Simplest way to get MediaWiki to require HTTPS on all pages? - apache

I need a MediaWiki installation to require the use of https (and reject normal http). I've spent 2 hours looking. Setting $wgServer doesn't work and closing port 80 in httpd.conf doesn't work either.
My wiki installation is run on an Apache server.

I've just done this on Ubuntu 14 (for the first time today, so there may be a better way!) by setting
$wgServer = "//myhostname.com/mediawiki";
This makes the server name "protocol relative" so it works with either HTTP or HTTPS. You can probably just set it to https://... though.
Then configure apache2 to redirect all HTTP traffic to HTTPS:
Edit the default SSL configuration (this assumes you are just using the default site):
sudo vim /etc/apache2/sites-available/default-ssl.conf
to read something like:
# Redirect HTTP to HTTPS
<VirtualHost *:80>
ServerAdmin admin@example.com
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>
# Normal HTTPS config for default site
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
ServerAdmin admin@example.com
ServerName example.com
DocumentRoot /var/www/html/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Enable the default SSL site, if you haven't already (this creates a link from sites-enabled to sites-available)
sudo a2ensite default-ssl
This assumes that you have already obtained an SSL certificate (I generated a self-signed one) which has been placed in /etc/apache2/ssl/apache.pem and /etc/apache2/ssl/apache.key as referenced in the config above.
Finally get apache to use the new config:
sudo service apache2 restart
(Or reload may be enough)

My answer assumes that you already have Apache listening for https traffic on port 443. If that's not the case, you need to set that up first. The procedure will be different depending on what operating system you are running.
You want to do this in Apache. On my Ubuntu system, there's a file /etc/apache2/ports.conf which contains the following line:
Listen 80
You will have a similar config file that contains that line. Delete it, and don't forget to restart Apache.
Another way to accomplish this, which allows for more complex Apache configurations where you allow HTTP access to some parts of the site, is to use a .htaccess file in your MediaWiki directory. Try this:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Given that your web server is set up to support https in general, insert or update the following line in your LocalSettings.php configuration file of MediaWiki:
$wgForceHTTPS = true;
This redirects all queries using http to https and is an alternative to a redirect rule in the web-server configuration.
See also:
$wgForceHTTPS
MediaWiki HTTPS Manual

Related

Best options for Apache server to access only www version of URL

What are all of the options to access only the www version of a URL e.g. https://www.example.com. The website in question has 150 pages and we need to ensure all traffic resolves to the www version.
Example: All options for this URL https://example.com to resolve to https://www.example.com.
I’ve used an .htaccess redirect in the past, but the question is are there any other options and which is the best option

You have a tag of Apache, so I assume you are running a reasonably recent version of Apache.
You can handle it with Apache Virtual Hosts. You will set up two files:
/etc/apache2/sites-available/www.example.com.conf
<VirtualHost *:80>
ServerName www.example.com
DocumentRoot /var/www/...
...
</VirtualHost>
/etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://www.example.com/
...
</VirtualHost>
In Apache you then need to enable both sites:
a2ensite www.example.com
a2ensite example.com
service apache2 reload
The first file sets up the main website: www.example.com, which directs Apache to load the DocumentRoot directory when it comes in.
The second file indicates that when example.com comes in on Port 80 - redirect to the https://www.example.com. Be sure to set the http or https depending on whether it is secure.
This kind of redirect causes the browser to change the address in the browser bar, which is the best redirect for what you are looking to do.

Apache config issue - redirect all traffic to https using Apache

I'm struggling tremendously with the concept of webservers. I will describe my desired solution and current situation as clearly as possible.
I have an on-premise server, where Debian is running. I have installed several pieces of software on the server, including a full LAMP stack, Kibana, ThingsBoard etc. We got a public IP and recently acquired a domain, let's say apachenoob.com.
I can access my applications via a web browser at <ip>:<port> or apachenoob.com:<port>. However, I want those applications to run over HTTPS, so I acquired a free SSL certificate with Certbot. Now https://apachenoob.com is working and showing the default Apache homepage.
What I want are a few things:
Instead of apachenoob.com:9090 I want users and myself to go to thingsboard.apachenoob.com, or other URLs for other applications than ThingsBoard.
MY SOLUTION:
Add the following line to /etc/apache2/apache2.conf:
LoadModule rewrite_module modules/mod_rewrite.so
Add the following thingsboard.conf to /etc/apache2/sites-enabled/ (Debian):
<VirtualHost *:443>
ServerName thingsboard.apachenoob.com
ProxyPreserveHost On
SSLEngine on
ProxyPass / http://localhost:9090/
ProxyPassReverse / http://localhost:9090/
SSLCertificateFile /path/to/cert/file
SSLCertificateKeyFile /path/to/key
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
<VirtualHost *:80>
ServerName thingsboard.apachenoob.com
Redirect / https://thingsboard.apachenoob.com/
</VirtualHost>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://thingsboard.apachenoob.com/$1 [R,L]
</IfModule>
I want to disable traffic to the IP (and optionally port number) or redirect everything to https://apachenoob.com
Less important: I developed an API using Python and Flask and got it to run over the MOD_WSGI module. But, it is also running over HTTP, where HTTPS is the goal.
For the first, I tried adding VirtualHosts, in separate files and in the main apache2.conf, no result (as described in several posts). Someone even told me the application might have its own internal web server (HELP?!).
For the second, I tried redirecting rules (described here), both in the main config and in separate files, no result.
For the third, I haven't even begun trying things as I'm feeling lost in a swamp of apache.
By all means, if this makes no sense please tell me and I will try to clarify.

For point 1, you need something like this (put it in a file named thingsboard.conf in the folder sites-enabled/ and add the correct path to the certificate/key):
<VirtualHost *:443>
ServerName thingsboard.apachenoob.com
ProxyPreserveHost On
SSLEngine on
SSLCertificateFile ...
SSLCertificateKeyFile ...
ProxyPass / http://localhost:9090/
ProxyPassReverse / http://localhost:9090/
</VirtualHost>
<VirtualHost *:80>
ServerName thingsboard.apachenoob.com
Redirect / https://thingsboard.apachenoob.com/
</VirtualHost>

Cannot Stay Logged in to PhpMyAdmin after Installing SSL Certificate

After installing the SSL Cert for my domain, I can no longer stay logged in to PhpMyAdmin remotely via SSH.
Before SSL:
PHP-based migrated to a fresh Bitnami LAMP Stack deployed and hosted with Google Cloud Platform.
I updated to PMA 4.6.5.1
I successfully used Putty to tunnel from http://127.0.0.1:8888/phpmyadmin to http://localhost:80/phpmyadmin on the server using local 127.0.0.1:8888 --> remote localhost:80
After SSL:
SSL installed via Comodo's generic Linux Apache directions here. (bitnami.conf changes shown below)
Web app is publicly accessible via https://EPHEMERAL_IP_ADDRESS/ (and redirect from http://EPHEMERAL_IP_ADDRESS/ to http://EPHEMERAL_IP_ADDRESS/)
Previously accessible on live server https://my.domain/ (and redirects from http://my.domain/ to https://my.domain), but I haven't swapped IPs yet so ServerName might be an issue?
I added local 127.0.0.1:8383 --> remote localhost:443 to my Putty configuration.
I can access https://127.0.0.1:8383/phpmyadmin and log in. But as soon as I click anything (e.g. a database name) within PMA, I am booted out to the PMA login screen.
Changes made to /opt/bitnami/apache2/conf/bitnami/bitnami.conf:
<VirtualHost _default_:80>
DocumentRoot "/opt/bitnami/apache2/htdocs"
RewriteEngine On #added
RewriteCond %{HTTPS} !=on #added
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L] #added
<Directory "/opt/bitnami/apache2/htdocs">
...
</VirtualHost>
...
<VirtualHost _default_:443>
DocumentRoot "/opt/bitnami/apache2/htdocs"
ServerName mydomain.com:443 #added
ServerAdmin my@email.address #added
SSLEngine on
SSLCertificateFile "/path/to/my_domain.crt" #changed
SSLCertificateKeyFile "/path/to/myserver.key" #changed
SSLCACertificateFile "/path/tof/my_domain.ca-bundle" #added
...
</VirtualHost>
Essentially: I turned on SSL per client specification, but this has broken my PMA access. Any help is greatly appreciated!

SO's suggestion Installing SSL certificate breaks phpmyadmin with 403 error came through for the win:
While I simply accessed PMA from a different browser, the more commonly applicable solution is deleting the specific PMA cookies. (HT Isaac Bennetch)
See here for specifics on how to delete specific cookies in various browsers.

htaccess redirect NOT working for HTTPS - 400 Bad Request Apache 2.4.6

I have just installed SSL certs on a variety of sites. They work fine if I go directly to the https version of the site, but when I go to the http version, I get: "Reason: You're speaking plain HTTP to an SSL-enabled server port."
This is what SHOULD work but does NOT...
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Nor does any version of it
!=on =80 !=443, etc.
I even tried putting this in the vhost.conf file on the server.
My developers and I are out of ideas and we, shockingly, cannot find anything with the almighty Google to help us. Anyone have any thoughts?

Have you tried these from the Apache HTTPD wiki?
https://wiki.apache.org/httpd/RedirectSSL
https://wiki.apache.org/httpd/RewriteHTTPToHTTPS

OK, so in case others come across this issue, I wanted to update now that I've finally fixed it. For us, we had some other stuff in our vhost.conf file that was interfering. Once I wiped it out and took some of this other advice, this is the code that ended up working in vhost.conf. The .htaccess file now has nothing in it as it is not needed.
## -- VIRTUAL HOSTS -- ##
NameVirtualHost *:80
<VirtualHost *:80>
ServerName dev.example.net
Redirect permanent / https://dev.example.net/
</VirtualHost>
<VirtualHost *:443>
#-SERVER CONFIG-#
ServerAdmin webmaster@example.net
ServerName dev.example.net
ServerAlias dev.example.net
DocumentRoot /var/www/html/example
#-SSL-#
SSLEngine On
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile /etc/httpd/conf/ssl.crt/...
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/...
SSLCACertificateFile /etc/httpd/conf/ssl.crt/...
SSLCertificateChainFile /etc/pki/tls/certs/...
SSLCACertificateFile /etc/pki/tls/certs/...
#-LOGGING-#
ErrorLog /var/www/html/example/error_log
</VirtualHost>

I am using these rewrite rules to redirect my http request to https on my application with SSL certs.
RewriteEngine Off
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

I think your problem comes very early, even before mod_rewrite is applied on the request.
Your VirtualHost listening on port 80 is an https virtualhost, but browsers are trying to speak plain http on port 80, and that does not work.
On Apache, SSL is activated with:
SSLEngine on
This instruction should only be activated for your Virtualhost listening on *:443 (or any variations of something:443).
You should add some Virtualhost listening on port 80, supporting a bunch of ServerName and ServerAlias that could be used on that server (or maybe all the names, by ensuring this Virtualhost is the default one for port 80), and whose only job is to redirect on port 443.
Here you can use the links provided by @Anand Bhat to perform this task (and mod_rewrite is not needed).
But all these 'redirect to https' tasks assume that you already have a working Virtualhost where https is not activated. Because if https is activated everywhere, you cannot even start a discussion with the server to receive a redirection; there is no 'plain http' channel to receive this response or even to start asking for something.
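
The mismatch described in this answer (SSLEngine on inside a vhost bound to port 80) can be checked mechanically. The following Python check is an added example, not code from the thread; the sample config is constructed, the function names are illustrative, and it recognises only the mod_alias Redirect form of an HTTP-to-HTTPS redirect, not RewriteRule.

```python
# Added example: flag <VirtualHost> blocks whose port and SSLEngine setting disagree.
import re

# Constructed sample config, not taken from any real server.
SAMPLE = """
<VirtualHost *:80>
    ServerName dev.example.net
    SSLEngine on
</VirtualHost>
<VirtualHost *:80>
    ServerName www.example.net
    Redirect permanent / https://www.example.net/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.net
    SSLEngine on
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the arguments of the first `name` directive, or None if absent."""
    for line in body.splitlines():
        parts = line.strip().split(None, 1)
        if parts and parts[0].lower() == name.lower():
            return parts[1].strip() if len(parts) > 1 else ""
    return None

def audit(config):
    """Return (ServerName, problem) pairs for every misconfigured vhost."""
    findings = []
    for addrs, body in VHOST.findall(config):
        ports = {a.rsplit(":", 1)[1] for a in addrs.split() if ":" in a}
        name = directive(body, "ServerName") or addrs.strip()
        ssl_on = (directive(body, "SSLEngine") or "off").lower() == "on"
        redirect = directive(body, "Redirect") or ""
        if "80" in ports and ssl_on:
            findings.append((name, "SSLEngine on in a port-80 vhost: plain HTTP gets 400"))
        elif "80" in ports and "https://" not in redirect:
            findings.append((name, "port-80 vhost does not redirect to https"))
        if "443" in ports and not ssl_on:
            findings.append((name, "port-443 vhost without SSLEngine on"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```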

Apache Virtualhost Redirect Not Working

I have two simple redirects set up in my virtualhost for a subdomain; one is working, one is not:
<VirtualHost *:80>
ServerName subdomain.site.com
Redirect / https://subdomain.site.com/subdirectory/login.php
</VirtualHost>
<VirtualHost x.x.x.x:443>
ServerName subdomain.site.com
Redirect / https://subdomain.site.com/subdirectory/login.php
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/subdomain.site.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/subdomain.site.com.key
ErrorLog logs/ssl_error_log
CustomLog logs/ssl_access_log common
</VirtualHost>
The first redirect is working. That is, if someone simply types in subdomain.site.com in their browser it redirects to https and to the correct subdirectory. The second redirect is not working. If someone types in https://subdomain.site.com it says "Firefox has detected that the server is redirecting the request for this address in a way that will never complete" and the browser URL becomes "subdomain.site.com/subdirectory/login.phpsubdirectory/login.phpsubdirectory/login.phpsubdirectory/login.php..." instead of redirecting to the correct https://subdomain.site.com/subdirectory/login.php page. Can anyone point me in the right direction?
Edit: I updated the above VirtualHosts file to the newer version and the problem has changed so I updated the problem description as well.

Alright, none of the answers above worked so I had to keep working on this. Ultimately I removed the redirect line from the :443 virtualhost section and added the following two lines to the same section to get this to work correctly:
RewriteEngine On
RewriteRule ^/$ https://subdomain.site.com/subdirectory/login.php [R=301,NC,L]
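
Why the Redirect in the :443 vhost never completes while the anchored RewriteRule does, as an added Python model (not Apache's code and not from the thread): mod_alias Redirect matches / as a prefix of every path and appends the remainder of the path to the target, whereas ^/$ matches only the bare root. The function names are illustrative.

```python
# Added illustration: simplified model of mod_alias "Redirect" prefix matching
# versus an anchored RewriteRule. This is not Apache's implementation.
import re

HOST = "https://subdomain.site.com"
TARGET = HOST + "/subdirectory/login.php"

def alias_redirect(path, prefix="/", target=TARGET):
    """Redirect <prefix> <target>: prefix match, leftover path appended to target."""
    if not path.startswith(prefix):
        return None                      # directive does not apply
    return target + path[len(prefix):]   # remainder is glued onto the target

def rewrite_root_only(path, target=TARGET):
    """RewriteRule ^/$ <target> [R=301,L]: fires only for the bare root URL."""
    return target if re.fullmatch(r"/", path) else None

def follow(rule, path, max_hops=5):
    """Follow same-host redirects as a browser would; return (urls, looped)."""
    chain = []
    for _ in range(max_hops):
        location = rule(path)
        if location is None:
            return chain, False          # request is served, the chain ends
        chain.append(location)
        path = location[len(HOST):]      # path of the next request on this host
    return chain, True                   # still redirecting after max_hops

if __name__ == "__main__":
    rules = (("Redirect /", alias_redirect), ("RewriteRule ^/$", rewrite_root_only))
    for name, rule in rules:
        chain, looped = follow(rule, "/")
        print(name, "-> never completes" if looped else "-> terminates")
        for url in chain:
            print("   ", url)
```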

You have to add this line to the top of the file:
NameVirtualHost x.x.x.x:443 or domain name:443
Check your Apache version.

You have to add this line to the top of the file:
NameVirtualHost x.x.x.x
and
Listen 80
Listen 443
Regards

If you are on Ubuntu (I mean a Debian-based Linux distro), in your /etc/hosts you should define a line like the one below:
127.0.0.1 yourdomain
and then make a new file for your new site configuration in:
/etc/apache2/sites-available/
and name it like your domain name .conf, just so you don't forget what that conf file is for.
Then enable the new conf with the following command:
a2ensite your_conf_name
Then restart Apache.
Now your new site configuration is ready.
Now look at the following link:
http://httpd.apache.org/docs/2.2/bind.html
You have to mention that your Apache should listen on multiple ports,
in your case 80 and 443.
If you are using SSL, you should change the default-ssl.conf settings like this:
<VirtualHost *:443>
ServerName subdomain.site.com
ServerAlias subdomain.site.com
DocumentRoot /var/www/html/subdomain.site.com