. All this time I thought that
>> was what apache was doing, but it's actually occurring after the
>> mismatched server name warning is presented. The rewrite rule will
>> still catch the request and redirect them to https://www.csulb.edu,
>> but not until after the warning has already been issued.
>>
> Heh, no worries ;)
>
> However, I think you might be able to help me solve a few of the
> problem cases. Here's what's going on. I have a message forum
> running at http://www.csulb.edu/itforums. When you hit the site there
> is an .htaccess directive that automatically redirects you to the
> SSL version of the site:
>
> RewriteEngine on
> RewriteCond %{HTTPS} off
> RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
>
> This works great, except when someone types csulb.edu/itforums in
> their browser. They then get redirected to https://csulb.edu/itforums
> and receive a certificate error. I can't really fix the case of
> someone typing https://csulb.edu/itforums (which will probably be
> rare), I can still take care of the other cases: having both
> http://www.csulb.edu/itforums and http://csulb.edu/itforums forward to
> https://www.csulb.edu/itforums. I tried to do this but my rewrite
> statements don't seem to work right:
>
> RewriteEngine on
> RewriteCond %{HTTPS} off
> RewriteCond %{HTTP_HOST} !www
> RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI}
>
> RewriteCond %{HTTPS} off
> RewriteCond %{HTTP_HOST} www
> RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
>
> Here are some test pages where I've applied the above directives:
>
> http://csulb.edu/projects/itforums/dev/ ->
> https://www.csulb.edu/projects/itforums/dev/
> The above correctly updated the URL and is running SSL
>
> http://www.csulb.edu/projects/itforums/dev/ ->
> http://www.csulb.edu/projects/itforums/dev/
> The above doesn't work correctly as it doesn't go SSL
>
> Notice the second case doesn't forward to https. Any idea why?
>
> Thanks!
> Mike
Ahhh... Now it should actually be possible. If possible, I would
(personally) try to push all traffic to www.csulb.edu whenever they try
to pull csulb.edu. Whether or not this is possible in your situation, I
do not know. Something like this in the VirtualHost config would do it.

RewriteCond %{HTTP_HOST} !^www\.csulb\.edu$ [NC]
RewriteRule ^/(.*)$ http://www.csulb.edu/$1 [R=permanent]

This would make sure that requests for any pages are always going
through www.csulb.edu (as opposed to csulb.edu or any other ServerAlias
setting).
Now, back to your specific situation (if it must remain the same
format). For one, you'll want to anchor the check for HTTP_HOST to the
beginning of the string (just to avoid matching something unexpected if
other subdomains ever point to the site). I have also never tried a
rewrite rule that changes from http to https without forcing an actual
redirect (as opposed to an internal rewrite). I would think apache is
forced to perform a redirect when switching protocols, otherwise the
browser would probably get confused (and I'm not sure you could even
make SSL work like that). Adding the [R] flag will force the redirect,
but it might not be necessary.

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [R=permanent]

RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^www\.
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent]

FWIW, I tried visiting the test pages you mentioned above, and both of
them actually pushed me to https. Have you cleared your cache to make
sure the browser isn't trying to do something weird by caching the
previous response it received?
--
Justin Pasher
Re: [users@httpd] Question about SSL and Apache and a certificate error
Posted by Mike Soultanian <ms...@csulb.edu>.
Justin Pasher wrote:
>
> Actually, ignore everything I just said. All this time I thought that
> was what apache was doing, but it's actually occurring after the
> mismatched server name warning is presented. The rewrite rule will
> still catch the request and redirect them to https://www.csulb.edu,
> but not until after the warning has already been issued.
>
Heh, no worries ;)
However, I think you might be able to help me solve a few of the problem
cases. Here's what's going on. I have a message forum running at
http://www.csulb.edu/itforums. When you hit the site there is an
.htaccess directive that automatically redirects you to the SSL
version of the site:

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

This works great, except when someone types csulb.edu/itforums in their
browser. They then get redirected to https://csulb.edu/itforums and
receive a certificate error. I can't really fix the case of someone
typing https://csulb.edu/itforums (which will probably be rare), I can
still take care of the other cases: having both
http://www.csulb.edu/itforums and http://csulb.edu/itforums forward to
https://www.csulb.edu/itforums. I tried to do this but my rewrite
statements don't seem to work right:

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !www
RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI}

RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} www
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Here are some test pages where I've applied the above directives:

http://csulb.edu/projects/itforums/dev/ ->
https://www.csulb.edu/projects/itforums/dev/
The above correctly updated the URL and is running SSL

http://www.csulb.edu/projects/itforums/dev/ ->
http://www.csulb.edu/projects/itforums/dev/
The above doesn't work correctly as it doesn't go SSL

Notice the second case doesn't forward to https. Any idea why?
Thanks!
Mike
Re: [users@httpd] Question about SSL and Apache and a certificate error
Posted by Justin Pasher <ju...@newmediagateway.com>.
Justin Pasher wrote:
> Mike Soultanian wrote:
>> Justin Pasher wrote:
>>>
>>> You can simplify this a bit by saying "redirect anything that is not
>>> going to www.csulb.edu". However, you'll have to put the rewrite
>>> directives inside the <VirtualHost> configuration for the SSL
>>> version of the site, as the .htaccess file is run after a connection
>>> is established with the browser.
>>>
>>> RewriteEngine on
>>> RewriteCond %{HTTP_HOST} !^www\.csulb\.edu$
>>> RewriteRule ^/(.*)$ https://www.csulb.edu/$1 [R=permanent,L]
>>>
>> Hey Justin,
>> But will this still avoid the certificate error that is received upon
>> going to https://csulb.edu? According to a previous reply, Eric said
>> that the SSL handshake is handled before the redirect.
>>
>> thanks,
>> Mike
>
> If you do it within the apache config, the server will send the 302
> redirect header before trying to exchange any SSL key related
> information. Once they have been kicked over to
> https://www.csulb.edu/, the normal SSL handshake will occur, since
> they will not hit the rewrite rule.
Actually, ignore everything I just said. All this time I thought that
was what apache was doing, but it's actually occurring after the
mismatched server name warning is presented. The rewrite rule will still
catch the request and redirect them to https://www.csulb.edu, but not
until after the warning has already been issued.
*sigh*
--
Justin Pasher
Re: [users@httpd] Question about SSL and Apache and a certificate error
Posted by Dan Poirier <po...@pobox.com>.
On Mon, 29 Sep 2008 16:40:49 -0500, "Justin Pasher"
<ju...@newmediagateway.com> said:
>
> If you do it within the apache config, the server will send the 302
> redirect header before trying to exchange any SSL key related
> information. Once they have been kicked over to
> https://www.csulb.edu/, the normal SSL handshake will occur, since
> they will not hit the rewrite rule.
Unfortunately, Apache can't even see the request until after a
successful SSL handshake (it's encrypted, after all), so nothing that
depends on anything but the IP address and port the request is received
on can really be taken into account before the handshake.
Dan
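
Added example (not part of the original thread and not Apache's own code): a small Python model of the ordering described in this message, combined with the host-based redirect rules quoted elsewhere in the thread. The certificate name lists, the helper names and the https://www.csulb.edu redirect target are constructed assumptions; the wildcard and two-name certificates go beyond the single certificate discussed here.

```python
import re
from urllib.parse import urlsplit

# Constructed dNSName lists for three hypothetical certificates (assumptions,
# not the real csulb.edu certificates).
CERT_WWW_ONLY = ["www.csulb.edu"]
CERT_WILDCARD = ["*.csulb.edu"]
CERT_BOTH = ["csulb.edu", "www.csulb.edu"]

# Python stand-ins for the RewriteCond host patterns quoted in the thread.
LEAVE_ALONE = re.compile(r"^(www\.)?cota\.csulb\.edu$", re.I)
CANONICAL = re.compile(r"^www\.csulb\.edu$", re.I)


def name_matches(pattern, host):
    """Client-side name check (RFC 6125 style): case-insensitive, and a '*'
    stands for exactly one left-most label, never for zero labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def cert_covers(names, host):
    return any(name_matches(n, host) for n in names)


def rewrite(scheme, host, path):
    """Model of the server-side rules: returns a redirect target or None.
    This only runs once the server can read the HTTP request."""
    if LEAVE_ALONE.search(host):
        return None
    if not CANONICAL.search(host) or scheme == "http":
        return "https://www.csulb.edu" + path
    return None


def visit(url, cert_names, max_hops=5):
    """Follow one browser navigation and record what happens, in order."""
    events = []
    for _ in range(max_hops):
        u = urlsplit(url)
        host, path = u.hostname, u.path or "/"
        if u.scheme == "https":
            # The handshake comes first; no rewrite rule has been evaluated yet.
            if cert_covers(cert_names, host):
                events.append("tls ok " + host)
            else:
                events.append("CERT WARNING " + host)
        location = rewrite(u.scheme, host, path)
        if location is None:
            events.append("200 " + url)
            return events
        events.append("301 " + location)
        url = location
    return events


if __name__ == "__main__":
    for start in ("http://csulb.edu/itforums", "https://csulb.edu/itforums"):
        print(start, "->", visit(start, CERT_WWW_ONLY))
    for label, names in (("wildcard", CERT_WILDCARD), ("both names", CERT_BOTH)):
        print(label, "covers csulb.edu:", cert_covers(names, "csulb.edu"))
```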
Re: [users@httpd] Question about SSL and Apache and a certificate error
Posted by Justin Pasher <ju...@newmediagateway.com>.
Mike Soultanian wrote:
> Justin Pasher wrote:
>>
>> You can simplify this a bit by saying "redirect anything that is not
>> going to www.csulb.edu". However, you'll have to put the rewrite
>> directives inside the <VirtualHost> configuration for the SSL version
>> of the site, as the .htaccess file is run after a connection is
>> established with the browser.
>>
>> RewriteEngine on
>> RewriteCond %{HTTP_HOST} !^www\.csulb\.edu$
>> RewriteRule ^/(.*)$ https://www.csulb.edu/$1 [R=permanent,L]
>>
> Hey Justin,
> But will this still avoid the certificate error that is received upon
> going to https://csulb.edu? According to a previous reply, Eric said
> that the SSL handshake is handled before the redirect.
>
> thanks,
> Mike
If you do it within the apache config, the server will send the 302
redirect header before trying to exchange any SSL key related
information. Once they have been kicked over to https://www.csulb.edu/,
the normal SSL handshake will occur, since they will not hit the rewrite
rule.
--
Justin Pasher
Re: [users@httpd] Question about SSL and Apache and a certificate error
Posted by Mike Soultanian <ms...@csulb.edu>.
Justin Pasher wrote:
>
> You can simplify this a bit by saying "redirect anything that is not
> going to www.csulb.edu". However, you'll have to put the rewrite
> directives inside the <VirtualHost> configuration for the SSL version
> of the site, as the .htaccess file is run after a connection is
> established with the browser.
>
> RewriteEngine on
> RewriteCond %{HTTP_HOST} !^www\.csulb\.edu$
> RewriteRule ^/(.*)$ https://www.csulb.edu/$1 [R=permanent,L]
>
Hey Justin,
But will this still avoid the certificate error that is received upon
going to https://csulb.edu? According to a previous reply, Eric said
that the SSL handshake is handled before the redirect.
thanks,
Mike
Re: [users@httpd] Question about SSL and Apache and a certificate error
Posted by Justin Pasher <ju...@newmediagateway.com>.
Mike Soultanian wrote:
> Our campus has an SSL certificate for www.csulb.edu. If you go to
> https://www.csulb.edu everything works peachy.
>
> Now, if you go to https://csulb.edu, you get an error. I talked to
> our server admin and he said it's because our certificate is
> registered to www.csulb.edu and not csulb.edu. He said only a
> wildcard certificate would fix this problem, but that's something that
> the campus doesn't want to do for security and cost reasons.
>
> So, is it possible to set up a rewrite condition such that when
> someone tries to navigate to https://csulb.edu, it will automatically
> redirect the user to https://www.csulb.edu and avoid the certificate
> error? I tried using the following in a .htaccess file and it didn't
> work (still got the error):
>
> RewriteEngine on
> RewriteCond %{HTTPS} on
> RewriteCond %{HTTP_HOST} !www
> RewriteRule (.*) http://www.%{HTTP_HOST}%{REQUEST_URI} [R]
>
> I thought maybe if the above code was put somewhere in the httpd.conf
> file it might work?
>
> It seems like a long-shot (admin didn't think it'd work), but I
> figured I'd ask the experts here. Any other possible ways to work
> around this?
>
> Thanks!
> Mike
You can simplify this a bit by saying "redirect anything that is not
going to www.csulb.edu". However, you'll have to put the rewrite
directives inside the <VirtualHost> configuration for the SSL version of
the site, as the .htaccess file is run after a connection is established
with the browser.

RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.csulb\.edu$
RewriteRule ^/(.*)$ https://www.csulb.edu/$1 [R=permanent,L]
--
Justin Pasher
Re: [users@httpd] Question about SSL and Apache and a certificate error
Posted by Mike Soultanian <ms...@csulb.edu>.
Eric Covener wrote:
> On Mon, Sep 29, 2008 at 4:25 PM, Mike Soultanian <ms...@csulb.edu> wrote:
>
>> So, is it possible to set up a rewrite condition such that when someone
>> tries to navigate to https://csulb.edu, it will automatically redirect the
>> user to https://www.csulb.edu and avoid the certificate error? I tried
>> using the following in a .htaccess file and it didn't work (still got the
>> error):
>>
>
> You can't do this -- you get that popup during the SSL handshake,
> which has completed long before you can get redirected.
>
>
Ok.. thanks for the confirmation!
Mike
Re: [users@httpd] Question about SSL and Apache and a certificate error
Posted by Eric Covener <co...@gmail.com>.
On Mon, Sep 29, 2008 at 4:25 PM, Mike Soultanian <ms...@csulb.edu> wrote:
> Our campus has an SSL certificate for www.csulb.edu. If you go to
> https://www.csulb.edu everything works peachy.
>
> Now, if you go to https://csulb.edu, you get an error. I talked to our
> server admin and he said it's because our certificate is registered to
> www.csulb.edu and not csulb.edu. He said only a wildcard certificate would
> fix this problem, but that's something that the campus doesn't want to do for
> security and cost reasons.
>
> So, is it possible to set up a rewrite condition such that when someone
> tries to navigate to https://csulb.edu, it will automatically redirect the
> user to https://www.csulb.edu and avoid the certificate error? I tried
> using the following in a .htaccess file and it didn't work (still got the
> error):
You can't do this -- you get that popup during the SSL handshake,
which has completed long before you can get redirected.
--
Eric Covener
covener@gmail.com