Hello,
Here is the output of "apachectl -S" command:

# apachectl -S
#

And I changed the config as below:

<VirtualHost *:80>
    RequestHeader unset X-is-ssl
    RewriteEngine on
    RewriteRule ^(.*)$ https://www.example.net%{REQUEST_URI} [R=permanent,L,NE]
</VirtualHost>

## Send all traffic on port 443 which isn't the primary domain to the primary domain
## This implicitly picks up the IP for the host, the actual hostname OR the unqualified domain name example.com

<VirtualHost *:443>
    RewriteEngine on
    RewriteRule ^(.*)$ https://www.example.net/%{REQUEST_URI} [R,L,NE]
</VirtualHost>

<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    ServerAdmin root@localhost
    ServerName www.example.net
    ServerAlias www.example.net
    ## Do not use Server Alias here for alternative domains - only use for test/dev sites...
    DocumentRoot /var/www/wp
    <Directory "/var/www/wp">
        Options Indexes FollowSymLinks
        AllowOverride all
        Require all granted
    </Directory>
    ErrorLog /var/log/httpd/wordpress_error.log
    CustomLog /var/log/httpd/wordpress_access.log common
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.net [OR]
    RewriteCond %{SERVER_NAME} =www.example.net [OR]
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    Redirect permanent / https://www.example.net
    TraceEnable off
    ServerSignature Off
</VirtualHost>

But when I restarted the Apache service and visited my website, it showed me an error about privacy, and after that the Apache test page was shown.
I have an SSL conf file too:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin root@localhost
    ServerName example.net
    ServerAlias www.example.net
    DocumentRoot /var/www/wp
    <Directory "/var/www/wp">
        Options Indexes FollowSymLinks
        AllowOverride all
        Require all granted
    </Directory>
    ErrorLog /var/log/httpd/wordpress_error.log
    CustomLog /var/log/httpd/wordpress_access.log common
    SSLEngine On
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.net/privkey.pem
</VirtualHost>
</IfModule>

Does it need any change too?

Thank you.

On Monday, October 12, 2020, 11:11:11 PM GMT+3:30, Frank <thumbs@xxxxxxxxxx> wrote:

Yes, it does: Redirect 301 or RedirectPermanent. Please review the docs before answering.

On 12/10/20 02:04 PM, James Smith wrote:
> Redirect doesn't allow you to distinguish between 301s and 302s which you can do with mod_rewrite {very useful feature tbh when it comes to bits like this} - the user is using WordPress so will almost certainly be using mod_rewrite to handle the nice URLs....
>
> As for the issue without a server name - you don't need one in the 800 unless you are doing something clever - as for the redirects it doesn't break but you can put one in - just make sure that it is included first!
> -----Original Message-----
> From: Frank <thumbs@xxxxxxxxxx>
> Sent: 12 October 2020 18:10
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: Forwarding IP to HTTPS. [EXT]
>
> James,
>
> Unless the user has many hosts, I would recommend against using mod_rewrite here. It isn't needed. And your vhost should include an explicit ServerName directive.
>
> On 12/10/20 11:56 AM, James Smith wrote:
>> So I would do this for the virtual host sections – assuming you are
>> only running ONE externally facing website – there are other things
>> you would need to do if you were running multiple ones
>>
>> ## Send all traffic on port 80 to the primary domain over SSL…
>>
>> <VirtualHost *:80>
>>     RequestHeader unset X-is-ssl
>>     RewriteEngine on
>>     RewriteRule ^(.*)$ https://www.example.com%{REQUEST_URI} [R=permanent,L,NE]
>> </VirtualHost>
>>
>> ## Send all traffic on port 443 which isn't the primary domain to the primary domain
>> ## This implicitly picks up the IP for the host, the actual hostname OR the unqualified domain name example.com
>>
>> <VirtualHost *:443>
>>     RewriteEngine on
>>     RewriteRule ^(.*)$ https://www.example.com/%{REQUEST_URI} [R,L,NE]
>> </VirtualHost>
>>
>> <VirtualHost *:443>
>>     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
>>     ServerAdmin root@localhost
>>     ServerName www.example.com
>>     ## Do not use Server Alias here for alternative domains - only use for test/dev sites...
>>     DocumentRoot /var/www/wp
>>     <Directory "/var/www/wp">
>>         Options Indexes FollowSymLinks
>>         AllowOverride all
>>         Require all granted
>>     </Directory>
>>
>>     ## Put the rest of your wordpress stuff here...
>> </VirtualHost>
>>
>> From: Jason Long <hack3rcon@xxxxxxxxx.INVALID>
>> Sent: 12 October 2020 16:39
>> To: users@xxxxxxxxxxxxxxxx
>> Subject: Re: Forwarding IP to HTTPS. [EXT]
>>
>> Excuse me,
>>
>> Can you clean my configuration?
>>
>> On Monday, October 12, 2020, 07:06:17 PM GMT+3:30, Frank <thumbs@xxxxxxxxxx> wrote:
>>
>> James,
>>
>> Omitting an explicit ServerName in name-based vhosts is a bad idea as
>> well. You can create conflicts or ambiguities.
>>
>> On 12/10/20 11:22 AM, James Smith wrote:
>>> This would be my set-up in your case - note as someone said it was too complex I've removed the extra security bits I'd left in by accident...
>>>
>>> ## Port 80 && 443 default configs...
>>>
>>> <VirtualHost *:80>
>>>     RequestHeader unset X-is-ssl
>>>     RewriteEngine on
>>>     RewriteRule ^(.*)$ https://www.mydomain.com%{REQUEST_URI} [R=permanent,L,NE]
>>> </VirtualHost>
>>>
>>> <VirtualHost *:443>
>>>     RewriteEngine on
>>>     RewriteRule ^(.*)$ https://www.mydomain.com/%{REQUEST_URI} [R,L,NE]
>>> </VirtualHost>
>>>
>>> ## Port 443 default - this is our main server...... so your main apache config stuff should be in here with SSL configured correctly..
>>>
>>> <VirtualHost *:443>
>>>     ServerName www.mydomain.com
>>>     ...
>>>     ...
>>>     ...
>>>     ...
>>>     ...
>>> </VirtualHost>
>>>
>>> If you have more than one domain then you will need to add rules on
>>> port 80 to preserve the hostname & also blocks for each additional
>>> domain
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>> -- The Wellcome Sanger Institute is operated by Genome Research
>> Limited, a charity registered in England with number 1021457 and a
>> company registered in England with number 2742969, whose registered
>> office is
>> 215 Euston Road, London, NW1 2BE.
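
Added example (not part of the thread and not any poster's configuration): one vhost layout in which every vhost has an explicit ServerName and every port-443 vhost terminates TLS itself, as the replies above ask for. It assumes the certificate at the paths posted in the thread covers both example.net and www.example.net, and that mod_ssl, mod_alias and mod_headers are loaded.

```apache
# Added example. Names and paths are the ones posted in the thread; the layout is an assumption.

# Port 80: the only vhost on this port, so it also answers requests made by IP.
<VirtualHost *:80>
    ServerName www.example.net
    ServerAlias example.net
    Redirect permanent / https://www.example.net/
</VirtualHost>

# Port 443 catch-all. Listed first, so it is the default for any Host/SNI that
# matches no other *:443 vhost (bare IP, example.net). SSLEngine defaults to
# off, so this vhost needs its own TLS directives before it can redirect.
# A client that connects by IP still gets a certificate name-mismatch warning
# first, because the certificate names example.net, not the address.
<VirtualHost *:443>
    ServerName example.net
    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile    /etc/letsencrypt/live/example.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.net/privkey.pem
    Redirect permanent / https://www.example.net/
</VirtualHost>

# Port 443 canonical site. Define this name in one file only: a second
# *:443 vhost claiming www.example.net elsewhere makes the match ambiguous.
<VirtualHost *:443>
    ServerName www.example.net
    ServerAdmin root@localhost
    DocumentRoot /var/www/wp
    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile    /etc/letsencrypt/live/example.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.net/privkey.pem
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    <Directory "/var/www/wp">
        # Indexes left out here: directory listings are not needed to serve the site
        Options FollowSymLinks
        AllowOverride all
        Require all granted
    </Directory>
    ErrorLog /var/log/httpd/wordpress_error.log
    CustomLog /var/log/httpd/wordpress_access.log common
</VirtualHost>
```

After editing, "apachectl configtest" checks the syntax and "apachectl -S" lists the vhosts per port; each name should appear once per port, with the catch-all shown as the default server for *:443.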