Re: mod_ssl, mod_rewrite, apache2 problem.

[Victoriano Giralt]

simontst wrote:

> The nasty problem is that when I redirect a request for a page (e.g.
> index.html) that contains an  tag in the form of:
>
> http://server/logos.gif";>
>
> IE 6 continually complains that the page contains insecured items and
> refuses to display the yellow padlock. However, an examination of my 
rewrite
> logs indicates that the GET for the logos.gif is being redirected:
[snip]
>
> If I remove the  tag from index.html, the complaints go away,
> index.html is accessed using https, and the padlock appears. So it would
> appear that there is an issue with the GET for the .gif
>
> Thinking that browser might be getting confused by two redirects in a row
> (the first for http://server/index.html, and the second for
> http://server/logos.gif) I have tried to GET the logos.gif directly via
> http://server/logos.gif. But again, even though the request is 
redirected to
> https://server/logos.gif, the same warning message pops up and IE 
refuses to
> display the padlock. But if I bypass mod_rewrite and GET the gif 
using the
> URL: https://server/logos.gif, IE does not complain.
>
> Finally, Mozilla does not complain at all!! Jeez! My inclination is to
> modify the s so that they all point to a relative path name 
instead
I cannot verify what I'm talking about, both because you have not
provided the URLs to test (than can be solved by local testest, but no
time at the moment)  and because I do not use any for of windoze, I'm
just wild gessing IE's reasonig. In a wild gess, IE is right (I hate to
say so :), though you are redirecting the request, the source for the
page it is presenting has unsecure elements, the parser does not know in
advance that the objects it will have to present to the user (your
images with absolute references), are really server by secure means, it
is asked to retrieve unsecured URLs (src=http:), though the page
contains mixed elements. This is another example why absolute URLs shall
be avoided when asking for contents from the same server :)

--
---
G & S Sistemas de Informacion, S.L.  | Teléfono:  9 02 01 44 43
Victoriano Giralt| Land line: +34-952-207-741
Torre de San Telmo, 8| Mobile:+34-670-332-720
E-29018 Malaga (Spain)   | http://www.gssi.es/
---
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

Re: mod_ssl, mod_rewrite, apache2 problem.

[Joe Orton]

On Wed, Apr 07, 2004 at 11:36:23AM -0400, simontst wrote:
> Hi,
> 
> I am running apache2, mod_ssl, on freebsd4.9 and I am using the mod_rewrite
> engine to redirect requests for http -> https.
> I have this working using:
> 
> RewriteEngine on
> RewriteCond %{HTTPS} !=on

This doesn't work properly in 2.0: try %{LA-U:HTTPS} instead.  Without
fixing that it's likely the rule is being applied to *all* requests, so
issuing a redirect for https://foo/bar to https://foo/bar which browsers
may do weird things for.

> RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]

Regards,

joe
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]