Assumption confirmed, and my connection is for sure https:// because of
the mod_rewrite rule and finally HSTS.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 updated too.
phpinfo():
SERVER_PORT 80
<VirtualHost *:80 *:443>
    ServerName www.rhsoft.net
    # one vhost listening on both ports; TLS is negotiated only on :443
    SSLEngine Optional
    SSLUseStapling On
    # RSA and ECDSA certificates, both offered to clients
    SSLCertificateFile "certs/rhsoft-www.conf_rsa.pem"
    SSLCertificateFile "certs/rhsoft-www.conf_ecdsa.pem"
    <IfModule mod_rewrite.c>
        # redirect plain-HTTP requests to their https:// equivalent
        RewriteEngine on
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    </IfModule>
    <IfModule mod_headers.c>
        # HSTS: browsers keep using https:// for this host for one year
        Header always set "Strict-Transport-Security" "max-age=31536000"
    </IfModule>
</VirtualHost>
On 17.09.2017 at 02:24, Reindl Harald wrote:
that's even worse - phpMyAdmin 4.4.15.10 seems to handle something
wrong because $_SERVER['SERVER_PORT'] is wrong - and I had myself some
bad code using that var instead of $_SERVER['HTTPS'] which again led
to an endless loop
in case of phpMyAdmin it redirects to https://hostname:80/path/ after
entering username/password - the workaround below in the config file seems
to solve that for now, but all in all that leaves a very bad taste
// phpMyAdmin config.inc.php: derive ForceSSL from the HTTPS variable that
// mod_ssl sets per connection, not from SERVER_PORT (which reads 80 here
// even on the https:// connection)
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    $cfg['ForceSSL'] = false;
} else {
    $cfg['ForceSSL'] = true;
}
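The failure mode described above (scheme detection keyed on SERVER_PORT looping forever on a dual-port vhost, while detection keyed on the HTTPS variable does not), as an added example that is not code from the thread or from phpMyAdmin. The function names, the placeholder host name and the constructed $_SERVER array are assumptions; the array mirrors the phpinfo() observation in the thread that SERVER_PORT reads 80 on a TLS connection.

```php
<?php
// Added example (not from the thread): scheme detection on a
// <VirtualHost *:80 *:443> with "SSLEngine Optional", where SERVER_PORT
// is reported as 80 even though the request arrived over TLS.

/**
 * Port-based detection, the pattern the thread calls "bad code".
 * Returns false for a TLS request whenever SERVER_PORT is misreported.
 */
function is_https_by_port(array $server): bool
{
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

/**
 * Detection via the HTTPS variable mod_ssl sets per connection
 * ("on" on a TLS connection; unset or "off" otherwise).
 */
function is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

/**
 * Build the Location target a "force SSL" redirect would emit, using the
 * given detector. Returns null when no redirect is needed.
 * Appending SERVER_PORT is what yields the thread's "https://hostname:80/path/".
 */
function force_ssl_location(array $server, callable $detector, bool $append_port): ?string
{
    if ($detector($server)) {
        return null;
    }
    $port = $append_port ? ':' . $server['SERVER_PORT'] : '';
    return 'https://' . $server['HTTP_HOST'] . $port . $server['REQUEST_URI'];
}

/**
 * Simulate the browser following the redirect back to the same vhost.
 * Returns the number of redirects before the app is satisfied, or -1 when
 * the same Location is issued twice (an endless loop).
 */
function simulate_redirects(array $server, callable $detector, bool $append_port, int $max = 5): int
{
    $seen = [];
    for ($i = 0; $i < $max; $i++) {
        $loc = force_ssl_location($server, $detector, $append_port);
        if ($loc === null) {
            return $i;
        }
        if (isset($seen[$loc])) {
            return -1;
        }
        $seen[$loc] = true;
        // The follow-up request is TLS (HTTPS=on), but on this vhost
        // SERVER_PORT still reads 80, as observed in the thread.
        $server['HTTPS'] = 'on';
        $server['SERVER_PORT'] = '80';
    }
    return -1;
}

// Constructed sample environment (placeholder host name).
$env = [
    'HTTP_HOST'   => 'www.example.test',
    'REQUEST_URI' => '/phpmyadmin/',
    'SERVER_PORT' => '80',
    'HTTPS'       => 'on',
];

var_dump(is_https_by_port($env));
var_dump(is_https($env));
var_dump(simulate_redirects($env, 'is_https_by_port', true));
var_dump(simulate_redirects($env, 'is_https', false));
```

Run from the command line with `php example.php`: the port-based detector classifies the TLS request as plain HTTP and the simulated redirect chain never terminates, whereas the HTTPS-variable detector issues no redirect at all. The same HTTPS-variable check is what the config.inc.php workaround above relies on.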
On 14.09.2017 at 18:16, Reindl Harald wrote:
On 14.09.2017 at 16:08, Stefan Eissing wrote:
Ok, as I read the code a bit more, there is a tangle of things that
can influence port/scheme selection. But what I can see, the version
in *trunk* should do the right thing *iff*
a) you use "SSLEngine *:443" instead of "Optional"
b) you use "ServerName xxx.yyy" *without* a port name
then a
<VirtualHost *:80 *:443>
    ServerName xxx.yyy
    SSLEngine *:443
    ...
</VirtualHost>
should do the right thing here. Internal methods used to generate
Redirect Location headers, namely
ap_construct_url()
ap_get_server_port()
ap_http_scheme()
should give back the correct values for each connection and also fill
the env variables with the correct values.
what does "trunk" mean here?
a future 2.5/2.6/3.0 or a 2.4.x in the near future?
within 2 weeks you need TLS on each and every host since Chrome starts
to warn about every page with a form tag and no TLS
[root@srv-rhsoft:~]$ apachectl -t
AH00526: Syntax error on line 29 of
/etc/httpd/conf/sites_enabled/contentlounge.conf:
Argument must be On, Off, or Optional
On 14.09.2017 at 15:46, Reindl Harald <h.rei...@thelounge.net> wrote:
On 14.09.2017 at 15:40, Stefan Eissing wrote:
Harald,
could you check if a configuration like:
UseCanonicalPhysicalPort on
in the server or vhost mitigates the problem?
it makes it even more terrible and the resulting http:// protocol
instead of https:// on port 443 here even triggers mod_security
even if it would mitigate that issue - having ports in redirect urls
easily leads to a lot of other problems when proxy-servers are part
of the game
[harry@srv-rhsoft:/mnt/data/downloads]$ curl --head --insecure
https://contentlounge/cms
HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Sep 2017 13:43:06 GMT
X-DNS-Prefetch-Control: off
X-Content-Type-Options: nosniff
X-Response-Time: D=1561 us
Location: http://contentlounge:443/cms/
Cache-Control: max-age=0
Expires: Thu, 14 Sep 2017 13:43:06 GMT
Content-Type: text/html; charset=iso-8859-1
On 14.09.2017 at 12:00, Reindl Harald <h.rei...@thelounge.net> wrote:
On 10.08.2017 at 18:22, Reindl Harald wrote:
If you want to experiment...
<VirtualHost IP:80 IP:443>
is already recognized
but with "SSLEngine On" and "SSLCertificateFile" configured
non-https no longer would work
OK, figured it out
* you need the *first* vhost with "SSLEngine On"
* others can have "SSLEngine optional" and listen to 80 and 443
but there is a bug:
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519
if the trailing slash is missing in the url the automatic redirect
to the fully qualified folder path points to http:// instead of
https:// and that does not happen within a vhost dedicated to :443
and "SSLEngine On"
I was trapped in an endless loop because the php script making a
redirect to https:// had a bug and missed the trailing / too
<VirtualHost *:80 *:443>
    DocumentRoot "/www/contentlounge"
    ServerName contentlounge.rhsoft.net
    # plain HTTP on :80, TLS on :443, served by one vhost
    SSLEngine optional
    SSLCertificateFile "conf/ssl/rhsoft.net.pem"
</VirtualHost>
[harry@srv-rhsoft:~]$ curl --head --insecure
https://contentlounge/cms
HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Sep 2017 09:40:27 GMT
X-DNS-Prefetch-Control: off
X-Content-Type-Options: nosniff
X-Response-Time: D=1311 us
Location: http://contentlounge/cms/
Cache-Control: max-age=0
Expires: Thu, 14 Sep 2017 09:40:27 GMT
Content-Type: text/html; charset=iso-8859-1