My httpd.conf:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
successfully redirects http://www.example.com to https://example.com but fails to redirect https://www.example.com (to https://example.com). What is the problem?
I am in a project in which we have decided to have several web servers in Docker, so we make use of a Reverse Proxy Multidomain (all requests to the same machine, and this with the proxy is already responsible for redirecting to the web container that indicates the request). All this works correctly, but when it comes to securing it with HTTPS (using our own certificates), it is not able to make the redirection (I've not created a DNS server yet, so I'm using the /etc/hosts file to do the translation).
Since working with our full structure is rather complex, I have set up a simple example, which also fails to make the redirection to HTTPS.
Here is the structure:
And here are the files:
reverse-proxy_simple/docker-compose.yml
version: "3.2"
services:
  proxy:
    image: nginx
    container_name: proxy_examples
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./confProxy/default.conf:/etc/nginx/conf.d/default.conf
      - ./confProxy/ssl:/etc/nginx/certs/
      - ./confProxy/includes:/etc/nginx/includes/
      - /var/run/docker.sock:/tmp/docker.sock:ro
    networks:
      - examples
  example1.com:
    image: php:7-apache
    container_name: example1.com
    ports:
      - 8081:443
    volumes:
      - ./example1/sites-available:/etc/apache2/sites-available/
      - ./example1/example1.com:/var/www/html/
      - ./example1/certs:/etc/ssl/certs/
    networks:
      examples:
        ipv4_address: 192.168.1.10
  example2.com:
    image: php:7-apache
    container_name: example2.com
    ports:
      - 8082:443
    volumes:
      - ./example2/sites-available:/etc/apache2/sites-available/
      - ./example2/example2.com:/var/www/html/
      - ./example2/certs:/etc/ssl/certs/
    networks:
      examples:
        ipv4_address: 192.168.1.20
networks:
  examples:
    ipam:
      config:
        - subnet: 192.168.1.0/24
reverse-proxy_simple/confProxy (directory):
reverse-proxy_simple/confProxy/default.conf
# web example1 config.
server {
    listen 80;
    listen 443 ssl http2;
    server_name example1.com;
    # Path for SSL
    ssl_certificate /etc/nginx/certs/certificate.crt;
    ssl_certificate_key /etc/nginx/certs/certificate.key;
    ssl_trusted_certificate /etc/nginx/certs/certificate.ca.crt;
    include /etc/nginx/includes/ssl.conf;
    location / {
        include /etc/nginx/includes/proxy.conf;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwared-Proto $scheme;
        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 128;
        proxy_pass https://example1.com/;
        proxy_read_timeout 600;
        proxy_redirect http://example1.com https://example1.com;
    }
    access_log off;
    error_log /var/log/nginx/error.log error;
}
# web example2 config.
server {
    listen 80;
    listen 443 ssl http2;
    server_name example2.com;
    # Path for SSL
    ssl_certificate /etc/nginx/certs/certificate.crt;
    ssl_certificate_key /etc/nginx/certs/certificate.key;
    ssl_trusted_certificate /etc/nginx/certs/certificate.ca.crt;
    include /etc/nginx/includes/ssl.conf;
    location / {
        include /etc/nginx/includes/proxy.conf;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwared-Proto $scheme;
        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 128;
        proxy_pass https://example2.com/;
        proxy_read_timeout 600;
        proxy_redirect http://example2.com https://example2.com;
    }
    access_log off;
    error_log /var/log/nginx/error.log error;
}
reverse-proxy_simple/confProxy/includes (directory):
reverse-proxy_simple/confProxy/includes/proxy.conf
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
proxy_http_version 1.1;
proxy_intercept_errors on;
reverse-proxy_simple/confProxy/includes/ssl.conf
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHAECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
reverse-proxy_simple/confProxy/ssl (directory)
certificate.crt
certificate.key
certificate.ca.crt
reverse-proxy_simple/example1 (directory)
reverse-proxy_simple/example1/certs (directory)
certificate.crt
certificate.key
certificate.ca.crt
reverse-proxy_simple/example1.com (directory)
error.log
requests.log
public_html (directory)
index.html
reverse-proxy_simple/sites-available (directory)
000-default.conf
<VirtualHost *:80>
    ServerName example1.com
    DocumentRoot /var/www/html/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/html/public_html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName example1.com
        DocumentRoot /var/www/html/public_html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        <Directory /var/www/html/public_html>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
        </Directory>
        SSLCertificateFile /etc/ssl/certs/certificate.crt
        SSLCertificateKeyFile /etc/ssl/certs/certificate.key
        SSLEngine on
    </VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
reverse-proxy_simple/example2 (directory)
reverse-proxy_simple/example2/certs (directory)
certificate.crt
certificate.key
certificate.ca.crt
reverse-proxy_simple/example2.com (directory)
error.log
requests.log
public_html (directory)
index.html
reverse-proxy_simple/sites-available (directory)
000-default.conf
<VirtualHost *:80>
    ServerName example2.com
    DocumentRoot /var/www/html/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/html/public_html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName example2.com
        DocumentRoot /var/www/html/public_html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        <Directory /var/www/html/public_html>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
        </Directory>
        SSLCertificateFile /etc/ssl/certs/certificate.crt
        SSLCertificateKeyFile /etc/ssl/certs/certificate.key
        SSLEngine on
    </VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
/etc/hosts
192.168.1.10 example1.com
192.168.1.20 example2.com
Let me know if you know what's wrong here!
Thanks ;)
My service superset is configured to redirect HTTP to HTTPS
superset:
  image: superset:base
  container_name: superset_app
  ports:
    - '8080'
  labels:
    - "traefik.enable=true"
    - "traefik.http.middlewares.http-to-https.redirectscheme.scheme=https"
    - "traefik.http.routers.superset-http.middlewares=http-to-https"
    - traefik.http.routers.superset-http.rule=Host("superset-lab.domain.com")
    - "traefik.http.routers.superset-http.entrypoints=web"
    - traefik.http.routers.superset.rule=Host("superset-lab.domain.com")
    - "traefik.http.routers.superset.entrypoints=web-secure"
    - "traefik.http.routers.superset.tls=true"
    - "traefik.http.services.superset.loadbalancer.server.port=8080"
This config works as expected.
curl -Ik http://superset-lab.domain.com/login/?username=9999999&redirect=/superset/dashboard/
[1] 85007
HTTP/1.1 307 Temporary Redirect
Location: https://superset-lab.domain.com/login/?username=999999
Content-Length: 18
Content-Type: text/plain; charset=utf-8
But when I try to access it directly over HTTPS, the request is redirected to HTTP.
curl -Ik https://superset-lab.domain.com/login/?username=999999&redirect=/superset/dashboard/
[1] 85096
HTTP/1.1 302 Found
Content-Length: 209
Content-Type: text/html; charset=utf-8
Date: Mon, 26 Apr 2021 16:09:11 GMT
Location: http://superset-lab.domain.com/
Server: Werkzeug/1.0.1 Python/3.6.9
HttpOnly; Path=/; SameSite=Lax
Vary: Cookie
Is there a problem with my traefik labels or is something in the application (superset)?
The problem isn't in traefik.
Apache Superset uses Flask, and the X-Forwarded headers need to be set in Flask.
Here is some explanation:
https://stackoverflow.com/a/23504684/4175515
In the specific case of Apache Superset, just set ENABLE_PROXY_FIX=True in config.py to solve the problem.
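The effect described in the answer above, as an added example that is not part of the original post or of Superset's code: a backend reached over plain HTTP behind a TLS-terminating proxy builds `http://` redirects until a middleware applies `X-Forwarded-Proto`. It uses only the standard library; the names `app`, `ProxyProtoFix` and `location_for` are hypothetical, and a single trusted proxy hop is assumed.

```python
# Added example: stdlib-only sketch of a proxy-fix WSGI middleware.
# All names are hypothetical; the request values are constructed samples.

def app(environ, start_response):
    """Toy backend: redirects to '/' using the scheme it believes it is served on."""
    scheme = environ["wsgi.url_scheme"]
    host = environ.get("HTTP_HOST", "localhost")
    start_response("302 Found", [("Location", f"{scheme}://{host}/")])
    return [b""]


class ProxyProtoFix:
    """Set wsgi.url_scheme from X-Forwarded-Proto written by trusted proxies.

    trusted_hops is the number of proxies in front of the app. The value is
    counted from the right of the header, so anything a client prepended
    before the trusted proxy appended its own value is ignored.
    """

    def __init__(self, wsgi_app, trusted_hops=1):
        self.wsgi_app = wsgi_app
        self.trusted_hops = trusted_hops

    def __call__(self, environ, start_response):
        raw = environ.get("HTTP_X_FORWARDED_PROTO", "")
        values = [v.strip() for v in raw.split(",") if v.strip()]
        if self.trusted_hops and len(values) >= self.trusted_hops:
            proto = values[-self.trusted_hops].lower()
            if proto in ("http", "https"):  # reject anything else
                environ["wsgi.url_scheme"] = proto
        return self.wsgi_app(environ, start_response)


def location_for(wsgi_app, forwarded_proto=None):
    """Call wsgi_app as the proxy would (plain HTTP hop) and return Location."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/login/",
               "HTTP_HOST": "superset-lab.domain.com", "wsgi.url_scheme": "http"}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    captured = {}
    wsgi_app(environ, lambda status, headers: captured.update(headers))
    return captured["Location"]


if __name__ == "__main__":
    print(location_for(app, "https"))                 # header ignored
    print(location_for(ProxyProtoFix(app), "https"))  # header applied
```

The header is only meaningful when the application is reachable exclusively through the proxy; with `trusted_hops=0` the middleware ignores it entirely.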
this is
http to https
non www to www
#http -> https
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#add www.
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} ^(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
I don't know the reverse code ^^;;
https to http
www to non www
how is the rule in htaccess?
thanks
To redirect https to http and www to non-www you can modify your rules like the following:
RewriteEngine on
#https -> http
RewriteCond %{HTTPS} on
RewriteCond %{HTTP:X-Forwarded-Proto} !http$
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#strip www. (target is http://, otherwise the first rule redirects a second time)
RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
RewriteRule ^(.*)$ http://%1%{REQUEST_URI} [L,R=301]
I need to redirect www.foo.com and foo.com to www.bar.com in haproxy, this is my configuration:
frontend http-in
    bind *:80
    acl bar.com hdr(host) -i www.bar.com
    ...
    use_backend bar.com_cluster if bar.com
    ...
    redirect prefix http://foo.com code 301 if { hdr(host) -i www.bar.com }
    redirect prefix http://www.foo.com code 301 if { hdr(host) -i www.bar.com }
    ...
backend bar.com_cluster
    balance roundrobin
    option httpclose
    option forwardfor
    server bar 10.0.0.1:80 check
I have tried with redirect prefix but it doesn't work, any idea?
Change the order of the hostnames:
redirect prefix http://www.bar.com code 301 if { hdr(host) -i foo.com }
redirect prefix http://www.bar.com code 301 if { hdr(host) -i www.foo.com }
instead of
redirect prefix http://foo.com code 301 if { hdr(host) -i www.bar.com }
redirect prefix http://www.foo.com code 301 if { hdr(host) -i www.bar.com }
I'm trying to make atomic deploys with Nginx and PHP5.5-FPM with Opcache.
The idea is just to change the webroot in nginx.conf and then just run
nginx reload
What I'm expecting is that Nginx will wait for the current requests to end and then reload itself passing the new webroot path to PHP FPM, but it's not working: PHP FPM is still loading the PHP files from the old directory.
I'm using the (undocumented) $realpath_root in Nginx in order not to get the symlink (/prod/current) but the real path.
The technique is documented here: http://codeascraft.com/2013/07/01/atomic-deploys-at-etsy/
Debugging Nginx I can clearly see that it is passing the new(real) path.
2014/09/23 17:13:22 [debug] 26234#0: *1742 http script var: "/www/htdocs/current/web"
2014/09/23 17:13:22 [debug] 26234#0: *1742 posix_memalign: 00000000010517A0:4096 #16
2014/09/23 17:13:22 [debug] 26234#0: *1742 http script copy: "SCRIPT_FILENAME"
2014/09/23 17:13:22 [debug] 26234#0: *1742 http script var: "/www/htdocs/prod/releases/20140923124417/web"
2014/09/23 17:13:22 [debug] 26234#0: *1742 http script var: "/index.php"
2014/09/23 17:13:22 [debug] 26234#0: *1742 fastcgi param: "SCRIPT_FILENAME: /www/htdocs/prod/releases/20140923124417/web/app.php"
2014/09/23 17:13:22 [debug] 26234#0: *1742 http script copy: "DOCUMENT_ROOT"
2014/09/23 17:13:22 [debug] 26234#0: *1742 http script var: "/www/htdocs/prod/releases/20140923124417/web"
2014/09/23 17:13:22 [debug] 26234#0: *1742 fastcgi param: "DOCUMENT_ROOT: /www/htdocs/prod/releases/20140923124417/web"
2014/09/23 17:13:22 [debug] 26234#0: *1742 http script copy: "APPLICATION_ENV"
To make it work I have to run a
php-fpm reload
but I'm losing some requests.
'recv() failed (104: Connection reset by peer) while reading response header from upstream'
This is the nginx file I'm using:
server {
    listen 26023;
    server_name prod.example.com;
    client_max_body_size 20m;
    client_header_timeout 1200;
    client_body_timeout 1200;
    send_timeout 1200;
    keepalive_timeout 1200;
    access_log /var/logs/prod/nginx/prod.access.log main;
    error_log /var/logs/prod/nginx/prod.error.log;
    set $root_location /var/www/htdocs/prod/current/web;
    root $root_location;
    try_files $uri $uri/ /index.php?$args;
    index index.php;
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm/prod.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_connect_timeout 1200;
        fastcgi_send_timeout 1200;
        fastcgi_read_timeout 1200;
        fastcgi_ignore_client_abort on;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_param APPLICATION_ENV live;
        fastcgi_param HTTPS $thttps;
    }
}
This is the pool conf:
:~$ curl http://127.0.0.1/fpm_status_prod
pool: prod
process manager: dynamic
start time: 23/Sep/2014:22:42:34 +0400
start since: 1672
accepted conn: 446
listen queue: 0
max listen queue: 0
listen queue len: 0
idle processes: 49
active processes: 1
total processes: 50
max active processes: 2
max children reached: 0
slow requests: 0
Any suggestion?
I fixed the issue: I was also using APC for the classloader and it wasn't cleared.