Apache Force Re-Direct to HTTPS

Carter Sema

So, guac is configured to use Let’s Encrypt for an SSL cert and it works great. But my unsecured version is still open. My Apache configuration is set to redirect to HTTPS, but guac doesn’t seem to be listening, or my Apache rules are incorrect.

 

My current Apache config is listed below.

<VirtualHost *:80>
      # redirect to https
      Redirect permanent / https://myURL
</VirtualHost>

<VirtualHost *:443>
      # LogLevel info ssl:warn
      ErrorLog ${APACHE_LOG_DIR}/error.log
      CustomLog ${APACHE_LOG_DIR}/access.log combined

      # Enable SSL for this virtual host.
      SSLEngine on
      SSLCertificateKeyFile /etc/letsencrypt/live/myurl.org/privkey.pem
      SSLCertificateFile /etc/letsencrypt/live/myurl.org/cert.pem
      SSLCertificateChainFile /etc/letsencrypt/live/myurl.org/chain.pem

      # Configure proxy with tomcat
      ProxyPreserveHost On
      ProxyRequests Off
      ProxyPass / http://localhost:8080/
      ProxyPassReverse / http://localhost:8080/
</VirtualHost>

 

After doing some searching I found that I needed to add this to my configuration. But it didn’t seem to work, and my rewrite module has been enabled.

      RewriteEngine On
      RewriteCond %{HTTPS} On
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 

I know this is a simple question, but would anyone have advice or a suggestion?

 

Thanks!

 

Carter Sema

Network Support Specialist

[hidden email]

Re: Apache Force Re-Direct to HTTPS

vnick
On Mon, Oct 16, 2017 at 3:42 PM, Carter Sema <[hidden email]> wrote:

So, guac is configured to use Let’s Encrypt for an SSL cert and it works great. But my unsecured version is still open. My Apache configuration is set to redirect to HTTPS, but guac doesn’t seem to be listening, or my Apache rules are incorrect.

My current Apache config is listed below.

<VirtualHost *:80>
      # redirect to https
      Redirect permanent / https://myURL
</VirtualHost>

Is there another VirtualHost directive elsewhere in your Apache config that might be overwriting this?  Are you able to access Guacamole via HTTP, or does it just go to some other generic HTML content?

If you are able to access Guacamole via HTTP (vs. static content), make sure you don't have any other ProxyPass/ProxyPassReverse directives in any other Apache config files, as those might take precedence over the Rewrite conditions. You should only need those ProxyPass directives in your <VirtualHost *:443> directive.

Finally, you always have the option of firewalling port 80 on your Apache host - it isn't as user-friendly, but it keeps people from using HTTP :-).

-Nick

Re: Apache Force Re-Direct to HTTPS

Carter Sema
In reply to this post by Carter Sema

I checked my Apache folders and my only site-enabled is my tomcat one, and just to be safe, I deleted the default ones in sites-available, rebooted apache2 and reloaded, still no luck. I can actually access HTTP content such as Guac (not static default tomcat sites) and it works. Any other tricks or ideas?

Do I need to enable Rewrite? The only reason I ask is because on my other ubuntu-apache2-tomcat8 box, I don't have Rewrite enabled, and it works.

I ended up doing what you suggested and blocking my traffic to port 80 as a fix for right now; eventually I will go back and investigate more. As you said, it's not pretty, but it restricts unwanted access on unsecured ports. I'm pretty new to Linux in general but quickly learning. Is blocking ports 80/8080 just as secure as forcing a redirect to HTTPS?





Carter Sema
Network Support Specialist



Re: Apache Force Re-Direct to HTTPS

Nick Couchman
On Mon, Oct 16, 2017 at 10:25 PM, Carter Sema <[hidden email]> wrote:

I checked my Apache folders and my only site-enabled is my tomcat one, and just to be safe, I deleted the default ones in sites-available, rebooted apache2 and reloaded, still no luck. I can actually access HTTP content such as Guac (not static default tomcat sites) and it works. Any other tricks or ideas?

Nothing off the top of my head - clearly something else there is still servicing the traffic on port 80, but I'm not able to spot what it is in the configs you've posted.
 

Do I need to enable Rewrite? The only reason I ask is because on my other ubuntu-apache2-tomcat8 box, I don't have Rewrite enabled, and it works.

I think you should be able to do it without rewrite and with alias, using the Redirect permanent line you have.  According to docs, the Redirect directive is part of mod_alias, so you should only need to enable mod_alias and then put that Redirect permanent / https://<host>/ line in there.
 

I ended up doing what you suggested and blocking my traffic to port 80 as a fix for right now; eventually I will go back and investigate more. As you said, it's not pretty, but it restricts unwanted access on unsecured ports. I'm pretty new to Linux in general but quickly learning. Is blocking ports 80/8080 just as secure as forcing a redirect to HTTPS?

It's certainly no less secure than forcing a redirect - it might be slightly more secure than allowing port 80 through and forcing the redirect, since it's truly blocking all non-SSL/TLS traffic, so there's not anything unencrypted that will get by. Based on your setup, proxying through Apache httpd, I would *definitely* block port 8080 and 8009 from the outside world - my usual practice is to reconfigure Tomcat to only listen on 127.0.0.1 so that the 8080/8009 traffic remains internal to the host, and httpd (or nginx when I use that) is handling all of the requests coming in from the network.

-Nick
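
A way to check the two things this thread leaves open, what actually answers on port 80 and whether Tomcat's 8080/8009 are reachable beyond the loopback interface, as an added example that is not part of the original messages. The function names and the sample outputs are constructed for illustration; `myurl.org` is the poster's placeholder host.

```shell
#!/bin/sh
# Added example: offline checks for the two questions raised in the thread.
# All sample data below is constructed, not captured from the poster's host.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN 0      128    0.0.0.0:80              0.0.0.0:*
LISTEN 0      128    0.0.0.0:443             0.0.0.0:*
LISTEN 0      100    *:8080                  *:*
LISTEN 0      100    127.0.0.1:8009          0.0.0.0:*
LISTEN 0      1      [::ffff:127.0.0.1]:8005 *:*'

SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://myurl.org/'

SAMPLE_PROXIED='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8'

# Read `ss -tln` output on stdin and print every backend port (default:
# 8080 and 8009) that listens on something other than a loopback address.
exposed_backend_ports() {
    awk -v ports="${1:-8080 8009}" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4; port = $4
            sub(/:[0-9]+$/, "", addr)   # address = everything before ":port"
            sub(/^.*:/, "", port)       # port = everything after the last colon
            loopback = (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./)
            if ((port in want) && !loopback && !seen[port]++) print port
        }'
}

# Read response headers (e.g. from `curl -sI http://HOST/`) on stdin; succeed
# only if the status is a redirect and Location points at an https:// URL.
redirects_to_https() {
    awk '
        { sub(/\r$/, "") }              # curl keeps the CRLF line endings
        NR == 1 { status_ok = ($2 ~ /^30[1278]$/) }
        tolower($1) == "location:" { loc_ok = (tolower($2) ~ /^https:\/\//) }
        END { exit !(status_ok && loc_ok) }'
}

# On the real host:
#   apache2ctl -S                      # lists which vhost answers on *:80
#   ss -tln | exposed_backend_ports    # prints nothing when Tomcat is loopback-only
#   curl -sI http://myurl.org/ | redirects_to_https && echo "HTTP redirects to HTTPS"
```

A `200 OK` from the plain-HTTP request, as in the second sample, means some virtual host on port 80 is still proxying to Tomcat rather than issuing the redirect.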