Change Status Code in Apache httpd when certificate auth fails - apache

I'm trying to figure out how to return a different status response code when certificate authentication fails (i.e. no certificate, invalid or revoked, etc.). If the certificate is good, I already have everything working as it should.
What I want is to return a 410 Gone code, to make it look like the domain doesn't even exist, instead of Apache's mod_ssl normal response of "handshake_error" or "revoked_certificate", etc.
I tried using mod_rewrite but since mod_ssl handles this directly, it seems that the rewrite doesn't get used.
Here's what I tried.
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /path/to/cert.pem
SSLVerifyClient require
SSLVerifyDepth 1
RewriteEngine On
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteRule .* - [R=410,L]
# ... other virtual host configuration ...
</VirtualHost>

My expectation is: as you configure
SSLVerifyClient require
you are mandating that there is a valid client certificate. Without it, no connection will be established, that could transport a proper http status code. As there is no connection, you can't expect mod_rewrite to do anything.
A way to achieve what you want would be to allow connections without client cert and handle behavior in application code. There might be other options.
I'd not use too much time on obfuscating the error condition though. It makes debugging harder and any attacker can see that there is a dns entry and where it points to.

Related

HTTP POST request, subdomain and SSL

A CAS server is trying to send a logout request via HTTP POST request to my webapp. But I'm not able to receive that request.
After few tests, it seems that the problem comes from a mix between the subdomain / the redirection and the SSL.
If I send a POST request to https://mywebsite.com/theapp/ the app receives the request.
But if I send a POST request to https://subdomain.mywebsite.com/theapp/ I never receive it. However, using Python or Curl, when setting the disabling the SSL verification, I receive the POST request on my subdomain.
It seems like a something has to be modified in the configuration file of Apache...but I don't know what.
Could someone help me ?
Thanking you in advance.
EDIT :
Those two part in the /etc/httpd/conf.d/ssl.conf file might help to find the issue :
Redirect /subdomain https://subdomain.website.com
and
<VirtualHost _default_:443>
DocumentRoot /var/www/html/subdomain/
ServerName subdomain.website.com
SSLEngine ON
SSLCertificateFile /etc/letsencrypt/live/subdomain.website.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/subdomain.website.com/privkey.pem
</VirtualHost>
Issue has been resolved, thanks to Steffen. Here's what I (we) did :
Using SSLLabs I've tested the SSL certificate. The result was an "Incomplete Certificate". Apparently browser can overcome this issue, but it wasn't the case of the CAS server (or Curl, or Python).
I had to complete the apache ssl.conf file with the SSLCertificateChainFile option.
That being done, I could send a secure POST request with curl and python. There were then still small changes to do for the logout function but the SSL certificate was the main issue. And now, finally, it all works.
Thank you very much for all your help Steffen (I never thought I could see the end of it, and your help was just tremendous) !

virtual host settings for typo3

DocumentRoot "C:/xampp_7/htdocs/BackupForEdow/Eddddddddd"
<Directory C:/xampp_7/htdocs/BackupForEdow/Eddddddddd>
AllowOverride All
Order Allow,Deny
Allow from All
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond {REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
</IfModule>
</Directory>
Is this correct for a typo3 project?
I am not able to access the frontend of typo3 but my backend works correctly. The front-end shows an internal server error.
Please help me to create the virtual host.
The vhost really does depend on other things: For example if you use the shipped .htaccess, you don't need the rewrite statements.
Copy the _.htaccess from the TYPO3 source to .htaccess in your document root for that.
About errors in general: As already recommended, look in the Apache (or php) error logs. Also look in the TYPO3 system log ("Log" in the Backend).
About the certificate error: You need to set up an SSL/TLS certificate if you want to be able to access your website via https://. This is not a TYPO3 specific thing. You may want to consult other resources, e.g. search on stackoverflow.
Perhaps this helps.
Also, check if you can load your webpage via http://
For ssl in general you need these things:
Create a signed certificate. Your hoster should be able to help you with that. If you are setting up your TYPO3 installation on your desktop PC, you can skip that part for now and override the error message in the browser. For a public website you should always setup your certificates correctly, though.
Make sure the Apache ssl modules are enabled. I don't know enough about Xampp to help you there.
Create and enable a vhost file for ssl / port 443. Look for an existing example ssl vhost files in the sites-available directory, e.g. default-ssl.conf or search for examples online
Having a not correct server name in the certificate should usually not lead to a 500 error. It should generate a warning in the browser.

AWS - Apache application behind app load server not using SSL certificate

I have placed my instances behind an ALB that has an ACM provided SSL certificate configured with it. However, when I browse to the web page (that I have configured via Route53's alias record to the App Load Balancer), it says that my connection is not secure.
What am I doing wrong here? Do I need to configure Apache somehow?
I got help from the following site. Added the code below to an .htaccess file that I placed at the app root, i.e., /var/www/html.
Caveat: Be aware that even though my app was running behind a load balancer, .htaccess is disabled by default in EC2 as a security measure and therefore needs to be be enabled by editing etc/httpd/conf/httpd.conf, where you change AllowOverRide = None to AllowOverRide = All
Code for .htaccess:
# Begin force ssl
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 443
RewriteRule ^(.*)$ https://your-domain/$1 [R,L]
</IfModule>
Restart apache once you've got this in there. sudo service httpd restart.
If it still doesn't work, clear browser cache. If it doesn't work for www.your-domain.com, it is quite possible that you ordered the certificate for your-domain.com only. Make a new certificate (they are free), with both names added to it.

Apache Conditional Redirect Rule not forwarding header values

Goal:
To perform conditional redirect/forward from Site1 to Site2 based on specific header (HTTP_SM_USER) value of the request (in Site1) and ensure all the current custom header data is forwarded as part of the redirect/forward to Site2. The user can see the url change in the browser window after the redirect.
Flow:
User accesses Site 1 --> External Application Sets few custom headers in addition to default HTTP headers based on certain criteria --> Web-server looks for specific header value and if matches redirect all the headers to Site 2.
Apache Web server Config:
<VirtualHost *.443>
ServerName site1.com
ServerAdmin ashish#test.com
UseCanonicalName on
DocumentRoot /var/www/html
#
# SSL Config comes here
#
ErrorLog /path/to/error/log
TransferLog /path/to/access/log
LogLevel warn
RewriteEngine On
RewriteCond %{HTTP:SM_USER} ^USER1$ [NC]
RewriteRule .* https://site2.com/$1 [R=301, L]
<Location /page1>
.
.
</Location>
.
.
.
</VirtualHost>
Question: The Conditional Redirect happens but the headers are lost. What should I do to ensure the HTTP headers are forwarded as well ? I tried to see into apache mod_proxy but wasn't sure how in this scenario to use it. Experts please help. Any alternative suggestions are welcome too.
Solution:
I finally got it to work (with mod_proxy) after a lot of troubleshooting using the below flags and proxy rules. All Rewrite rules were removed.
ProxyRequests Off
ProxyPreserveHost On
SSLProxyEngine On
ProxyPass "/" "https://site2.com/" Keepalive=On
ProxyPassReverse "/" "https://site2.com/"
Note: User accesses Site 1 -> External app sets headers and apache immediately proxies to Site 2. Headers are now available on Site2.
You can't have the redirect "forward" headers, because it is up to the client what it sends to the next server after it has been issued a redirect. It may choose not to follow the redirect at all! Unlikely but just to make it clear what the situation is.
If you want the URL to change in the browser, then you need to do this on the application side. Have your application handle directing to the next server, and just issue a 200 response with an instruction for it to do so. Then it can send the custom headers as it did with the first request.
If that is not acceptable, then using mod_proxy could work as you said, but it would not change the URL in the browser, because the first server would be proxying the request to the second, so the browser would still see it as being the first.
In summary, you cannot do what you want to do, because HTTP does not work that way, so you are going to have to compromise in some way, either by not changing the URL in the browser, or by updating the application to take care of it.

Reverse proxy with request dispatch (to Rstudio server)

I have a multi-tier application of three layers lets say public, business and workspace (all running apache).
Client requests hits the public servers, requests are processed and dispatched on to business servers that does 'things' and response is returned back to public server which then processes the response and pass it on to the client.
I have a scenario wherein I want a request say /rstudio coming to the public server dispatched onto the business which intern reverse proxy to workspace server. There are two catch here:
the workspace server varies per request
application running on workspace server (Rstudio) uses GWT and references resources (static resources js, css etc and RPC coms) on the root url. All the in-application redirection also happens on the domain.
From the business server, I have setup reverse proxy to Rstudio server from my application server.
<Proxy *>
Allow from localhost
</Proxy>
ProxyPass /rstudio/ http://business_server/
ProxyPassReverse /rstudio/ http://business_server/
RedirectMatch permanent ^/rstudio$ /rstudio/
and this work fine (ref. https://support.rstudio.com/hc/en-us/articles/200552326-Running-with-a-Proxy). To handle dynamic workspace server, I could the following but ProxyPassReverse does not support expression in value and this no joy with this approach.
ProxyPassMatch ^/rstudio/(.*)$ http://$1
ProxyPassReverse ^/rstudio/(.*)$ http://$1
RedirectMatch permanent ^/rstudio$ /rstudio/
I have tried the same with mod_rewrite rule (following) but without ProxyPassReverse and due to domain redirection on the GWT Rstudio, this does not work. Adding ProxyPassReverse would fix the problem but I am caught up with no expression on value part to deal with dynamic workspace server issue.
RewriteRule "^/rstudio/(.*)" "http://$1" [P]
Following is the third approach to solve this problem using LocationMatch and mod_headers:
<LocationMatch ^/rstudio/(.+)>
ProxyPassMatch http://$1
Header edit Location ^http:// "http://%{SERVER_NAME}e/rstudio/"
</LocationMatch>
But this is no joy too because value on header directive is not evaluated against environment variable (and only back-references work here). Althought I can get the reverse proxy thing working if I had code the business_server, which is :
<LocationMatch ^/rstudio/(.+)>
ProxyPassMatch http://$1
Header edit Location ^http:// "http://private_server/rstudio/"
</LocationMatch>
Question 1: I was wondering if there are any better way to solve this problem without hardcoding the server DNS in apache conf?
Question 2: With the hard coded server DNS the reverse proxy works for me (patchy but works) but I am hit with GWT issue of resource references on root and the request dispatch is not fully working. I get to the signin page but resources are not found.
I was wondering if there is any better way to handle that?
Following is the example log from browser:
Navigated to https://public_server/rstudio
rworkspaces:43 GET https://public_server/rstudio.css
rworkspaces:108 GET https://public_server/js/encrypt.min.js
rworkspaces:167 GET https://public_server/images/rstudio.png 404 (Not Found)
rworkspaces:218 GET https://public_server/images/buttonLeft.png 404 (Not Found)
rworkspaces:218 GET https://public_server/images/buttonTile.png 404 (Not Found)
rworkspaces:218 GET https://public_server/images/buttonRight.png 404 (Not Found)