[users@httpd] RedirectMatch and rewrite rules not working

2023-07-19 Thread Darryl Baker
Ever have one of those days where after staring at the configuration for hours 
you don’t see what you are doing wrong?
I am having that kind of day. I browse to the URLs 
https://evumail8prd01.ci.northwestern.edu/activate and 
https://evumail8prd01.ci.northwestern.edu/manage and all I get is a 404 error. 
Nothing usable in the logs. I know I am missing something simple but the issue 
is escaping me. The configuration is stolen from the existing RHEL 6 & Apache 
2.2 instance combined with the Mozilla template from 
https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1k&ocsp=false&guideline=5.7
 now on RHEL 8 & Apache 2.4

Please help!

My configuration:

# generated 2023-06-08, Mozilla Guideline v5.7, Apache 2.4.41, OpenSSL 1.1.1k, modern configuration
# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1k&guideline=5.7

# modern configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder off
SSLSessionTickets   off

SSLUseStapling Off
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

# this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]



ServerName evumail8prd01.ci.northwestern.edu
ServerName evumail.northwestern.edu
ServerName umail.northwestern.edu

DocumentRoot /var/www/html
ScriptAlias /cgi-bin  /var/www/cgi-bi

RewriteEngine on

#   RewriteRule ^/activate  /umail3/netid.php?r=a   [R]
#   RewriteRule ^/manage/umail3/netid.php?r=m   [R]
LogLevel alert rewrite:trace6
RedirectMatch permanent ^/activate$ "https://evumail8prd01.ci.northwestern.edu/umail3/netid.php?r=a"
RedirectMatch permanent ^/manage$   "https://evumail8prd01.ci.northwestern.edu/umail3/netid.php?r=m"


Options -Indexes



SSLOptions +StdEnvVars
Options -Indexes


DirectorySlash On


SSLOptions +StdEnvVars


# Qualys
Header always append X-Frame-Options SAMEORIGIN

# Tenable
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# enable HTTP/2, if available
Protocols h2 http/1.1

# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
Header always set Strict-Transport-Security "max-age=63072000"

ErrorLog logs/ssl_error_log
#LogLevel debug

CustomLog logs/ssl_agent_log agent
CustomLog logs/ssl_referer_log referer

TransferLog logs/ssl_access_log

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

SSLEngine on
SSLCertificateFile      /etc/httpd/certs/evumail8prd01_ci_northwestern_edu_cert.cer
SSLCertificateKeyFile   /etc/httpd/certs/evumail8prd01_ci_northwestern_edu.key




ServerName u.northwestern.edu
ServerAlias www.u.northwestern.edu
Redirect / https://mail.google.com/a/u.northwestern.edu/



ServerName u.northwestern.edu
ServerAlias www.u.northwestern.edu
Redirect / https://mail.google.com/a/u.northwestern.edu/




Darryl Baker, GSEC, GCLD  (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
4th Floor
2020 Ridge Avenue
Evanston, IL  60208-0801
darryl.ba...@northwestern.edu
(847) 467-6674


Re: [users@httpd] node.js application listening on port 8000 enabled with SSL certificate returns ERR_SSL_PROTOCOL_ERROR on browser.

2023-06-21 Thread Darryl Baker
I will be in a meeting for the rest of the afternoon. Here is an anonymized 
version of my working configuration. Hope it helps.

The main URL is https://directory.uexample.com/search

nodejs is expecting /search


ServerName  directory.example.com
ServerAlias hostnameaa.mid.example.com
ServerAlias hostnameab.mid.example.com

SSLEngine   on

SSLCertificateFile  /etc/httpd/certs/cert.pem
SSLCertificateKeyFile   /etc/httpd/certs/cert.pem
SSLOptions  +StdEnvVars

RewriteEngine On
LogLevel alert rewrite:trace6

CustomLog logs/nodejs_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

ErrorLog    /var/log/httpd/nodejs_error.log
CustomLog   /var/log/httpd/nodejs_access.log combined

DocumentRoot /var/www/iam-directory/dist

# RewriteRule ^/health-check-test.txt$ /public/health-check-test.txt
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

# When a request comes in, test to see if there's a matching static file in the "public" dir
RewriteCond %{DOCUMENT_ROOT}/public/%{REQUEST_URI} !-f

# If request does not include a static file, proxy it to the backend
RewriteRule ^(.*)$ http://localhost:8000$1 [P]

# Otherwise, add "public" to it (e.g., serve the file)
    RewriteRule ^(.*)$ /public$1 [L]




Darryl Baker, GSEC, GCLD  (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
4th Floor
2020 Ridge Avenue
Evanston, IL  60208-0801
darryl.ba...@northwestern.edu
(847) 467-6674

From: Kaushal Shriyan 
Reply-To: Apache httpd Users 
Date: Wednesday, June 21, 2023 at 12:40 PM
To: Apache httpd Users 
Subject: Re: [users@httpd] node.js application listening on port 8000 enabled 
with SSL certificate returns ERR_SSL_PROTOCOL_ERROR on browser.

On Wed, Jun 21, 2023 at 10:35 PM Darryl Baker 
<darryl.ba...@northwestern.edu> wrote:
Have you tried browsing to https://nodejs.mydomain.com/demo/index.html? The 
proxy configuration in Apache will direct the connection to nodejs over port 
8000.

Hi Darryl,

When I am trying to access the URL 
https://nodejs.mydomain.com/demo/index.html, I am seeing the below 
information in Apache HTTP server access logs.

172.16.16.45 - drupaladmin [21/Jun/2023:23:04:07 +0530] "GET /demo/index.html HTTP/1.1" 404 25644 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
172.16.16.45 - drupaladmin [21/Jun/2023:23:04:18 +0530] "GET /demo/index.html HTTP/1.1" 404 25644 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
172.16.16.45 - drupaladmin [21/Jun/2023:23:04:39 +0530] "GET /demo/index.html HTTP/1.1" 404 25644 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"

Please suggest further. Thanks in advance.

Best Regards,

Kaushal


Re: [users@httpd] node.js application listening on port 8000 enabled with SSL certificate returns ERR_SSL_PROTOCOL_ERROR on browser.

2023-06-21 Thread Darryl Baker
Have you tried browsing to https://nodejs.mydomain.com/demo/index.html? The 
proxy configuration in Apache will direct the connection to nodejs over port 
8000.

Darryl Baker, GSEC, GCLD  (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
4th Floor
2020 Ridge Avenue
Evanston, IL  60208-0801
darryl.ba...@northwestern.edu
(847) 467-6674

From: Kaushal Shriyan 
Reply-To: Apache httpd Users 
Date: Wednesday, June 21, 2023 at 11:58 AM
To: Apache httpd Users 
Subject: [users@httpd] node.js application listening on port 8000 enabled with 
SSL certificate returns ERR_SSL_PROTOCOL_ERROR on browser.

Hi,

I am running node.js application on port 8000 and Apache HTTP server on CentOS 
Linux release 7.9.2009 (Core)

# node --version
v16.20.0
# httpd -v
Server version: Apache/2.4.57 (IUS)
Server built:   Apr  7 2023 14:49:47
#

httpd.conf file configuration
#cat /etc/httpd/conf.d/nodejsnodejsssl.conf

SSLEngine On
SSLProxyEngine On
ServerName nodejs.mydomain.com
SSLCertificateFile /etc/letsencrypt/live/nodejs.mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nodejs.mydomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/nodejs.mydomain.com/chain.pem

ProxyPass http://localhost:8000/



When I am trying to access the URL 
https://nodejs.mydomain.com:8000/demo/index.html, I am encountering the below 
error on the browser.

This site can’t provide a secure connection
nodejs.mydomain.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

Please comment if the above httpd conf file is incorrect or if I am missing 
anything. Thanks in advance.

Best Regards,

Kaushal