Confirm Traffic between CloudFlare and origin server is encrypted - ssl

I'm looking for a method to confirm traffic between an origin server and the CloudFlare CDN is encrypted with HTTPS.
I have a Let's Encrypt SSL cert installed on the origin server and at the CloudFlare CDN, I have CloudFlare's universal free generated SSL cert installed.
With caching activated, the browser sees the CloudFlare SSL cert. With caching deactivated, the browser sees the Let's Encrypt SSL cert. So both certs are working fine. But with caching activated, I can't actually see what's happening between the origin and the CDN.
In CloudFlare I have Full (Strict) SSL activated. Ostensibly this means traffic is encrypted between the origin and CDN. But is there a way to confirm this independently?
One method I know is to use Netstat at the origin to check which port is taking the traffic. Netstat is installed but I don't have root SSH access to it. ss is not installed. I do have Python installed and was able to execute a Hello World python script. I don't have Java installed. wget works and can download files. Is there any other method?

Assuming Apache, modify your VirtualHost, add an entry to check and modify your logs.
Here's an answer, https://serverfault.com/a/359482/266552
Option 2, log the port
Here's an answer from that same thread, https://serverfault.com/a/665620/266552
Option 3, redirect all HTTP requests to HTTPS.
Option 3a, you could use mod_rewrite:
RewriteEngine On
# This will enable the Rewrite capabilities
RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e. http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context
https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
Option 3b, an alternative without mod_rewrite:
<VirtualHost *:80>
ServerName mysite.example.com
DocumentRoot /usr/local/apache2/htdocs
Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost _default_:443>
ServerName mysite.example.com
DocumentRoot /usr/local/apache2/htdocs
SSLEngine On
# etc...
</VirtualHost>
Replace #etc... with the rest of your configuration.
https://wiki.apache.org/httpd/RedirectSSL
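As an added example (not part of the original answer) of the log-the-port option: a Python script that reads an access log and reports whether requests arriving from Cloudflare addresses reached the TLS listener. The "cfport" log format, the subset of Cloudflare ranges, and the sample lines are assumptions made for this example; it also assumes %h is the connecting peer (mod_remoteip not rewriting it).

```python
import ipaddress
import re

# Assumption: a subset of Cloudflare's published IPv4 ranges; refresh the list
# from https://www.cloudflare.com/ips/ before relying on the result.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]
# Assumed Apache directive (hypothetical format name "cfport"); %{local}p is
# the port the connection actually arrived on:
#   LogFormat "%h %l %u %t \"%r\" %>s %b %{local}p" cfport
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ (?P<port>\d+)$'
)

def from_cloudflare(ip):
    """True if ip parses and falls inside one of the listed ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_NETS)

def audit(lines, tls_ports=(443,)):
    """Count Cloudflare requests on TLS ports and list any that were not."""
    report = {"cf_tls": 0, "cf_plain": [], "other": 0, "unparsed": 0}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            report["unparsed"] += 1
        elif not from_cloudflare(m["ip"]):
            report["other"] += 1          # direct visitors, scanners, etc.
        elif int(m["port"]) in tls_ports:
            report["cf_tls"] += 1
        else:                             # CDN reached the plaintext listener
            report["cf_plain"].append((m["ip"], m["port"], m["req"]))
    return report

# Constructed sample log lines, not taken from a real server.
SAMPLE = [
    '172.68.10.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 443',
    '162.158.90.12 - - [10/Oct/2023:13:55:37 +0000] "GET /style.css HTTP/1.1" 200 812 443',
    '104.18.3.7 - - [10/Oct/2023:13:55:38 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 80',
    '198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "GET /robots.txt HTTP/1.1" 200 64 80',
    'not a log line',
]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty cf_plain list over a representative period means every logged Cloudflare request arrived on the TLS port; any entry in it is a request the CDN sent to the plaintext listener, including ones that were then answered with a redirect.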

Related

Apache serves different HTTPS vhost on server, instead of requested vhost

site1.com does not have https enabled and no SSL cert installed.
site2.com does have https enabled.
When a site visitor requests https://site1.com, they receive an SSL certificate mismatch error and if they click 'proceed anyway', they are sent to https://site2.com
What can I do to either host, to redirect the traffic back to site1.com, while removing the https, since site1.com does not have an SSL cert?
I tried this in the .htaccess file of site2.com
RewriteEngine on
#if the request is actually for site1 forward them to site1
RewriteRule "^site1.com" "http://site1.com" [R]
#if the request is actually for site1 (with www prefix) forward them to site 1
RewriteRule "^www.site1.com" "http://site1.com" [R]

HTTPS breaks on external clients when redirecting HTTP to HTTPS

I'm using Apache 2.4 on Windows Server 2008 R2.
On the server itself and all company-internal clients, HTTP works fine and HTTPS works fine. Redirecting from HTTP to HTTPS also works fine.
On clients outside the company (i.e., a home machine), HTTP works fine and HTTPS works fine. However, redirecting from HTTP to HTTPS is broken.
The error message that appears is as follows: ERR_CERT_AUTHORITY_INVALID.
When this error occurs, if I look at the details of the certificate, they indicate that the certificate is issued to "localhost.localdomain." I haven't found that domain name in my Apache config files. The details also say that the organization of the certificate is our internet service provider and was issued on May 7, 2011 and expires on March 4, 2021. None of these certificate details are true of our actual certificate. Our certificate was issued by Digicert and expires in 2019.
When I use SSL Labs to diagnose, the test doesn't even fully run and the following error message appears:
Certificate name mismatch
Try these other domain names (extracted from the certificates):
localhost.localdomain
These are my VirtualHost configs:
<VirtualHost *:80>
ServerName www.example.com:80
ServerAlias example.com:80
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*)$ https://www.example.com/$1 [NE,L,R=301]
</VirtualHost>
<VirtualHost *:443>
ServerName www.example.com:443
ServerAlias example.com:443
SSLEngine on
SSLCertificateFile "C:\https\star_example_com.crt"
SSLCertificateKeyFile "C:\https\star_example.com.key"
SSLCertificateChainFile "C:\https\DigiCertCA.crt"
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www.example.com$ [NC]
RewriteRule ^/?(.*)$ https://www.example.com/$1 [NE,L,R=301]
</VirtualHost>
I have also tried redirecting using the following redirect command, but the same thing happens:
Redirect permanent / https://www.example.com/
So, we figured it out. It has very little to do with HTTPS or the redirect.
We have a website failover server that kicks in if it detects that our main site is offline or malfunctioning.
Well, apparently, the failover logic detected 301/302 redirects as failures. The mysterious certificate was being served by the failover server.
We had to change the failover logic to no longer see redirects as failures.

url redirection from http to https in IBM Web server

I have installed SSL certificates in my WAS 7.0 and pointed to IBM Http Server under httpd.conf file. I have implemented the below rewrite mechanism also. But still unable to redirect from http request to https for specific context root applications.
Please suggest me.
implemented below lines under httpd.conf file.
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<IfModule mod_ibm_ssl.c>
Listen 443
<VirtualHost *:443>
SSLEnable
SSLProtocolDisable SSLv2
ErrorLog logs/error_log
CustomLog logs/access_log common
RewriteEngine On
RewriteOptions Inherit
</VirtualHost>
</IfModule>
KeyFile "/IBM/HTTPServer/testSSL/testkey.kdb"
SSLStashFile "/IBM/HTTPServer/testSSL/testkey.sth"
RewriteEngine on
RewriteRule ^/testPOC/(.*)$ https://localhost/testPOC/$1
Config looks OK. Perhaps you have an explicit *:80 virtualhost defined somewhere, in which case you need to put the mod_rewrite directives there instead.
Like Eric stated the most likely answer is a VH for *:80 needing the RewriteRule. Another outside possibility would be the use of localhost for the host name. Make sure you haven't done something that causes the loopback to not be handled properly. You can always try the real host name or IP to make sure using localhost does not cause problems (hosts file, A load balancer using the loopback, etc).
Use RewriteLog to verify rewrite was done. Also make sure plugin-cfg.xml is set up to recognize port 443. It might have an explicit host name:443 for a VH as opposed to *:443. Using localhost would not match in that case. If you have a Load Balancer in front of IHS, it might be doing SSL offloading and SSL never makes it to IHS for the problem context roots.

Redirecting New Domain Name to Server

I recently purchased a new domain name from 1and1.com and used their HTTP redirect option to point to the address of my server. Let's say, for example, the fresh domain is new.com and the established server is old.com.
I have it redirecting to old.com/new via 1and1's configuration page, which works, save for the fact that when I visit new.com, it changes the browser's URL to old.com/new. This is obviously not what I want to happen.
I've set up htaccess rules:
# BEGIN New.com
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^new.com
RewriteRule ^(.*) http://old.com/new [P]
</IfModule>
# END New.com
Likewise, I've done the Apache configuration of Virtual Hosts:
<VirtualHost *:80>
ServerName www.new.com
DocumentRoot /www/old/html/new/
</VirtualHost>
I then proceeded to flush my local DNS cache. Yet still, it persists in changing the address bar in my browser to old.com/new. What am I missing? Does it just need time to propagate or have I misconfigured / failed to properly set something up?
You need to change 1and1's "new.com" DNS entry to point to the same IP that "old.com" is using. While the htaccess rule (which I assume is at the new.com document root) kind of does what you want, it requires that mod_proxy be loaded, which is something I doubt 1and1 hosting allows.
What you need to do is set it up such that when you go to a site like this and do a DNS lookup for new.com, you get the same IP as when you lookup "old.com".
On old.com's server, you have the vhost setup:
<VirtualHost *:80>
ServerName www.new.com
DocumentRoot /www/old/html/new/
</VirtualHost>
which should be all you need to at least access the contents in /www/old/html/new/.

Using mod_rewrite to Mimic SSL Virtual Hosts?

What is the best way to transparently rewrite a URL over an SSL connection with Apache 2.2?
Apache 2 does not natively support multiple name-based virtual hosts for an SSL connection and I have heard that mod_rewrite can help with this. I would like to do something like this:
I have set up the server so that the sites can be accessed by
https://secure.example.com/dbadmin
but I would like to have this as https://dbadmin.example.com
How do I set it up so that the Rewrite rule will rewrite dbadmin.example.com to secure.example.com/dbadmin, but without displaying the rewrite on the client's address bar (i.e. the client will still just see dbadmin.example.com), all over https?
Configure a single VirtualHost to serve both secure.example.com and dbadmin.example.com (making it the only *:443 VirtualHost achieves this). You can then use mod_rewrite to adjust the URI for requests to dbadmin.example.com:
<VirtualHost *:443>
ServerName secure.example.com
ServerAlias dbadmin.example.com
RewriteEngine on
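RewriteCond %{SERVER_NAME} dbadmin.example.com
# A negated pattern captures nothing, so $1 would be empty there;
# exclude paths already under /dbadmin with a condition instead.
RewriteCond %{REQUEST_URI} !^/dbadmin
RewriteRule ^/(.*)$ /dbadmin/$1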
</VirtualHost>
Your SSL certificate will need to be valid for both secure.example.com and dbadmin.example.com. It can be a wildcard certificate as mentioned by Terry Lorber, or you can use the subjectAltName field to add additional host names.
If you're having trouble, first set it up on <VirtualHost *> and check that it works without SSL. The SSL connection and certificate is a separate layer of complexity that you can set up after the URI rewriting is working.
Unless your SSL certificate is the "wildcard" or multi-site kind, then I don't think this will work. The rewrite will display in the browser and the name in the address bar must be valid against the certificate, or your users will see a security error (which they can always accept and continue, but that doesn't sound like what you'd like).
More here.
There is Apache's mod_rewrite, or you could set up Apache to direct https://dbadmin.example.com to path/to/example.com/dbadmin on the server
<VirtualHost *>
ServerName subdomain.domain.com
DocumentRoot /home/httpd/htdocs/subdomain/
</VirtualHost>