ssl + nginx + apache + php: links are still displayed as http, not https - apache

I am using VBulletin Suite 4.1.4., which is written using PHP and nginx+apache setup (nginx as the front end server and Apache as the back-end server). This is a pretty standard "nginx+apache" configuration with nginx working on port 80 and apache on port 8080. I tried to enable https support and ran into the following problem.
As I read on the web, when one uses "nginx+apache" and wants to have https, he should configure ssl only for nginx server. So, I added required lines into nginx vhost configuration
listen 443;
server_name myserver.org;
ssl on;
ssl_certificate /tmp/myserver.crt;
ssl_certificate_key /tmp/myserver.key;
When I type https://.... the vBulletin forum opens in secure connection and the lock in the right bottom corner of the browser confirms it, so it looks like my settings work. At least to some extent.
But when I bring the mouse over links on the page, these links are showed as http links, not https. So, if I want to stay in secure connection, I can of course add the letter "s" manually each time I open a new page, but normally when you open forum as https://... all displayed links should automatically change to https.
Any ideas why this does not happen?
Even the answer where the problem lies - (a) in nginx configuration, or (b) in apache configuration or (c) in vbulletin configuration would help.
Thanks in advance!

The problem is that vBulletin running on apache detects the HTTP protocol, not HTTPS. But, you can change vbulletin settings in the admin panel in the following way:
Forum URL to 'https://your-site.name'
Always use Forum URL as Base Path to 'yes'

Related

Apache 2.4 https Reverse Proxy not working

Trying to reverse proxy with https only. All though the ssl & https works with the chosen domain, it is directing to the apache root not the desired reverse proxy server.
So far Ive got the server to force https when http is used. I rewrite www to non www. Ive had reverse proxy work fine when its just http but https goes to the "it works" root file with a green lock.
Any ideas?
So i solved this issue at the last hour. But where i am confused is i solved this by manipulating the config files and using the defualt text. Not by adding my own virtual hosts and injecting code at the bottom like the old days or blogs would suggest. I added proxy rules into the proxy config file. Added cert paths into the ssl config file and that seemed to take over randomly pasting code into http config as it might be sugested elsewhere on the net.

apache redirect to SSL configured site

I am trying to setup a gitlab repository and I am quite new to the web server side of things. My setup is the following:
I have an apache server which is running my main website on port 8080.
I have the gitlab configured with SSL and Nginx and running on port 2443.
At the moment, the gitlab site can be accessed through https://www.example.com:2443.
What I would like to do is setup a redirect through my apache server where if someone comes to http://www.example.com/gitlab or https://www.example.com/gitlab, they get redirected to ``https://www.example.com:2443` (preferably without the web browser text field changing).
Could this be done easily with Apache? Also, since the redirect is to an SSL site, any special things we need to consider?
You can try adding the redirect directive to your Apache VirtualHosts (8080 and 443).
Redirect permanent /gitlab https://www.example.com:2443

How to get tomcat to send redirects as https urls when apache handles ssl

I'm a bit out of my depth here and nothing I have found quite addresses my problem. Si any and all suggestions are most welcome.
I've got tomcat6 running on CentOS 6.5 hidden behind an apache server (v2.2.15) and I am using Apache's mod_proxy to expose the tomcat webapps, which are running on port 8080. The tomcat hosts one production application and several development applications. On the apache side, both a Drupal site and the aforementioned tomcat production application are on the same domain and, thanks to rewrite rules, all requests to this domain are changed to https. The development sites are reached via subdomains and do not get re-written as https requests.
For the most part, this arrangement works fine. But parts of the tomcat apps are AJAX (calling a Java Struts 1.2 backend). Most of those requests are handled OK. But a few AJAX requests result in redirects (i.e., forward.setRedirect(true)) and that redirect is http (I guess because the container itself is not secure). As a result, I run into cross site scripting issues. I imagine I can use CORS headers to avoid the problem. But that seems like a hack. Is there a relatively painless way I can use to have tomcat send redirects back as https without making tomcat handle ssl directly?
Cris
You could configure the RemoteIpValve in Tomcat:
Another feature of this valve is to replace the apparent scheme
(http/https) and server port with the scheme presented by a proxy or a
load balancer via a request header (e.g. "X-Forwarded-Proto").
To configure Apache to forward the original protocol in the X-Forwarded-Proto header, add a RequestHeader directive in your Apache config, e.g.:
<VirtualHost *:443>
RequestHeader set X-Forwarded-Proto "https"
...
Note that in Tomcat 7, there is also a RemoteIpFilter.
You don't need to do anything special. It already works. Make sure you set the "redirectPort" in server.xml to Apache's HTTPS port, usually 443, and add the following to your <security-constraint> sections for resources you want secured by HTTPS:
<user-data-constraint>
<description>HTTPS</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</‌​user-data-constraint>
Late to the game here but others may find this-- we had a similar setup and issue where everything worked fine until the application started using ajax posts which did redirects for the response. The fix was to use mod_header in apache to rewrite redirects using "Header edit Location"
http://httpd.apache.org/docs/current/mod/mod_headers.html
Header edit Location ^http://www.example.com/ https://www.example.com/
This went unnoticed prior to the ajax redirects because the browser has no problem doing page level redirects to http (which apache would then redirect back to https). But the ajax cross-site prevention halts at the initial http missing out on that would then be redirected to https by a subsequent request.

How to disable Owncloud https redirect?

I installed Owncloud on Ubuntu 12.04 with an apache server. I use ssl for authentication but when sharing links and data it is cumbersome for the user to accept the self signed certificate. Is there a way to disable the automatic redirect to https? I did not see any related commands in the .htaccess file.
Thanks
SSL is enforced by the OwnCloud installation routine in your Web server as a rewrite rule. Unchecking the box in the OC FrontEnd won't help. This can be regarded as bug.
To change this, you will have to edit your Web server config. For instance, if you chose nginx as your Web server, uncomment the https rewrite rule in your nginx config file.
Open your config file in an editor:
sudo emacs /etc/nginx/sites-enabled/default
For Apache it should be somewhere in /etc/httpd/conf.d/ssl.conf
Comment out or change the lines containing (this is for nginx):
the server block containing the redirect
change listen 443 ssl to listen 80
ssl_certificate and ssl_certificate_key
fastcgi_params HTTPS on
Re-Read the nginx config files:
sudo kill -HUP `cat /var/run/nginx.pid`
For other servers see:
http://doc.owncloud.org/server/5.0/admin_manual/installation/installation_others.html
There should be a setting in the "Admin" section when logged in as administrative user ("Force SSL") for exactly that.

Joomla ssl problem

I have a site on joomla and I want to make some specific pages works by secure connection ,
other by simple http connection. Is there some step-by-step manual how to setup apache and joomla for such needs.
You must create a two Apache configuration for this site. One for port 80 (http), and the other for 443 (https). In the settings menu in the admin panel to specify "ssl enabled" to the desired value.
There's a Joomla Plugin called SSL Redirect plugin by Yireo software that might simplify the setup if some parts of the site are SSL and some not.
http://joomlawebhosting.ca/joomla-15-tips/63-joomla-ssl-https-setup.html
http://www.joomlahackers.net/joomla-tutorials/how-to-setup-ssl-in-a-joomla-site.html
http://www.joomlahackers.net/virtuemart-tutorials/how-to-setup-ssl-in-virtuemart-in-a-joomla-site.html