If you access the site via https://webserver01, then the certificate mismatch error will happen before the HTTP transaction (and redirect) can happen.

This is the same for http://webserver01, since your redirect to HTTPS does not rewrite the hostname.

On 03/12/15 11:01, Will Dennis wrote:
Hi all,

I have an Apache site running that should only be accessed via HTTPS.
What we wish to ensure is that if the site is called by its DNS
shortname (example, `https://webserver01` rather than
`https://webserver01.mycompany.com`), that the URL request is rewritten
to be for `https://webserver01.mycompany.com`, and also if the URL has
the `http://` protocol, that is rewritten to `https://`.

In the conf file for this site, we have the following rewrite rules:

     (in httpd.conf:)

     <VirtualHost *:80>
       RequestHeader set X-Forwarded-Proto "http"
       RewriteEngine On
       RewriteCond   %{HTTP:X-Forwarded-Proto} !https
       RewriteRule   (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
     </VirtualHost>

     (and in the include file ssl.conf:)

     RewriteEngine on
     RewriteCond %{HTTP_HOST}   !^webserver01\.mycompany\.com [NC]
     RewriteCond %{HTTP_HOST}   !^$
     RewriteRule ^(.*)$ https://webserver01.mycompany.com$1 [r=301,nc]

What is happening is that if I call the site as
`http://webserver01.mycompany.com`, the URL is indeed transformed into
`https://webserver01.mycompany.com` and the SSL connection works fine
(no errors.) However, if I form the URL as either `http://webserver01`
or `https://webserver01`, it does not get rewritten correctly (it does
switch the proto to HTTPS, but doesn't rewrite the rest of the URL), and
I get a resulting SSL error (`NET::ERR_CERT_COMMON_NAME_INVALID` in
Chrome) since the certificate has the common name of
`webserver01.mycompany.com`.

I have tested the ssl.conf rewrite rule via the site
http://htaccess.madewithlove.be/ and it is doing the correct rewrite...
So is it an order-of-operations problem or something? (Please excuse my
ignorance with Apache and mod_rewrite, haven't had to admin an Apache
site for many moons now...)

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
_______________________________________________
Tech mailing list
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
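
The order of operations described in the reply, as an added model that is not part of the original thread: it re-implements the two posted rewrite rules in Python (rather than running them through Apache) and follows each URL the way a browser would, checking the certificate name before any HTTP request is sent. The function names are hypothetical, and `port80_canonical` is an assumed alternative port-80 rule that nobody in the thread proposed.

```python
from urllib.parse import urlsplit

CANONICAL = "webserver01.mycompany.com"  # certificate common name, from the post
CERT_NAMES = {CANONICAL}                 # names the certificate is valid for

def port80_original(host, path):
    # Posted rule: RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
    # The X-Forwarded-Proto condition always holds on port 80, so it always redirects.
    return f"https://{host}{path}"

def port80_canonical(host, path):
    # Assumed alternative (not from the thread):
    # RewriteRule (.*) https://webserver01.mycompany.com%{REQUEST_URI} [R=301,L]
    return f"https://{CANONICAL}{path}"

def ssl_vhost(host, path):
    # Posted ssl.conf rule: redirect when HTTP_HOST is non-empty and does not
    # start with the canonical name (the pattern has no end anchor, NC = no case).
    if host and not host.lower().startswith(CANONICAL):
        return f"https://{CANONICAL}{path}"
    return None  # no redirect, the page is served

def trace(url, port80_rule, max_hops=5):
    """Follow redirects like a browser; return (outcome, list of URLs visited)."""
    visited = []
    for _ in range(max_hops):
        visited.append(url)
        parts = urlsplit(url)
        host, path = parts.hostname, parts.path or "/"
        if parts.scheme == "https":
            # The TLS handshake and name check happen before any HTTP request,
            # so mod_rewrite never sees a request that fails here.
            if host.lower() not in CERT_NAMES:
                return "cert_mismatch", visited
            url = ssl_vhost(host, path)
            if url is None:
                return "ok", visited
        else:
            url = port80_rule(host, path)
    return "redirect_loop", visited

if __name__ == "__main__":
    for rule in (port80_original, port80_canonical):
        for start in ("http://webserver01.mycompany.com/", "http://webserver01/",
                      "https://webserver01/"):
            print(rule.__name__, start, *trace(start, rule))
```

In this model the assumed port-80 rule only changes the outcome for `http://webserver01`; `https://webserver01` fails the name check under both rules because no rewrite rule runs before the handshake completes.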
