[users@httpd] RedirectMatch and rewrite rules not working
Ever have one of those days where after staring at the configuration for hours you don't see what you are doing wrong? I am having that kind of day. I browse to the URLs https://evumail8prd01.ci.northwestern.edu/activate and https://evumail8prd01.ci.northwestern.edu/manage and all I get is a 404 error. Nothing usable in the logs. I know I am missing something simple but the issue is escaping me.

The configuration is stolen from the existing RHEL 6 & Apache 2.2 instance combined with the Mozilla template from https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1k&ocsp=false&guideline=5.7 now on RHEL 8 & Apache 2.4.

Please help!

My configuration:

# generated 2023-06-08, Mozilla Guideline v5.7, Apache 2.4.41, OpenSSL 1.1.1k, modern configuration
# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1k&guideline=5.7

# modern configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder off
SSLSessionTickets off

SSLUseStapling Off
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

# this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

ServerName evumail8prd01.ci.northwestern.edu
ServerName evumail.northwestern.edu
ServerName umail.northwestern.edu
DocumentRoot /var/www/html
ScriptAlias /cgi-bin /var/www/cgi-bi
RewriteEngine on
# RewriteRule ^/activate /umail3/netid.php?r=a [R]
# RewriteRule ^/manage/umail3/netid.php?r=m [R]
LogLevel alert rewrite:trace6
RedirectMatch permanent ^/activate$ "https://evumail8prd01.ci.northwestern.edu/umail3/netid.php?r=a";
RedirectMatch permanent ^/manage$ "https://evumail8prd01.ci.northwestern.edu/umail3/netid.php?r=m";
Options -Indexes
SSLOptions +StdEnvVars
Options -Indexes
DirectorySlash On
SSLOptions +StdEnvVars
# Qualys
Header always append X-Frame-Options SAMEORIGIN
# Tenable
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# enable HTTP/2, if available
Protocols h2 http/1.1
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
Header always set Strict-Transport-Security "max-age=63072000"
ErrorLog logs/ssl_error_log
#LogLevel debug
CustomLog logs/ssl_agent_log agent
CustomLog logs/ssl_referer_log referer
TransferLog logs/ssl_access_log
CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLEngine on
SSLCertificateFile /etc/httpd/certs/evumail8prd01_ci_northwestern_edu_cert.cer
SSLCertificateKeyFile /etc/httpd/certs/evumail8prd01_ci_northwestern_edu.key

ServerName u.northwestern.edu
ServerAlias www.u.northwestern.edu
Redirect / https://mail.google.com/a/u.northwestern.edu/

ServerName u.northwestern.edu
ServerAlias www.u.northwestern.edu
Redirect / https://mail.google.com/a/u.northwestern.edu/

Darryl Baker, GSEC, GCLD (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
4th Floor
2020 Ridge Avenue
Evanston, IL 60208-0801
darryl.ba...@northwestern.edu
(847) 467-6674

Re: [users@httpd] node.js application listening on port 8000 enabled with SSL certificate returns ERR_SSL_PROTOCOL_ERROR on browser.
I will be in a meeting for the rest of the afternoon. Here is an anonymized version of my working configuration. Hope it helps.

The main URL is https://directory.uexample.com/search
nodejs is expecting /search

ServerName directory.example.com
ServerAlias hostnameaa.mid.example.com
ServerAlias hostnameab.mid.example.com
SSLEngine on
SSLCertificateFile /etc/httpd/certs/cert.pem
SSLCertificateKeyFile /etc/httpd/certs/cert.pem
SSLOptions +StdEnvVars
RewriteEngine On
LogLevel alert rewrite:trace6
CustomLog logs/nodejs_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ErrorLog /var/log/httpd/nodejs_error.log
CustomLog /var/log/httpd/nodejs_access.log combined
DocumentRoot /var/www/iam-directory/dist
# RewriteRule ^/health-check-test.txt$ /public/health-check-test.txt
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
# When a request comes in, test to see if there's a matching static file in the "public" dir
RewriteCond %{DOCUMENT_ROOT}/public/%{REQUEST_URI} !-f
# If request does not include a static file, proxy it to the backend
RewriteRule ^(.*)$ http://localhost:8000$1 [P]
# Otherwise, add "public" to it (e.g., serve the file)
RewriteRule ^(.*)$ /public$1 [L]

Darryl Baker, GSEC, GCLD (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
4th Floor
2020 Ridge Avenue
Evanston, IL 60208-0801
darryl.ba...@northwestern.edu
(847) 467-6674

From: Kaushal Shriyan
Reply-To: Apache httpd Users
Date: Wednesday, June 21, 2023 at 12:40 PM
To: Apache httpd Users
Subject: Re: [users@httpd] node.js application listening on port 8000 enabled with SSL certificate returns ERR_SSL_PROTOCOL_ERROR on browser.

On Wed, Jun 21, 2023 at 10:35 PM Darryl Baker <darryl.ba...@northwestern.edu> wrote:

Have you tried browsing to https://nodejs.mydomain.com/demo/index.html

The proxy configuration in Apache will direct the connection to nodejs over port 8000.

Hi Darryl,

When I am trying to access the URL https://nodejs.mydomain.com/demo/index.html, I am seeing the below information in Apache HTTP server access logs.

172.16.16.45 - drupaladmin [21/Jun/2023:23:04:07 +0530] "GET /demo/index.html HTTP/1.1" 404 25644 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
172.16.16.45 - drupaladmin [21/Jun/2023:23:04:18 +0530] "GET /demo/index.html HTTP/1.1" 404 25644 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
172.16.16.45 - drupaladmin [21/Jun/2023:23:04:39 +0530] "GET /demo/index.html HTTP/1.1" 404 25644 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"

Please suggest further. Thanks in advance.

Best Regards,
Kaushal

Re: [users@httpd] node.js application listening on port 8000 enabled with SSL certificate returns ERR_SSL_PROTOCOL_ERROR on browser.
Have you tried browsing to https://nodejs.mydomain.com/demo/index.html

The proxy configuration in Apache will direct the connection to nodejs over port 8000.

Darryl Baker, GSEC, GCLD (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
4th Floor
2020 Ridge Avenue
Evanston, IL 60208-0801
darryl.ba...@northwestern.edu
(847) 467-6674

From: Kaushal Shriyan
Reply-To: Apache httpd Users
Date: Wednesday, June 21, 2023 at 11:58 AM
To: Apache httpd Users
Subject: [users@httpd] node.js application listening on port 8000 enabled with SSL certificate returns ERR_SSL_PROTOCOL_ERROR on browser.

Hi,

I am running node.js application on port 8000 and Apache HTTP server on CentOS Linux release 7.9.2009 (Core)

# node --version
v16.20.0
# httpd -v
Server version: Apache/2.4.57 (IUS)
Server built: Apr 7 2023 14:49:47

# httpd.conf file configuration
#cat /etc/httpd/conf.d/nodejsnodejsssl.conf
SSLEngine On
SSLProxyEngine On
ServerName nodejs.mydomain.com
SSLCertificateFile /etc/letsencrypt/live/nodejs.mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nodejs.mydomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/nodejs.mydomain.com/chain.pem
ProxyPass http://localhost:8000/

When I am trying to access the URL https://nodejs.mydomain.com:8000/demo/index.html, I am encountering the below error on the browser.

This site can't provide a secure connection
nodejs.mydomain.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

Please comment if the above httpd conf file is incorrect or if I am missing anything. Thanks in advance.

Best Regards,
Kaushal
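
Added example, not part of the thread or of either poster's setup: a listener that speaks plain HTTP (the posted ProxyPass target is http://localhost:8000/) cannot complete a TLS handshake, so this probe classifies a port as TLS or plain HTTP before deciding which scheme and port clients should use. `start_plain_backend` and `probe` are hypothetical names, and the backend is a constructed stand-in bound to loopback.

```python
import socket
import ssl
import threading

def start_plain_backend():
    """Constructed stand-in for the app on port 8000: plain HTTP, no TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))              # loopback only, ephemeral port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                 # listener was closed
                return
            with conn:
                ok = conn.recv(4096).startswith(b"GET ")
                status = b"200 OK" if ok else b"400 Bad Request"
                conn.sendall(b"HTTP/1.1 " + status +
                             b"\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def probe(host, port, timeout=2.0):
    """Classify a listener: 'tls', 'plain-http', 'other' or 'unreachable'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False              # protocol detection only;
    ctx.verify_mode = ssl.CERT_NONE         # certificate trust is not judged here
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except (ssl.SSLError, ConnectionResetError, socket.timeout):
        pass                                # something answered, but not with TLS
    except OSError:
        return "unreachable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"GET / HTTP/1.0\r\n\r\n")
            reply = raw.recv(16)
    except OSError:
        return "unreachable"
    return "plain-http" if reply.startswith(b"HTTP/") else "other"

if __name__ == "__main__":
    _, port = start_plain_backend()
    print(port, probe("127.0.0.1", port))
```

A result of `plain-http` for the backend port means TLS has to terminate at Apache on 443, with the backend port kept off the public interface.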