FREE THOUGHT · FREE SOFTWARE · FREE WORLD

Home  »  Htaccess  »  Apache SSL in htaccess examples

by 27 comments

Contents [hide]

Misc SSL Tricks

Fixing double-login

Fixes the double-login problem and making sure authorization usernames/passwords are not sent in cleartext unencrypted when using basic/digest authentication. This code is really, really nice because it fixes multiple issues with almost every other SSL redirect technique in htaccess files. (I discovered this one on my own). See also: Additional https/ssl information

Duplicate Login Prompt Htaccess Code

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "google.com"
ErrorDocument 403 https://google.com

The problem with most techniques is REWRITING the URL.. so if you check the request to see if its being sent on port 443... guess what? in the interim it got sent! Most of the times the double login prompt error happens because users type in http://secureurl.com instead of https://secureurl.com. Most modern browsers automatically request the /favicon.ico file from the resource. In this case the resource is http instead of https like it should be.

Now with some of the other techniques below you can solve this problem, but you will still face a potential ssl security issue. What if a user types in https://secureurl.com:80 There are a lot of these types of weird ways to bypass security so I recommend using the SSLRequireSSL option always.

This will check to make sure that the connection IS using SSL, or it will fail. This works regardless of if your serving SSL on port 443, 80, 81, etc. This is the most secure setting for SSL logins. This also fixes having to type in the username and password twice by requiring the HTTP_HOST to match the HTTP_HOST that your SSL certificate is set-up for, in the case above, the SSL is for https://google.com not https://www.google.com. If any of the required conditions are not met the server returns a 403 Forbidden Status Code (before mod_rewrite starts) and the ErrorDocument directive catches the 403 to send the visitor a Redirect to https://google.com

Using SetEnvIf with SSL

SetEnvIf can be used to set/unset various variables that control apache via .htaccess or httpd.conf.

Disable keep-alive

SetEnvIf User-Agent ".*MSIE.*" nokeepalive

SSL Unclean Shutdown

SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown

Combined keep-alive, ssl-unclean-shutdown

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

CGI Environment Vars for SSL

This can be necessary for some cgi scripts served over SSL.

<directory "/www/askapache.com/cgi-bin/">
SSLOptions +StdEnvVars
</directory>

Htaccess Rewrites

Any htaccess rewrite examples should begin with the following Options and the rewriterules at the top.

Options +FollowSymLinks
RewriteEngine On
RewriteBase /

Rewrite non-HTTPS requests to HTTPS without mod_ssl

Here are several methods to rewrite ssl requests

Depending upon the HTTPS variable

The HTTPS variable is always present, even if mod_ssl isn't loaded!

RewriteCond %{HTTPS} !=on
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

Based upon the SERVER_PORT

The SERVER_PORT variable is always present, and generally SSL runs on certain ports like 443.

RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

Redirect everything on port 80 to SSL

RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

Redirect to HTTPS with SEO 301 Rewrite

RewriteRule ^/normal/secure(/.*) https://%{HTTP_HOST}$1 [R=301,L]

Check if the HTTPS variable is set

RewriteCond %{HTTPS} !=on
RewriteRule ^(/secure/.*) https://%{HTTP_HOST}$1 [R=301,L]

Switch to SSL/NON-SSL with relative urls

This lets you use hyperlinks of the form:
/document.html:SSL --> https://google.com/document.html
and
/document.html:NOSSL --> http://google.com/document.html

RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [R,L]
RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [R,L]

SSL Redirects with the Redirect Directive

Don't forget about the mod_alias redirect directives!

Redirect URL to HTTPS

See also: Redirect with redirectmatch

302 Redirect (Temporary)

Redirect / https://google.com/

SEO friendly 301 Redirect

Redirect 301 / https://google.com/

Redirect URL to HTTPS

See also: Redirect with redirectmatch

Politely requiring SSL client authentication

Source: Requiring SSL client authentication in a user friendly way in Apache. I'm using "require" somewhat loosely here, as that's the first thing we are going to change in our configuration. When you use the SSLVerifyClient directive with the require value, it really means require. So, how do we get around this?We change the SSLVerifyClient directive to the optional value. The key is making optional still mean require. Our goal is to redirect users to help documentation when SSL client authentication fails. We can do this by using mod_rewrite and environment variables from mod_ssl. Here's how to configure this in Apache:

SSLOptions +StdEnvVars
SSLVerifyClient optional
SSLVerifyDepth 3
RewriteEngine On
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
RewriteRule .* /help/ssl-client-auth-required.html [L]

In this configuration, any request that doesn't have a valid client certificate will be redirected to a help file. Optional, yet required politely. Don't forget to be polite internationally, if that is a requirement! You should configure Apache to serve the help document based on the user's language. I'm going to avoid this portion of the topic for now. I'll go into this in a future article.

SSL Environment Variables

The mod_ssl module provides a lot of SSL information as additional environment variables to the SSI and CGI namespace. The generated variables are listed in the table below.

For a full list including sample values, view the Apache Variable Cheatsheet.

Variable Name:Value Type:Description:
HTTPSflagHTTPS is being used.
SSL_PROTOCOLstringThe SSL protocol version (SSLv2, SSLv3, TLSv1)
SSL_SESSION_IDstringThe hex-encoded SSL session id
SSL_CIPHERstringThe cipher specification name
SSL_CIPHER_EXPORTstringtrue if cipher is an export cipher
SSL_CIPHER_USEKEYSIZEnumberNumber of cipher bits (actually used)
SSL_CIPHER_ALGKEYSIZEnumberNumber of cipher bits (possible)
SSL_VERSION_INTERFACEstringThe mod_ssl program version
SSL_VERSION_LIBRARYstringThe OpenSSL program version
SSL_CLIENT_M_VERSIONstringThe version of the client certificate
SSL_CLIENT_M_SERIALstringThe serial of the client certificate
SSL_CLIENT_S_DNstringSubject DN in client's certificate
SSL_CLIENT_S_DN_x509stringComponent of client's Subject DN
SSL_CLIENT_I_DNstringIssuer DN of client's certificate
SSL_CLIENT_I_DN_x509stringComponent of client's Issuer DN
SSL_CLIENT_V_STARTstringValidity of client's certificate (start time)
SSL_CLIENT_V_ENDstringValidity of client's certificate (end time)
SSL_CLIENT_A_SIGstringAlgorithm used for the signature of client's certificate
SSL_CLIENT_A_KEYstringAlgorithm used for the public key of client's certificate
SSL_CLIENT_CERTstringPEM-encoded client certificate
SSL_CLIENT_CERT_CHAINnstringPEM-encoded certificates in client certificate chain
SSL_CLIENT_VERIFYstringNONE, SUCCESS, GENEROUS or FAILED:reason
SSL_SERVER_M_VERSIONstringThe version of the server certificate
SSL_SERVER_M_SERIALstringThe serial of the server certificate
SSL_SERVER_S_DNstringSubject DN in server's certificate
SSL_SERVER_S_DN_x509stringComponent of server's Subject DN
SSL_SERVER_I_DNstringIssuer DN of server's certificate
SSL_SERVER_I_DN_x509stringComponent of server's Issuer DN
SSL_SERVER_V_STARTstringValidity of server's certificate (start time)
SSL_SERVER_V_ENDstringValidity of server's certificate (end time)
SSL_SERVER_A_SIGstringAlgorithm used for the signature of server's certificate
SSL_SERVER_A_KEYstringAlgorithm used for the public key of server's certificate
SSL_SERVER_CERTstringPEM-encoded server certificate

[ where x509 is a component of a X.509 DN: C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email ]

Apache SSL Logging

There are several ways to get the ssl logs setup the way you like.

Custom Log Formats

When mod_ssl is built into Apache or at least loaded (under DSO situation) additional functions exist for the Custom Log Format of mod_log_config. First there is an additional %{varname} extension format function which can be used to expand any variables provided by any module.

Note these can only go in the httpd.conf file, not in .htaccess.

CustomLog Example

CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"

CustomLog Example

CustomLog logs/ssl_access_log commonvhostssl

Custom LogFormat for SSL

These create 2 new log formats you can then use with the CustomLog directive.

LogFormat "%h %l %{SSL_CLIENT_S_DN_Email}x %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"" commonssl
LogFormat "%v %h %l %{SSL_CLIENT_S_DN_Email}x %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"" commonvhostssl

Conditional Logging with SetEnvIf

Based on the request you can choose to log or not to log.

Set dontlog variable for images

This will set the dontlog variable for requests ending in common image extensions.

SetEnvIfNoCase Request_URI .(?:gif|jpe?g|flv|swf|ico)$ dontlog

CustomLog for non-images

This will only log requests when the dontlog variable is not set.

CustomLog logs/ssl_access_log commonvhostssl env=!dontlog

mod_ssl Directives Reference

Extensive information on mod_ssl is provided at: modssl.org: SSL Reference, including information about SSLPassPhraseDialog, SSLMutex, SSLRandomSeed, SSLSessionCache, SSLSessionCacheTimeout, SSLEngine, SSLProtocol, SSLCipherSuite, SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile, SSLCACertificatePath, SSLCACertificateFile, SSLCARevocationPath, SSLCARevocationFile, SSLVerifyClient, SSLVerifyDepth, SSLLog, SSLLogLevel, SSLOptions, SSLRequireSSL, SSLRequire, among other valuable info.

SSLEngine Directive

  • Description : SSL Engine Operation Switch
  • Syntax : SSLEngine on|off
  • Default : SSLEngine off
  • server config, virtual host

This directive toggles the usage of the SSL/TLS Protocol Engine. This is usually used inside a section to enable SSL/TLS for a particular virtual host. By default the SSL/TLS Protocol Engine is disabled for both the main server and all configured virtual hosts.

SSLEngine Example

SSLEngine on

SSLOptions Directive

  • Description : Configure various SSL engine run-time options
  • Syntax : SSLOptions [+|-]option ...
  • server config, virtual host, directory, .htaccess

This directive can be used to control various run-time options on a per-directory basis. Normally, if multiple SSLOptions could apply to a directory, then the most specific one is taken completely; the options are not merged. However if all the options on the SSLOptions directive are preceded by a plus (+) or minus (-) symbol, the options are merged. Any options preceded by a + are added to the options currently in force, and any options preceded by a - are removed from the options currently in force.

Available options

  • StdEnvVars When this option is enabled, the standard set of SSL related CGI/SSI environment variables are created. This per default is disabled for performance reasons, because the information extraction step is a rather expensive operation. So one usually enables this option for CGI and SSI requests only.
  • CompatEnvVars When this option is enabled, additional CGI/SSI environment variables are created for backward compatibility to other Apache SSL solutions. Look in the Compatibility chapter for details on the particular variables generated.
  • ExportCertData When this option is enabled, additional CGI/SSI environment variables are created: SSL_SERVER_CERT, SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAINn (with n = 0,1,2,..). These contain the PEM-encoded X.509 Certificates of server and client for the current HTTPS connection and can be used by CGI scripts for deeper Certificate checking. Additionally all other certificates of the client certificate chain are provided, too. This bloats up the environment a little bit which is why you have to use this option to enable it on demand.
  • FakeBasicAuth When this option is enabled, the Subject Distinguished Name (DN) of the Client X509 Certificate is translated into a HTTP Basic Authorization username. This means that the standard Apache authentication methods can be used for access control. The user name is just the Subject of the Client's X509 Certificate (can be determined by running OpenSSL's openssl x509 command: openssl x509 -noout -subject -in certificate.crt). Note that no password is obtained from the user. Every entry in the user file needs this password: xxj31ZMTZzkVA, which is the DES-encrypted version of the word `password''. Those who live under MD5-based encryption (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5 hash of the same word: $1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/.
  • StrictRequire This forces forbidden access when SSLRequireSSL or SSLRequire successfully decided that access should be forbidden. Usually the default is that in the case where a Satisfy any directive is used, and other access restrictions are passed, denial of access due to SSLRequireSSL or SSLRequire is overridden (because that's how the Apache Satisfy mechanism should work.) But for strict access restriction you can use SSLRequireSSL and/or SSLRequire in combination with an SSLOptions +StrictRequire. Then an additional Satisfy Any has no chance once mod_ssl has decided to deny access.
  • OptRenegotiate This enables optimized SSL connection renegotiation handling when SSL directives are used in per-directory context. By default a strict scheme is enabled where every per-directory reconfiguration of SSL parameters causes a full SSL renegotiation handshake. When this option is used mod_ssl tries to avoid unnecessary handshakes by doing more granular (but still safe) parameter checks. Nevertheless these granular checks sometimes maybe not what the user expects, so enable this on a per-directory basis only, please.

SSLOptions Example

SSLOptions +FakeBasicAuth -StrictRequire +StdEnvVars +CompatEnvVars -ExportCertData

SSLRequire Directive

  • Description : Allow access only when an arbitrarily complex boolean expression is true
  • Syntax : SSLRequire expression
  • directory, .htaccess

This directive specifies a general access requirement which has to be fulfilled in order to allow access. It's a very powerful directive because the requirement specification is an arbitrarily complex boolean expression containing any number of access checks.

This function takes one string argument and expands to the contents of the file. This is especially useful for matching this contents against a regular expression, etc. Notice that expression is first parsed into an internal machine representation and then evaluated in a second step. Actually, in Global and Per-Server Class context expression is parsed at startup time and at runtime only the machine representation is executed. For Per-Directory context this is different: here expression has to be parsed and immediately executed for every request.

SSLRequire htaccess example

SSLRequire %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/

SSLRequire multi-line htaccess example

SSLRequire (  %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." 
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 
and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/

SSLRequireSSL Directive

  • Description : Deny access when SSL is not used for the HTTP request
  • Syntax : SSLRequireSSL
  • directory, .htaccess

This directive forbids access unless HTTP over SSL (i.e. HTTPS) is enabled for the current connection. This is very handy inside the SSL-enabled virtual host or directories for defending against configuration errors that expose stuff that should be protected. When this directive is present all requests are denied which are not using SSL. Example SSLRequireSSL

SSLUserName Directive

  • Description : Variable name to determine user name
  • Syntax : SSLUserName varname
  • server config, directory, .htaccess

This directive sets the "user" field in the Apache request object. This is used by lower modules to identify the user with a character string. In particular, this may cause the environment variable REMOTE_USER to be set. The varname can be any of the SSL environment variables.

SSLUserName usage example

SSLUserName SSL_CLIENT_S_DN_CN

SSLVerifyClient Directive

  • Description : Type of Client Certificate verification
  • Syntax : SSLVerifyClient level
  • Default : SSLVerifyClient none
  • server config, virtual host, directory, .htaccess

This directive sets the Certificate verification level for the Client Authentication. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the client authentication process used in the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotation with the reconfigured client verification level after the HTTP request was read but before the HTTP response is sent.

The following levels are available for level:

  • none : no client Certificate is required at all
  • optional : the client may present a valid Certificate
  • require : the client has to present a valid Certificate
  • optional_no_ca : the client may present a valid Certificate but it need not to be (successfully) verifiable.

In practice only levels none and require are really interesting, because level optional doesn't work with all browsers and level optional_no_ca is actually against the idea of authentication (but can be used to establish SSL test pages, etc.)

SSLVerifyClient example

SSLVerifyClient require

SSLVerifyDepth Directive

  • Description : Maximum depth of CA Certificates in Client Certificate verification
  • Syntax : SSLVerifyDepth number
  • Default : SSLVerifyDepth 1
  • server config, virtual host, directory, .htaccess

This directive sets how deeply mod_ssl should verify before deciding that the clients don't have a valid certificate. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the client authentication process used in the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotation with the reconfigured client verification depth after the HTTP request was read but before the HTTP response is sent. The depth actually is the maximum number of intermediate certificate issuers, i.e. the number of CA certificates which are max allowed to be followed while verifying the client certificate. A depth of 0 means that self-signed client certificates are accepted only, the default depth of 1 means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under SSLCACertificatePath), etc.

SSLVerifyDepth example

SSLVerifyDepth 10

SSLCipherSuite Directive

  • Description: Cipher Suite available for negotiation in SSL handshake
  • Syntax : SSLCipherSuite cipher-spec
  • Default : SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  • server config, virtual host, directory, .htaccess
  • Override: AuthConfig
  • Status: Extension

This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP response is sent.

SSLCipherSuite Algorithms

An SSL cipher specification in cipher-spec is composed of 4 major attributes plus a few extra minor ones
  • Key Exchange Algorithm: RSA or Diffie-Hellman variants.
  • Authentication Algorithm: RSA, Diffie-Hellman, DSS or none.
  • Cipher/Encryption Algorithm: DES, Triple-DES, RC4, RC2, IDEA or none.
  • MAC Digest Algorithm: MD5, SHA or SHA1.

An SSL cipher can also be an export cipher and is either a SSLv2 or SSLv3/TLSv1 cipher (here TLSv1 is equivalent to SSLv3). To specify which ciphers to use, one can either specify all the Ciphers, one at a time, or use aliases to specify the preference and order for the ciphers.

Key Exchange Algorithm
  • kRSA: RSA key exchange
  • kDHr: Diffie-Hellman key exchange with RSA key
  • kDHd: Diffie-Hellman key exchange with DSA key
  • kEDH: Ephemeral (temp.key) Diffie-Hellman key exchange (no cert)
Authentication Algorithm
  • aNULL: No authentication
  • aRSA: RSA authentication
  • aDSS: DSS authentication
  • aDH: Diffie-Hellman authentication
Cipher Encoding Algorithm
  • eNULL: No encoding
  • DES: DES encoding
  • 3DES: Triple-DES encoding
  • RC4: RC4 encoding
  • RC2: RC2 encoding
  • IDEA: IDEA encoding
MAC Digest Algorithm
  • MD5: MD5 hash function
  • SHA1: SHA1 hash function
  • SHA: SHA hash function
Aliases
  • SSLv2: all SSL version 2.0 ciphers
  • SSLv3: all SSL version 3.0 ciphers
  • TLSv1: all TLS version 1.0 ciphers
  • EXP: all export ciphers
  • EXPORT40: all 40-bit export ciphers only
  • EXPORT56: all 56-bit export ciphers only
  • LOW: all low strength ciphers (no export, single DES)
  • MEDIUM: all ciphers with 128 bit encryption
  • HIGH: all ciphers using Triple-DES
  • RSA: all ciphers using RSA key exchange
  • DH: all ciphers using Diffie-Hellman key exchange
  • EDH: all ciphers using Ephemeral Diffie-Hellman key exchange
  • ADH: all ciphers using Anonymous Diffie-Hellman key exchange
  • DSS: all ciphers using DSS authentication
  • NULL: all ciphers using no encryption

Now where this becomes interesting is that these can be put together to specify the order and ciphers you wish to use. To speed this up there are also aliases (SSLv2, SSLv3, TLSv1, EXP, LOW, MEDIUM, HIGH) for certain groups of ciphers. These tags can be joined together with prefixes to form the cipher-spec.

Available prefixes
  • none: add cipher to list
  • +: add ciphers to list and pull them to current location in list
  • -: remove cipher from list (can be added later again)
  • !: kill cipher from list completely (can not be added later again)
A simpler way to look at all of this is to use the openssl ciphers -v command which provides a nice way to successively create the correct cipher-spec string. The default cipher-spec string is ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP which means the following: first, remove from consideration any ciphers that do not authenticate, i.e. for SSL only the Anonymous Diffie-Hellman ciphers.Next, use ciphers using RC4 and RSA. Next include the high, medium and then the low security ciphers.Finally pull all SSLv2 and export ciphers to the end of the list.
$ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
NULL-SHA   SSLv3 Kx=RSA  Au=RSA  Enc=None  Mac=SHA1
NULL-MD5   SSLv3 Kx=RSA  Au=RSA  Enc=None  Mac=MD5
EDH-RSA-DES-CBC3-SHA  SSLv3 Kx=DH   Au=RSA  Enc=3DES(168) Mac=SHA1
EXP-RC4-MD5  SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40) Mac=MD5  export
EXP-RC2-CBC-MD5   SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40) Mac=MD5  export
EXP-RC4-MD5  SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40) Mac=MD5  export

SSLCipherSuite Example

SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW

Tags

March 29th, 2008

Comments Welcome

  • Pete

    On an Apache 1.3x system, "and" & "or" isn't valid inside an .htaccess file. The use of "&&" and "||" are required instead.

    So where you list:

    SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/
                and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd."
                and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
                and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5
                and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       )
               or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/

    It would have to be written as:

    SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ &&
         %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." &&
         %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} &&
         %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 &&
         %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20) ||
         %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/
  • George Payne

    I was trying to do something I thought was simple,but have so far been unable to figure out.

    I wanted set up a temp server just to host a "we are down for the moment" web page. It's pretty easy to set it up so it responds to all http requests with a single page. But I can't figure out how to set it up to answer all HTTPS requests with the same page without actually setting up SSL with a valid cert on my temporary server, which I don't want to do.

    Any suggestions? A wiser way of going about this?

  • http://josiahritchie.com Josiah

    Thanks, this article provided some great info and helped me to get where I wanted to be. I really appreciate it.

  • http://www.pepr.com Gert

    We are setting up an SSL area for our website and face this issue that the link is accessable through various methos causing SSL by passes. I like to gracefully solve this. But the complexity is that the SSL link is not the same as the HTTP links. The certificate is from our website provider.

    The good link:
    https://pepr-com.ssl.eatserver.nl/

    The alternative way that does not compute to the SSL environment:
    http://buydirect.pepr.com

    The browsing method that does nto compute to the SSL environment:
    http://www.pepr.com/buydirect

    How do I combine the standard recommendation with the SEO version of it?

    SSLOptions +StrictRequire
    SSLRequireSSL
    SSLRequire %{HTTP_HOST} eq "google.com"
    ErrorDocument 403 https://google.com
    and
    RewriteRule ^/normal/secure(/.*) https://%{HTTP_HOST}$1 [R=301,L]

    I am a bit lost in this area and would ask the proper htaccess content to fix it. The complexity also sits in the fact that SSL is on a different link.

  • http://www.askapache.com/ AskApache

    Two possible scenarios for X509 authentication follow:

    A fairly strict authentication setup for one or two administrators

    <Directory [absolute path to directory for service, in quotes]>
    SSLOptions  +StdEnvVars +ExportCertData +FakeBasicAuth +OptRenegotiate +CompatEnvVars
    SSLVerifyClient   require
    SSLVerifyDepth    5
    SSLRequireSSL
    SSLRequire %{SSL_CLIENT_I_DN_CN} eq "the CN of the Issuer DN of client's certificate in quotes"
    and %{SSL_CLIENT_S_DN_O} eq "the O of the Subject DN in client's certificate in quotes"
    and %{SSL_CLIENT_S_DN_CN} in {"the CN of one or more", "comma delimited Subject DNs in quotes"}
    </Directory>

    An authentication setup for many users with certs from a given CA

    <Directory [path to directory where the application lives, in quotes]>
    SSLOptions  +StdEnvVars +ExportCertData +OptRenegotiate +FakeBasicAuth
    SSLVerifyClient   require
    SSLVerifyDepth    5
    SSLRequireSSL
    SSLRequire %{SSL_CLIENT_I_DN_CN} eq "the CN of Issuer DN of client's certificate in quotes"
    and %{SSL_CLIENT_S_DN_O} eq "the O of Subject DN in client's certificate in quotes"
    and %{SSL_CLIENT_S_DN_OU} eq ""the OU of Subject DN in client's certificate in quotes"
    </Directory>

    From: HordeSSLAuthHowTo

  • john

    Wow! This is the best site on Apache redirects and rewrites on the Internet! I have looked everywhere

    I just have a quick question.. you know when a request is made to a secure area, and for that directory there is a SSLRequire directive. If the user has the digital certificate installed it's all fine. However, if they don't have the certificate installed you get a big Apache error:

    (Error code: ssl_error_handshake_failure_alert)

    Is it possible to do a rewrite so that if they don't have the certificate installed it redirects them to a page informing them of this?

    /John

  • Nick

    Very comprehensive. Thank you.

  • Ajay

    Hi,
    We are using Apache 2 for secure mode and using MOD jk to redirect our request to tomcat 6.0.
    We are using client certificate created with ca-authority application. We have following entries in our ssl.conf like...

    DocumentRoot "/var/apache2/public_html"
    ServerName sun1111.abc.com:443
    ServerAdmin Ab@abc.com
    LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i""
    ErrorLog logs/myprodcheck_error_log
    TransferLog logs/myprodcheck_access_log
     
    AddType text/html .asp
     
    #   SSL Engine Switch:
    SSLEngine on
     
    #   SSL Cipher Suite:
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
     
    #   Server Certificate:
    SSLCertificateFile /var/apache2/conf/ssl.crt/abc.crt
     
    #   Server Private Key:
    SSLCertificateKeyFile /var/apache2/conf/ssl.key/abc.key
     
    #   Server Certificate Chain:
    #SSLCertificateChainFile /var/apache2/conf/ssl.crt/ca.crt
     
    #   Certificate Authority (CA):
    SSLCACertificateFile /var/apache2/conf/ssl.crt/ca-bundle.crt
     
    #   Client Authentication (Type):
    SSLVerifyClient optional
    SSLVerifyDepth  3
     
    #   Access Control:
    #
    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/
    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd."
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} = 8 and %{TIME_HOUR} <= 20       )
    #           or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/
    #
    SSLOptions +StdEnvVars
     
    #   SSL Engine Options:
    #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
    SSLOptions +StdEnvVars

    And it's working fine and it's showing the server certification when we'll access our site with HTTPS.
    But issue is that now we need the values from client certificate from client machine. So how we can read these variable from request with java api.

    Thanks in advanced,
    Ajay

  • Jeff
    SSLOptions +StrictRequire
    SSLRequireSSL
    SSLRequire %{HTTP_HOST} eq "google.com"
    ErrorDocument 403 https://google.com

    Thanks! This works great but I want to use this for a folder that is shared by every vhost. It's actually my awstats directory. If I access awstats via any of my websites (e.g, /awstats), I get the stats for that paticular website. The server was preconfigured so I guess there is a rewrite rule somewhere in one of the many config files.

    Line SSLRequire %{HTTP_HOST} eq "google.com" only lists one host name (google.com). Is there a way to set this up so SSL is required no matter the host name?

  • Joe

    A simple question for the experts....

    I would like to have specific pages on my site served by HTTPS, regardless of how they were requested - but all other pages should be served by plain HTTP, also regardless of how they were requested.

    Reason: if the user goes into the checkout process, which is HTTPS, and then for some reason clicks back to "Home", or any category / product page / content page, there's a "Secure/Nonsecure items" issue with Internet Explorer, since the site tries to serve up the page via HTTPS.

    So, I would like to have all pages (i.e. home, category, product, FAQ, etc.) served as HTTP - even if the user came from an HTTPS page. But the checkout/cart/account pages should remain HTTPS.

    I've tried the code below, but it doesn't seem to work... Well, the first half (forcing the checkout & account pages to be HTTPS) works, but "rest of site = http" doesn't.

    What am I doing wrong?

    # Redirect secure pages to httpS if requested with http
    RewriteCond %{SERVER_PORT}!^443$
    RewriteRule "^customer/account(/.*)|wishlist(/.*)|onestepcheckout(/.*)" "https://%{HTTP_HOST}$1" [R=301]
     
    RewriteCond %{SERVER_PORT} !^(80|8080)$
    RewriteCond %{REQUEST_URI} !^(customer/account(/.*)|wishlist(/.*)|onestepcheckout(/.*)$
    RewriteRule ^(.*)$         http://%{HTTP_HOST}$1

    ------------------

    Pages that need to be secure:

    www.site.com/customer/account/
    www.site.com/wishlist/
    www.site.com/onestepcheckout/

    ...and all their subsidiaries ( "customer/account/login, customer/account/dashboard/, etc.)

    Any advice would be MUCH appreciated!

  • http://theappraisaliq.com Alison Shuman

    I have what is probably a simple problem but have very limited apache skills.

    I have just a few pages on my website that need https, and I thought I had my .htaccess set up properly.

    The problem is that after visiting one of the https pages, and then navigating to another area of the website, the user's browser retains the https, even for pages that shouldn't be (or don't need to be) encrypted.

    The sections of my .htaccess file that pertain:

    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{REQUEST_URI} customer-orders
    RewriteRule ^(.*)$ https://site.com/$1 [R,L]
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{REQUEST_URI} secure-area
    RewriteRule ^(.*)$ https://site.com/$1 [R,L]

    In addition to the pages under the customer-orders area, I set up another directory called "secure-area" to drop images and other page elements that were triggering browser's to ask about delivering only secure content.

    What is my problem?

    Thanks!

    Alison

  • matt

    @ joe

    did you get a solution to your problem? i have the same issue.

  • http://nothing Bipin

    Hi,

    I am just looking for redirection with https://www.abc.com to https://abc.com
    My problem is this i have only abc.com ssl cert.
    when i am redirecting it with abc.com in initials stage browser showing error

    www.abc.com uses an invalid security certificate.

    The certificate is not trusted because the issuer certificate is unknown.
    The certificate is only valid for abc.com

    After Click on I understand......
    its redirecting but i just want to remove this error.
    is it possible let me know.

    Thanks,
    Bipin

  • noobish

    Is it possible to force via .htaccess that mod_ssl is enabled? Since I cannot find a way I'm using https rewriting after SSLRequireSSL to cover this hole.

  • http://technologist.com Bipin Bahuguna

    Hi Guys,
    I have ssl certificate for abc.com
    but client hits are coming from www.abc.com
    Its Redirecting successfully https://abc.com to https://www.abc.com
    but browser showing error cert valid only for abc.com
    is there any idea to bypass this error via redirect rules or any ?????

    Thanks

  • http://technologist.com Bipin Bahuguna

    Hi Guys,
    i have setup a ssl site with the vhostname abc.com and www.abc.com
    but issue is, certificate is only valid for abc.com
    redirected successfully https://abc.com to https://www.abc.com
    but browser showing cert is only valid for abc.com
    is there any idea to resolve this error without buying new ssl cert or wild card.
    can we do it via rewrite mod or any ????????

    Thanks,
    Bipin

  • stefan

    i think many users want know this:

    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^www.DOMAIN.de$ [NC]
    RewriteRule ^(.*)$ http://www.DOMAIN.de/$1 [R=301,L]

    -----------
    How or what i have to do or to ADD? I need SSL like:

    httpS://www.Domain.de or https://domain.de

    thx a lot :)

  • Matthew

    @Bipin

    Where you able to solve the issue with the redirect you are looking for, I have exactly the same issue, and have tried many variants but this is still giving me the issue.

  • http://none Bipin Bahuguna

    @Matthew

    : we can not do it via redirect mode or any bypass method.
    at last have to buy wild cards for domains.
    Thanks Matthew keep in touch and share your problems .
    i will do the same . it will boost our knowledge.
    Can directly contact "technologist.com@gmail.com"

    Thanks,
    Bipin Bahuguna

  • Kyle H

    What does SSL_CLIENT_VERIFY GENEROUS mean?

  • RV

    Let's try again: "What does SSL_CLIENT_VERIFY GENEROUS mean?"

  • http://www.askapache.com/ AskApache

    @RV, @Kyle H

    SSL_CLIENT_VERIFY is used to test whether certificate verification was successful. GENEROUS only says that some kind of certificate was sent at all, SUCCESS is what you should look for.

  • http://www.facebook.com/ruben.benayon Ruben Benayon

    Have in my site the following .htaccess rules:

    RewriteEngine on
    RewriteRule ^Home home.php [NC]
    RewriteRule ^([0-9]+)- interior.php?id=$1 [L]

    and in the main form do a post to https://mydomain.com/checkout.php, and the page say 500 internal error.. and the log say /web/mydomain/.htaccess: Invalid command 'RewriteEngine', perhaps mis-spelled or defined by a module not included in the server configuration

    any idea?

  • http://www.facebook.com/ruben.benayon Ruben Benayon

    Have in my site the following .htaccess rules:

    RewriteEngine on
    RewriteRule ^Home home.php [NC]
    RewriteRule ^([0-9]+)- interior.php?id=$1 [L]

    and in the main form do a post to https://mydomain.com/checkout.php, and the page say 500 internal error.. and the log say /home/mydomain/.htaccess: Invalid command 'RewriteEngine', perhaps mis-spelled or defined by a module not included in the server configuration

    any idea?

  • Pingback: problem in hosting apache based https server on centos 6.3!!

  • Pingback: بهترین تنظیماتhtaccess - robots.txt

  • Pingback: Aktiver HTTPS på nettsiden (og gi NSA litt merarbeid)? Gratis tips! – SINTEF Infosec

My Online Tools
WordPress Sites

My Picks

Related Articles
Newest Posts
Twitter

  • @askapache · Apr 22
    Within our small sphere of the universe we can look at our past, but only our future is within our control
  • @askapache · Apr 16
    RT @commandlinefu:  t.co/htRbYF8SFf  - Print ASCII Character Chart (AskApache) #echo #column #ascii #for #octal #askapache #chart
  • @askapache · Apr 11
    Angel headed hipsters burning for the ancient heavenly connection to the starry dynamo in the machinery of the night - Ginsberg
  • @askapache · Apr 11
    If you haven't experienced a hacker war on a free shell network like SDF, you haven't lived!
  • @askapache · Apr 10
    @kovshenin @wpekadotcom @CloudFlare Maybe it's an April fools joke that finally propagated
  • @askapache · Apr 10
    @kovshenin @wpekadotcom @CloudFlare wait this is a joke right?
  • ZERO DAY - read before Trojan horse  t.co/pPMLGDJv8P 
  • Trojan Horse, a novel!  t.co/Hf8EtYaZVa 
  • The Hacker Playbook - very nice high level overview of attacks  t.co/lHwNVWi61u 
  • Clean Code - A Handbook of Agile Software Craftsmanship  t.co/hnJX0x1qIc 
  • Secrets of the JavaScript Ninja - By my absolute favorite JS hacker John Resig!  t.co/tZ42ljmcCl 
  • Hacking Exposed 7: Network Security Secrets & SolutionsMy all time favorite, basic but thorough and accurate.  t.co/jycW0RDVtZ 
  • Empty words will be no surrogate for cold resolve. Pain is nothing.  t.co/qXjpRxbjCw 
  • REVERSING: Secrets of Reverse Engineering  t.co/GaWo29lWWG 
  • NEUROMANCER  t.co/3OoknUcb5Z 
  • "The Shockwave Rider", by John Brunner (1975 hacker sci-fi)  t.co/ZW56HVUefW 
  • The Rootkit ARSENAL - Escape and Evasion in the Dark Corners of the System  t.co/1FzX6bHgsQ 
  • "We Are Anonymous - Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency" better be good!  t.co/GL0cFNiUOq 
  • THE IDEA FACTORY Bell Labs  t.co/FyVhgNwwT5 
  • The Datacenter as a Computer -- Urs Holzle  t.co/M5WIYs1OVg 

Friends and Recommends
Hacking and Hackers

The use of "hacker" to mean "security breaker" is a confusion on the part of the mass media. We hackers refuse to recognize that meaning, and continue using the word to mean someone who loves to program, someone who enjoys playful cleverness, or the combination of the two. See my article, On Hacking.
-- Richard M. Stallman






[hide]

It's very simple - you read the protocol and write the code. -Bill Joy

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed. "Apache" is a trademark of The ASF. NCSA HTTPd.
UNIX ® is a registered Trademark of The Open Group. POSIX ® is a registered Trademark of The IEEE.

| Google+ | askapache

Site Map | Contact Webmaster | License and Disclaimer | Terms of Service

↑ TOPMain