I've configured apache2 to redirect a virtual host (munin) from http to https, I've something like this:
cat /etc/apache2/site-enabled/default
[...]
# 20140619 - munin redirect http to https
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} ^/munin/.*
RewriteRule ^(.*)$ https://server1.example.com/$1 [R,L]
[...]
munin has its default config
cat /etc/apache2/site-enabled/munin
Alias /munin /var/cache/munin/www
<Directory /var/cache/munin/www>
Order allow,deny
Allow from all ::1
Options None
AuthUserFile /etc/munin/munin-pass
AuthName "server1.example.com"
AuthType Digest
require valid-user
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault M310
</IfModule>
</Directory>
So, when I try to connect (using chrome) to http://server1.example.com, browser immediately ask me username and password (I'm connected using http). After inserted mine credentials (browser warn me about not trusted certificate, it's ok: I don't have a trusted certficate). When I force it to connect using https I need re-insert username and password and only now I can see the munin page.
Now, when I insert user and password (the first time), does that credentials can intercepts? or I'm inside SSL tunnel?
If credentials go over HTTP, they can be intercepted. If credentials go over HTTPS with an untrusted certificate, they can be intercepted (if users are in the habbit of just clicking 'ok' on the warning, a bad guy can insert their own cert and defeat the whole purpose of SSL). You're only shot at being safe is HTTPS with a trusted cert.
Related
I want the site to be redirected to https when I request the site with http and always be redirected to https
Typically, redirecting http to https is done at the server configuration level. For a quick and dirty redirect, you can use a .htaccess file.
Quick and dirty: .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]
The right way on apache:
Redirect on apache
I have my Rest Framework API's up and running on an AWS EC2 instance. I have set up Apache and added SSL certificate.
I'm using my own custom token authentication.
Passing Authorization as header - On doing post request from both Postman and React, the header is not received in request.headers("Authorization") and request.META["HTTP_AUTHORIZATION"].
Passing Authorization2 or x-api-key as header -
Works fine from Postman
On React, browser throws error Access to fetch at 'https://www.myapi.live/api/project/add/8/' from origin 'http://localhost:3000' has been blocked by CORS policy: Request header field authorization2 is not allowed by Access-Control-Allow-Headers in preflight response.
I have already tried including Access-control-origin Header in React and setting django-cors-headers at backend. But it doesn't help.
Passing Authorization as header but exposing runserver at 0.0.0.0:8000 instead of apache https url-
Works in Postman
Works in React too
Here's my 000-default.conf in both sites-enabled and sites-available
<VirtualHost *:80>
ServerName www.myapi.live
ServerAdmin webmaster#localhost
DocumentRoot /home/ubuntu/django/project
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /static /home/ubuntu/django/project/static
<Directory /home/ubuntu/django/project/static>
Require all granted
</Directory>
<Directory /home/ubuntu/django/project/project>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
WSGIDaemonProcess project python-path=/home/ubuntu/django/project python-home=/home/ubuntu/django/myenv
WSGIProcessGroup project
WSGIScriptAlias / /home/ubuntu/django/project/project/wsgi.py
WSGIPassAuthorization On
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.myapi.live
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</VirtualHost>
So I added WSGIPassAuthorization On to my apache.conf file which resides in the parent directory just outside of sites-enabled. Doing these changes made it work like a charm and apache no longer strips the Authorization header.
Just in case this can be of help to someone else in future! Thanks!
my website hosted on ec2 - AWS. I want to add www in my website. Also my website has ssl. I am not able to add www in my website. I want my website full domain should be start with https://www.
I installed ubantu.
First, connect to your ec2 instance using ssh
After connect successfully go to your root directory using sudo su -
After that run sudo nano /etc/apache2/sites-available/000-default.conf to open your config file.
then in your vi editor you have to write below code
ServerName yourdomain.com
ServerAlias www.yourdomain.com
<Directory /var/www/html/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
save the file.
And restart your apache server using
service apache2 restart.
Hope this will help you.
Good evening,
I am trying to set up my apache2 reverse proxy
(following https://github.com/ether/etherpad-lite/wiki/How-to-put-Etherpad-Lite-behind-a-reverse-Proxy)
for etherpad lite
(following https://www.howtoforge.com/tutorial/ubuntu-etherpad-editor-server-installation/, except for the nginx part).
I use http->ssl redirection. Since I use letsencrypt I can only access domain.com and not etherpad.domain.com (at least firefox won't let me and I want to avoid changing that certificate each time I add a new site). So I would like to access my etherpad just as I do access my other sites: domain.com/etherpad. However I always get a 404 trying to get to the site. Looking at a working example, in my nextcloud.conf file I have a line saying:
Alias /nextcloud /local/path/to/nextcloud
However the etherpad reverse proxy virtual host file looks entirely different, the key difference is etherpad not having a local folder but only a mysql database. (Please correct me if this is wrong)
So I tried changing the ssl example from the second link to the following, but it does not work. Please understand that I changed domain name and some internal paths, but "apache2ctl configtest" succeeds and the service is running without error.
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName randomisedDomain.com/etherpad
# SSL configuration
SSLEngine on
# If you hold wildcard certificates for your domain the next two lines are not necessary.
SSLCertificateFile "/working/path/to/fullchain.pem"
SSLCertificateKeyFile "/working/path/to/privkey.pem"
ProxyVia On
ProxyRequests Off
ProxyPreserveHost on
<Location />
AuthType Basic
AuthName "Welcome to the randomisedDomain.com Etherpad"
AuthUserFile /working/path/to/etherpad.passwd
#AuthGroupFile /path/to/svn.group
Require user etherpad
ProxyPass http://localhost:9001/ retry=0 timeout=30
ProxyPassReverse http://localhost:9001/
</Location>
<Location /socket.io>
# This is needed to handle the websocket transport through the proxy, since
# etherpad does not use a specific sub-folder, such as /ws/ to handle this kind of traffic.
# Taken from https://github.com/ether/etherpad-lite/issues/2318#issuecomment-63548542
# Thanks to beaugunderson for the semantics
RewriteEngine On
RewriteCond %{QUERY_STRING} transport=websocket [NC]
RewriteRule /(.*) ws://localhost:9001/socket.io/$1 [P,L]
ProxyPass http://localhost:9001/socket.io retry=0 timeout=30
ProxyPassReverse http://localhost:9001/socket.io
</Location>
<Proxy *>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Proxy>
</VirtualHost>
Any help for rerouting the localhost domain to randomisedDomain.com/etherpad is greatly appreciated !
Best regards
MAPster
When we access the server directly through port 8080 (without proxy settings) we are not getting the randomly corrupted response and when we configured Apache and Tomcat with proxy settings using mod-proxy-ajp and mod-proxy to run on port 80 instead of 8080 we are getting the randomly corrupted response.
We tried using http instead of ajp but it didn't worked.
We also have Websocket in our application
My server configuration :
Apache Tomcat/7.0.56
Apache Web Server/2.4.10
Java version 1.8.0_161
Following is my setting of apache web server to tomcat redirection :
File: /etc/apache2/sites-available/domainname.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerName domainname
Redirect / https://domainname/
ProxyRequests Off
ProxyPreserveHost On
</VirtualHost>
<VirtualHost *:443>
ServerName domainname
Redirect / https://domainname/myapp/login.html
SSLEngine on
SSLProtocol -all +TLSv1.2
SSLCertificateFile /etc/apache2/ssl/certificate.crt
SSLCertificateKeyFile /etc/apache2/ssl/certificate.key
SSLCertificateChainFile /etc/apache2/ssl/gd_bundle-g2-g1.crt
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /myapp/ ajp://localhost:8009/myapp/ retry=0 timeout=385
ProxyPassReverse /myapp/ ajp://localhost:8009/myapp/
ProxyPass /myapp/busy-details ajp://localhost:8009/myapp/busy-details/ retry=0 timeout=385
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/myapp/order/$
RewriteCond %{QUERY_STRING} ^OrderID=([0-9999999]*)$
RewriteRule ^(.*)$ https://domainname/myapp/#/orders/edit/%1 [L,R=301,NE]
RewriteCond %{REQUEST_URI} ^/myapp/dentist/$
RewriteCond %{QUERY_STRING} ^DentID=([0-9999999]*)$
RewriteRule ^(.*)$ https://domainname/myapp/#/dentist/edit/%1 [L,R=301,NE]
</VirtualHost>
And tomcat server.xml setting
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
URIEncoding="UTF-8" redirectPort="8443" maxPostSize="-1" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" />
please see below response we are getting in browser. Here you can see whenever we load our page some part of HTML response is missing this is also happening with normal ajax get request.
In response 1 you can see Response header of one of the HTML page request.
In response 2 you can see we are getting incomplete response with Red dot in chrome network tab.
Server response 1
Server response 2