.htaccess Redirect based on SSL Protocol - apache

Following the POODLE SSL 3.0 exploit we are removing support for SSL 3.0 accross our servers. Ideally we would like to clearly let users on legacy clients know why they aren't able to access the site now.
We could redirect IE6 users to a help page automatically, but as a neater, cross client solution, is it possible to create a .htaccess directive to redirect clients based on them trying to negotiate a connection using the SSL 3.0 protocol?

RewriteEngine On
RewriteCond %{SSL:SSL_PROTOCOL} ^SSLv3$
RewriteRule ^.*$ https://zmap.io/sslv3/ [L,R=302]
This redirects it to https://zmap.io/sslv3/ but you can change the URL to your own help page.

Related

Had webserver "infinite redirect" errors, thought it was permissions or Apache, but it was a WordPress plugin setting

No matter what, I keep getting "ERR_TOO_MANY_REDIRECTS". Is there a "proper" way to redirect all http requests to https? (other than the five listed below...)
I have this:
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>
I also tried the top four answers in this article: http to https apache redirection. Nothing works, all infinite redirects.
Please try following:
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]
As others said, If you share you config file, it would be more easy to answer. Probably, some config cause a loop.
My problem was a WordPress plugin...
Solution: Set Paid Memberships Pro Stripe Gateway "force SSL" setting to "No"
Considerations that got me here:
1. EVERY suggestion for configs works, my config files work on nearly 100 sites I manage.
2. I have a near-identical WP site to this and it works.
3. I started re-activating plugins one by one.
The problem I found:
On first activation, Paid Memberships Pro detects http or https, then permanently disables "force SSL" setting on an https site. My working site had this happen, so no problem. My broken site had PMP installed on http, then I got the SSL cert later. SSL (Yes via JavaScript) created a non-breaking redirect loop. Turning off "force SSL" did the trick.
Moral of my story: When using WP, deactivate plugins before asking for help.

how to stop to use ssl on tuleap 9.1?

On centos 6, tuleap 9.1, after installation I am only able to access the main page on http, the rest is not available because each links are root on https. Is there's a way to deactivate ssl completely?
I installed all, now can access to the first presentation page, but only if I use http and not https. Problem all the rest of the link of page ( create account, connexion etc...) redirect to https. I already try to deactivate https without success.
Can anyone can help to disable https and is stopping using ssl definitely can generate issue when using this tool?
You could force your website to only load on HTTP through your .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} =on
RewriteRule ^(.*)$ http://www.{HTTP_HOST}%{REQUEST_URI} [R=302,L,NE]
I've included www in the Rewrite, if you don't want that then you can remove that section. I've also set R=302so that it is a temporary redirect. Set this to R=301 once you know it is working, as that will make it permanent.
Make sure you clear your cache before you test this.

Only allow redirects within the same domain with mod_rewrite

I would like to limit any redirects to URLs within the same application. Is this possible with ISAPI Rewrite (mod_rewrite for IIS)? Basically I want to prevent against open redirection attacks.
One example is where a URL may come from a query string, or some other source. I want to check that any use of that URL, for a redirect, is only permitted if it's within the same domain. For example: Response.Redirect("some URL");
Mine is an ASP.NET application, running under IIS 6.
You can try to use the following to check the domain in query string and show 403 Forbidden if it's an external one:
RewriteBase /
RewriteCond %{QUERY_STRING} !^.*yourdomain.com.* [NC]
RewriteRule .? - [F]
You'll need to do that check on ASP.NET side, not to allow redirects outside your domain. Once redirect instruction is sent to client, your server will never get another chance to bump in because client will immediately go to other domain.
If you don't control ASP.NET code of this application you may try to use Helicon Ape (instead of ISAPI_Rewrite). Helicon Ape has more features and also offers outbound response rewrites, so it may intercept "redirect" response of your application before it is sent to client. Two options are available:
mod_header with "Header" directive;
mod_replace with "HeaderReplacePattern" directive

using proxy instead of redirection with htaccess rewriteRule

I'm developing a webapp and for the static files I'm simply using apache at localhost while the backend is on a couchdb instance running at localhost:5984.
The webapp interacts with files from the backend all the time. So what is happening when trying to test on apache all file requests to localhost:5984 are getting blocked due the cross-domain policy so the only way to get that working is starting the browser by setting flags to ignore that.
But again I get stuck when trying to test the app on mobile such ipad or iphone.
Currently I have this on my .htaccess file.
RewriteEngine on
# these are 302 http redirections instead of serving as a proxy
RewriteRule auth http://localhost:5984/auth [L]
RewriteRule db/([\s\S]+) http://localhost:5984/db/$1 [L]
RewriteRule send/([\s\S]+) http://localhost:5984/send/$1 [L]
# these are just redirections to static files and work great
RewriteRule ^([a-z/.]+) _attachments/$1 [L]
RewriteRule ^$ _attachments/ [L]
As you can see I have really no idea on how to deal with apache configuration unfortunately.
But what is happening right now is that for some of these rules apache is simply redirecting the page instead of provide it as a proxy server which causes the issue with cross-domain.
Also on the first auth rule I send POST and DELETE requests which as a redirection instead of proxy it won't pass the data being POSTed through.
So what I would like to achieve is to activate some kind of feature (if it exists) which will make apache simply render the page as it was on the localhost domain instead of redirect it. (I named this a a proxy, but perhaps that's not even the right term, sorry for any mistake committed with the nomenclatures).
Is is possible to achieve such action?
Thanks in advance
Have a look at these links / options:
[P] flag:
http://httpd.apache.org/docs/current/rewrite/flags.html#flag_p
http://httpd.apache.org/docs/current/rewrite/proxy.html
mod_proxy (possibly -- but I think #1 should be enough if it's on the same server):
http://httpd.apache.org/docs/current/mod/mod_proxy.htm

How do I send users to a different "site" in Apache while also using mod_proxy?

I have a web site that I administer that uses Apache 2.0 on the front with Tomcat 6 on the back-end (with mod_proxy proxying the connection between the two).
I want to be able to use the same VirtualHost to also access the phpMyAdmin application running on the box. So, for example, www.mywebsite.com will pass all traffic to Tomcat, but www.mywebsite.com/myadmin (with obvious security) will pass traffic to phpMyAdmin.
How about using mod_rewrite instead of mod_proxy?
You can use the P modifier to send certain request (i.e. all those that aren't to /phpmyadmin*) through a proxy. This actually uses mod_proxy internally.
Something like this (not tested):
RewriteCond %{REQUEST_URI} !^/phpmyadmin
RewriteRule ^.*$ http://tomcat/$0 [P,L]