Re: [rt-users] Getting Request Tracker to stick to HTTPS
On 2012-05-17 13:47, Ruslan Zakirov wrote:
> On Wed, May 16, 2012 at 8:50 PM, Matt Brennan wrote:
>> This is how I do this. In my RT_SiteConfig.pm I have:
>>
>> Set($WebBaseURL,
>>   'https://'
>>   . RT->Config->Get('WebDomain')
>> );
>>
>> All traffic on my RT instance is done via HTTPS. I also have an Apache
>> rewrite rule in case someone navigates to HTTP instead (as users often do).
>
> You don't need this. WebDomain, WebPort and WebPath are enough in most
> cases. As documentation in versions says you set WebBaseURL or other
> options only in very specific cases, for example when you want to
> serve RT over HTTPS from port 1.
>
> Topic starter needs CanonicalizeRedirectURLs option. He uses reverse
> proxy. By default for redirects RT guesses a few bits from ENV
> variables (set by web server). This allows you to run the same RT
> instance with multiple entry points. However, if you have something in
> front of RT then this guessing doesn't work.

And just to confirm, for the reverse SSL offloading proxy case the:

Set($CanonicalizeRedirectURLs, 1);

option in RT_SiteConfig.pm works just right, my pages stay on https throughout the session.
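A simplified model of the choice that CanonicalizeRedirectURLs controls, added here as an illustration; it is not RT's own code and not part of any post in this thread. It uses the WebDomain, WebPath and WebPort values quoted in the thread; the backend environment, the `/index.html` path and all function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Values from the thread's RT_SiteConfig.pm.
CONFIG = {"WebDomain": "www.domain.net", "WebPort": 443, "WebPath": "/ticket"}

# Constructed sample: what the backend web server sees once the proxy has
# terminated TLS and forwarded plain HTTP (no HTTPS flag, port 80).
BACKEND_ENV = {"HTTP_HOST": "www.domain.net", "SERVER_PORT": "80"}


def web_url(cfg):
    """Canonical base URL: https when WebPort is 443, as the thread describes."""
    scheme = "https" if cfg["WebPort"] == 443 else "http"
    default = {"https": 443, "http": 80}[scheme]
    port = "" if cfg["WebPort"] == default else f":{cfg['WebPort']}"
    return f"{scheme}://{cfg['WebDomain']}{port}{cfg['WebPath']}"


def redirect_url(cfg, env, path, canonicalize):
    """Build a redirect target either from config or from the server env."""
    if canonicalize:
        return web_url(cfg) + path  # trust the configured URL
    # Otherwise guess scheme, host and port from the web server environment.
    scheme = "https" if env.get("HTTPS") == "on" else "http"
    port = env.get("SERVER_PORT", "80")
    default = "443" if scheme == "https" else "80"
    host = env["HTTP_HOST"] + ("" if port == default else f":{port}")
    return f"{scheme}://{host}{cfg['WebPath']}{path}"


def is_downgrade(request_url, location):
    """True when an HTTPS request is answered with a redirect to plain HTTP."""
    return (urlsplit(request_url).scheme == "https"
            and urlsplit(location).scheme == "http")


if __name__ == "__main__":
    login = "https://www.domain.net/ticket/"
    for flag in (0, 1):
        loc = redirect_url(CONFIG, BACKEND_ENV, "/index.html", flag)
        print(f"CanonicalizeRedirectURLs={flag}: {loc} "
              f"downgrade={is_downgrade(login, loc)}")
```

The same `is_downgrade` check can be applied to the `Location` headers captured from a real login through the proxy to confirm the setting took effect.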
Re: [rt-users] Getting Request Tracker to stick to HTTPS
On Wed, May 16, 2012 at 8:50 PM, Matt Brennan wrote:
> This is how I do this. In my RT_SiteConfig.pm I have:
>
> Set($WebBaseURL,
>   'https://'
>   . RT->Config->Get('WebDomain')
> );
>
> All traffic on my RT instance is done via HTTPS. I also have an Apache
> rewrite rule in case someone navigates to HTTP instead (as users often do).

You don't need this. WebDomain, WebPort and WebPath are enough in most cases. As documentation in versions says you set WebBaseURL or other options only in very specific cases, for example when you want to serve RT over HTTPS from port 1.

Topic starter needs CanonicalizeRedirectURLs option. He uses reverse proxy. By default for redirects RT guesses a few bits from ENV variables (set by web server). This allows you to run the same RT instance with multiple entry points. However, if you have something in front of RT then this guessing doesn't work.

> HTH,
> -Matt
>
> On Wed, May 16, 2012 at 11:20 AM, Giles Coochey wrote:
>>
>> I have the following set up:
>>
>> Clients --> Squid SSL Offload / Caching Reverse Proxy (HTTPS--->HTTP) -->
>> Apache Routing Proxy (HTTP) --> RT (HTTP)
>>
>> RT (v4.0.5) itself is configured for HTTPS:
>>
>> Set($WebDomain, 'www.domain.net');
>> Set($WebPath, '/ticket');
>> Set($WebPort, 443);
>>
>> On going to Tools --> Configuration --> System Config I see that
>>
>> WebBaseURL is correctly listed as https://www.domain.net
>>
>> So if I navigate to https://www.domain.net/ticket/
>>
>> and Login then next page reverts to http...
>>
>> What do you think I might be missing??
>>
>> How can I force RT to HTTPS?
>>
>

--
Best regards, Ruslan.
Re: [rt-users] Getting Request Tracker to stick to HTTPS
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Might be of interest, if your regular users use Firefox, Chrome or Opera.

The other option: Set up another virtual host on the apache box that only serves a redirect to the https side. On the proxy, direct port 80 to that one, and leave 443 pointing at the RT instance. If the proxy supports such, at least.

Steve Anderson

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Giles Coochey
Sent: 16 May 2012 18:05
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Getting Request Tracker to stick to HTTPS

On 16/05/2012 17:27, Darin Perusich wrote:
> On 05/16/2012 11:20 AM, Giles Coochey wrote:
>> How can I force RT to HTTPS?
>>
> Have you tried using mod_rewrite to rewrite all the traffic for that
> virtual host to https?
>
> Stubs of the configs for your RT virtual host. The http vhost only
> needs to have the basics defined, the rewrite rules will push
> everything to https.
>
>
> ...
> ...
> RewriteEngine On
> RewriteCond %{SERVER_PORT} !^443$
> RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R=301]
>
>
>
> ...
> ...
>
>    Order allow,deny
>    Allow from all
>    SetHandler modperl
>    PerlResponseHandler Plack::Handler::Apache2
>    PerlSetVar psgi_app /usr/sbin/rt-server
>
>
>
>    use Plack::Handler::Apache2;
>    Plack::Handler::Apache2->preload("/usr/sbin/rt-server");
>
> ...
> ...
>

I can't do that, the actual RT Apache Server runs on port 80, so the rewrite condition is always false.

The Reverse Proxy Director runs on port 8080
The Squid SSL-offload caching proxy runs on 443 & 80

So RT needed to act as if it was running on 443, but it didn't do any SSL itself.

The problem seemed to be this setting, as mentioned by Paul.

Set($CanonicalizeRedirectURLs, 1);

Now it appears to work.

If I wanted to do what you suggested I'd need to do the equivalent in Squid config, I think.
Also, I don't mind it being available on HTTP, I just don't want it bouncing back to HTTP if I log in with HTTPS.
Re: [rt-users] Getting Request Tracker to stick to HTTPS
On 16/05/2012 17:27, Darin Perusich wrote:
> On 05/16/2012 11:20 AM, Giles Coochey wrote:
>> How can I force RT to HTTPS?
>
> Have you tried using mod_rewrite to rewrite all the traffic for that
> virtual host to https?
>
> Stubs of the configs for your RT virtual host. The http vhost only
> needs to have the basics defined, the rewrite rules will push
> everything to https.
>
> ...
> ...
> RewriteEngine On
> RewriteCond %{SERVER_PORT} !^443$
> RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R=301]
>
> ...
> ...
>    Order allow,deny
>    Allow from all
>    SetHandler modperl
>    PerlResponseHandler Plack::Handler::Apache2
>    PerlSetVar psgi_app /usr/sbin/rt-server
>
>    use Plack::Handler::Apache2;
>    Plack::Handler::Apache2->preload("/usr/sbin/rt-server");
> ...
> ...

I can't do that, the actual RT Apache Server runs on port 80, so the rewrite condition is always false.

The Reverse Proxy Director runs on port 8080
The Squid SSL-offload caching proxy runs on 443 & 80

So RT needed to act as if it was running on 443, but it didn't do any SSL itself.

The problem seemed to be this setting, as mentioned by Paul.

Set($CanonicalizeRedirectURLs, 1);

Now it appears to work.

If I wanted to do what you suggested I'd need to do the equivalent in Squid config, I think.

Also, I don't mind it being available on HTTP, I just don't want it bouncing back to HTTP if I log in with HTTPS.
Re: [rt-users] Getting Request Tracker to stick to HTTPS
This is how I do this. In my RT_SiteConfig.pm I have:

Set($WebBaseURL,
  'https://'
  . RT->Config->Get('WebDomain')
);

All traffic on my RT instance is done via HTTPS. I also have an Apache rewrite rule in case someone navigates to HTTP instead (as users often do).

HTH,
-Matt

On Wed, May 16, 2012 at 11:20 AM, Giles Coochey wrote:
> I have the following set up:
>
> Clients --> Squid SSL Offload / Caching Reverse Proxy (HTTPS--->HTTP) -->
> Apache Routing Proxy (HTTP) --> RT (HTTP)
>
> RT (v4.0.5) itself is configured for HTTPS:
>
> Set($WebDomain, 'www.domain.net');
> Set($WebPath, '/ticket');
> Set($WebPort, 443);
>
> On going to Tools --> Configuration --> System Config I see that
>
> WebBaseURL is correctly listed as https://www.domain.net
>
> So if I navigate to https://www.domain.net/ticket/
>
> and Login then next page reverts to http...
>
> What do you think I might be missing??
>
> How can I force RT to HTTPS?
>
Re: [rt-users] Getting Request Tracker to stick to HTTPS
On 05/16/2012 11:20 AM, Giles Coochey wrote:
>
> How can I force RT to HTTPS?
>

Have you tried using mod_rewrite to rewrite all the traffic for that virtual host to https?

Stubs of the configs for your RT virtual host. The http vhost only needs to have the basics defined, the rewrite rules will push everything to https.

...
...
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R=301]

...
...
    Order allow,deny
    Allow from all
    SetHandler modperl
    PerlResponseHandler Plack::Handler::Apache2
    PerlSetVar psgi_app /usr/sbin/rt-server

    use Plack::Handler::Apache2;
    Plack::Handler::Apache2->preload("/usr/sbin/rt-server");
...
...

--
Darin Perusich
Email: darin.perus...@ctg.com
Office: 716-888-3690
Re: [rt-users] Getting Request Tracker to stick to HTTPS
On 16/05/2012 16:26, Paul Tomblin wrote:
> Further reading in RT_Config suggests you may need to look at this:
>
> =item C<$CanonicalizeRedirectURLs>
>
> Set C<$CanonicalizeRedirectURLs> to 1 to use C<$WebURL> when
> redirecting rather than the one we get from C<%ENV>.
>
> Apache's UseCanonicalName directive changes the hostname that RT
> finds in C<%ENV>. You can read more about what turning it On or Off
> means in the documentation for your version of Apache.
>
> If you use RT behind a reverse proxy, you almost certainly want to
> enable this option.
>
> =cut
>
> Set($CanonicalizeRedirectURLs, 0);

Thanks!!! Just tried it and that looks a lot more promising.
Re: [rt-users] Getting Request Tracker to stick to HTTPS
On 16/05/2012 16:24, Paul Tomblin wrote:
> In RT_Config, it looks like you shouldn't even have to specify
> WebBaseURL - it appears to look to see if WebPort is 443 and changes
> it to https accordingly.

Yes, it is doing that automatically (I have not specified WebBaseURL).

But it reverts me to http after logging in via https

> On Wed, May 16, 2012 at 11:20 AM, Giles Coochey wrote:
>> I have the following set up:
>>
>> Clients --> Squid SSL Offload / Caching Reverse Proxy (HTTPS--->HTTP) -->
>> Apache Routing Proxy (HTTP) --> RT (HTTP)
>>
>> RT (v4.0.5) itself is configured for HTTPS:
>>
>> Set($WebDomain, 'www.domain.net');
>> Set($WebPath, '/ticket');
>> Set($WebPort, 443);
>>
>> On going to Tools --> Configuration --> System Config I see that
>>
>> WebBaseURL is correctly listed as https://www.domain.net
>>
>> So if I navigate to https://www.domain.net/ticket/
>>
>> and Login then next page reverts to http...
>>
>> What do you think I might be missing??
>>
>> How can I force RT to HTTPS?
Re: [rt-users] Getting Request Tracker to stick to HTTPS
Further reading in RT_Config suggests you may need to look at this:

=item C<$CanonicalizeRedirectURLs>

Set C<$CanonicalizeRedirectURLs> to 1 to use C<$WebURL> when
redirecting rather than the one we get from C<%ENV>.

Apache's UseCanonicalName directive changes the hostname that RT
finds in C<%ENV>. You can read more about what turning it On or Off
means in the documentation for your version of Apache.

If you use RT behind a reverse proxy, you almost certainly want to
enable this option.

=cut

Set($CanonicalizeRedirectURLs, 0);

On Wed, May 16, 2012 at 11:24 AM, Paul Tomblin wrote:
> In RT_Config, it looks like you shouldn't even have to specify
> WebBaseURL - it appears to look to see if WebPort is 443 and changes
> it to https accordingly.
>
>
> On Wed, May 16, 2012 at 11:20 AM, Giles Coochey wrote:
>> I have the following set up:
>>
>> Clients --> Squid SSL Offload / Caching Reverse Proxy (HTTPS--->HTTP) -->
>> Apache Routing Proxy (HTTP) --> RT (HTTP)
>>
>> RT (v4.0.5) itself is configured for HTTPS:
>>
>> Set($WebDomain, 'www.domain.net');
>> Set($WebPath, '/ticket');
>> Set($WebPort, 443);
>>
>> On going to Tools --> Configuration --> System Config I see that
>>
>> WebBaseURL is correctly listed as https://www.domain.net
>>
>> So if I navigate to https://www.domain.net/ticket/
>>
>> and Login then next page reverts to http...
>>
>> What do you think I might be missing??
>>
>> How can I force RT to HTTPS?
>>
>
>
>
> --
> http://www.linkedin.com/in/paultomblin
> http://careers.stackoverflow.com/ptomblin

--
http://www.linkedin.com/in/paultomblin
http://careers.stackoverflow.com/ptomblin
Re: [rt-users] Getting Request Tracker to stick to HTTPS
In RT_Config, it looks like you shouldn't even have to specify WebBaseURL - it appears to look to see if WebPort is 443 and changes it to https accordingly.

On Wed, May 16, 2012 at 11:20 AM, Giles Coochey wrote:
> I have the following set up:
>
> Clients --> Squid SSL Offload / Caching Reverse Proxy (HTTPS--->HTTP) -->
> Apache Routing Proxy (HTTP) --> RT (HTTP)
>
> RT (v4.0.5) itself is configured for HTTPS:
>
> Set($WebDomain, 'www.domain.net');
> Set($WebPath, '/ticket');
> Set($WebPort, 443);
>
> On going to Tools --> Configuration --> System Config I see that
>
> WebBaseURL is correctly listed as https://www.domain.net
>
> So if I navigate to https://www.domain.net/ticket/
>
> and Login then next page reverts to http...
>
> What do you think I might be missing??
>
> How can I force RT to HTTPS?
>

--
http://www.linkedin.com/in/paultomblin
http://careers.stackoverflow.com/ptomblin
[rt-users] Getting Request Tracker to stick to HTTPS
I have the following set up:

Clients --> Squid SSL Offload / Caching Reverse Proxy (HTTPS--->HTTP) --> Apache Routing Proxy (HTTP) --> RT (HTTP)

RT (v4.0.5) itself is configured for HTTPS:

Set($WebDomain, 'www.domain.net');
Set($WebPath, '/ticket');
Set($WebPort, 443);

On going to Tools --> Configuration --> System Config I see that

WebBaseURL is correctly listed as https://www.domain.net

So if I navigate to https://www.domain.net/ticket/

and Login then next page reverts to http...

What do you think I might be missing??

How can I force RT to HTTPS?