tags:

views:

36

answers:

1
Q: 

redirect an internal IP from HTTP to HTTPS with Apache

Hey all- I have looked this up on here and Google but none of the suggestions seem to be working for me. I'm working on an internal site at this point so the endpoints are IPs vs URLs. Accessing the site via HTTPS works, but HTTP just says "Cannot establish a connection". I can't seem to find anything in the logs that explains why. I have warnings about my cert since it is self signed but I don't think that is causing it. I have tried a rewrite and a redirect both separately with no luck. I have them both commented out below, but I have tried one or the other on.

#<VirtualHost *:80>
#    RewriteEngine On
#    RewriteCond %{HTTPS} off
#    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
#</VirtualHost>
<VirtualHost *:443>
    ServerName 192.168.xxx.xxx
    ProxyRequests Off
    ProxyPreserveHost On
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>
#Redirect permanent http://192.168.xxx.xxx https://192.168.xxx.xxx

This is the error_log of a request. The rewrite_log remains empty.

[Wed Sep 29 17:22:17 2010] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Sep 29 17:22:17 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Sep 29 17:22:17 2010] [info] Init: Seeding PRNG with 256 bytes of entropy
[Wed Sep 29 17:22:17 2010] [notice] SSL FIPS mode disabled
[Wed Sep 29 17:22:17 2010] [info] Loading certificate & private key of SSL-aware server
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Wed Sep 29 17:22:17 2010] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Sep 29 17:22:17 2010] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Sep 29 17:22:17 2010] [info] Init: Initializing (virtual) servers for SSL
[Wed Sep 29 17:22:17 2010] [info] Configuring server for SSL protocol
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_init.c(792): Configuring RSA server certificate
[Wed Sep 29 17:22:17 2010] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Sep 29 17:22:17 2010] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_init.c(831): Configuring RSA server private key
[Wed Sep 29 17:22:17 2010] [info] mod_ssl/2.2.16 compiled against Server: Apache/2.2.16, Library: OpenSSL/1.0.0a-fips
[Wed Sep 29 17:22:17 2010] [notice] Digest: generating secret for digest authentication ...
[Wed Sep 29 17:22:17 2010] [notice] Digest: done
[Wed Sep 29 17:22:17 2010] [debug] util_ldap.c(1990): LDAP merging Shared Cache conf: shm=0x1df29a8 rmm=0x1df29d8 for VHOST: 192.168.xxx.xxx
[Wed Sep 29 17:22:17 2010] [debug] util_ldap.c(1990): LDAP merging Shared Cache conf: shm=0x1df29a8 rmm=0x1df29d8 for VHOST: jira.test.com
[Wed Sep 29 17:22:17 2010] [debug] util_ldap.c(1990): LDAP merging Shared Cache conf: shm=0x1df29a8 rmm=0x1df29d8 for VHOST: jira.test.com
[Wed Sep 29 17:22:17 2010] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Wed Sep 29 17:22:17 2010] [info] LDAP: SSL support available
[Wed Sep 29 17:22:17 2010] [info] Init: Seeding PRNG with 256 bytes of entropy
[Wed Sep 29 17:22:17 2010] [notice] SSL FIPS mode disabled
[Wed Sep 29 17:22:17 2010] [info] Loading certificate & private key of SSL-aware server
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Wed Sep 29 17:22:17 2010] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Sep 29 17:22:17 2010] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Sep 29 17:22:17 2010] [debug] ssl_scache_shmcb.c(253): shmcb_init allocated 512000 bytes of shared memory
[Wed Sep 29 17:22:17 2010] [debug] ssl_scache_shmcb.c(272): for 511952 bytes (512000 including header), recommending 32 subcaches, 133 indexes each
[Wed Sep 29 17:22:17 2010] [debug] ssl_scache_shmcb.c(306): shmcb_init_memory choices follow
[Wed Sep 29 17:22:17 2010] [debug] ssl_scache_shmcb.c(308): subcache_num = 32
[Wed Sep 29 17:22:17 2010] [debug] ssl_scache_shmcb.c(310): subcache_size = 15996
[Wed Sep 29 17:22:17 2010] [debug] ssl_scache_shmcb.c(312): subcache_data_offset = 2144
[Wed Sep 29 17:22:17 2010] [debug] ssl_scache_shmcb.c(314): subcache_data_size = 13852
[Wed Sep 29 17:22:17 2010] [debug] ssl_scache_shmcb.c(316): index_num = 133
[Wed Sep 29 17:22:17 2010] [info] Shared memory session cache initialised
[Wed Sep 29 17:22:17 2010] [info] Init: Initializing (virtual) servers for SSL
[Wed Sep 29 17:22:17 2010] [info] Configuring server for SSL protocol
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_init.c(792): Configuring RSA server certificate
[Wed Sep 29 17:22:17 2010] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Sep 29 17:22:17 2010] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Wed Sep 29 17:22:17 2010] [debug] ssl_engine_init.c(831): Configuring RSA server private key
[Wed Sep 29 17:22:17 2010] [info] mod_ssl/2.2.16 compiled against Server: Apache/2.2.16, Library: OpenSSL/1.0.0a-fips
[Wed Sep 29 17:22:17 2010] [error] avahi_entry_group_add_service_strlst("192.168.xxx.xxx") failed: Invalid host name
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 6661 for worker proxy:reverse
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 6660 for worker proxy:reverse
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 6660 for (*)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 6660 for worker http://localhost:8080/
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 6660 for (localhost)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 6662 for worker proxy:reverse
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 6661 for (*)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 6663 for worker proxy:reverse
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 6661 for worker http://localhost:8080/
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker http://localhost:8080/ already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 6663 for (*)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 6663 for worker http://localhost:8080/
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 6661 for (localhost)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker http://localhost:8080/ already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 6663 for (localhost)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 6662 for (*)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 6662 for worker http://localhost:8080/
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker http://localhost:8080/ already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 6662 for (localhost)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 6664 for worker proxy:reverse
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 6664 for (*)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 6664 for worker http://localhost:8080/
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker http://localhost:8080/ already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 6664 for (localhost)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 6665 for worker proxy:reverse
[Wed Sep 29 17:22:17 2010] [notice] Apache/2.2.16 (Unix) DAV/2 mod_ssl/2.2.16 OpenSSL/1.0.0a-fips configured -- resuming normal operations
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Wed Sep 29 17:22:17 2010] [info] Server built: Jul 27 2010 15:58:08
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 6665 for (*)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 6665 for worker http://localhost:8080/
[Wed Sep 29 17:22:17 2010] [debug] prefork.c(1013): AcceptMutex: sysvsem (default: sysvsem)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker http://localhost:8080/ already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 6665 for (localhost)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 6666 for worker proxy:reverse
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 6666 for (*)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 6666 for worker http://localhost:8080/
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 6667 for worker proxy:reverse
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker http://localhost:8080/ already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 6667 for (*)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 6666 for (localhost)
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 6667 for worker http://localhost:8080/
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1837): proxy: worker http://localhost:8080/ already initialized
[Wed Sep 29 17:22:17 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 6667 for (localhost)
A: 

If your first section of that file is commented out, Apache doesn't have any config telling it to listen on port 80 (http).

You need both sites running so that both will give you a response (even if the HTTP response is just "go to HTTPS")

Gareth  2010-09-29 23:01:38
Sorry, I see that you deliberately commented the code out above. What happens when you have both VirtualHost sections uncommented? Does the HTTP request fail, or does it redirect to the HTTPS page, which fails?
Gareth  2010-09-29 23:05:17
When both VirtualHost sections are uncommented HTTPS resolves fine; the HTTP address returns `Firefox can't establish a connection to the server`. Above these sections I have `NameVirtualHost *:80` and`NameVirtualHost *:443`.
Dustin  2010-09-29 23:37:39
Is there a log I can check to see if the request was recieved by Apache and if the rewrite took place? I don't see this in any of the files in the httpd/logs directory.
Dustin  2010-09-29 23:49:15
Here is a dump of error.log after one request to HTTP and loglevel set to `debug` .... hmmm ... i will have to put it below in an answer
Dustin  2010-09-30 00:27:21
Is the `Listen` directive also enabled on port 80 (possibly in a different configuration file)?
Bruno  2010-09-30 10:19:34
It was commented out. Now that I've uncommented `Listen *:80` it's working! Thank you. I though the `<VirtualHost *:80>` block would implicitly set up listening on port 80?? Is that not how it works? I'd like to mark your comment as the answer.
Dustin  2010-09-30 17:28:50

related questions

How do I add a MIME type to .htaccess?
Difference between the Apache HTTP Server and Apache Tomcat?
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Cleanest & Fastest server setup for Django
Installing Apache Web Server on 64 Bit Mac
Running Apache alongside another web server?
Algorithm behind MD5Crypt
Can you compile Apache HTTP Server and redeploy its binaries to a different location ?
mod_rewrite rule to redirect all requests except for one specific path
How do I create a self signed SSL certificate to use while testing a web app.
Software for Webserver Log Analysis?
What is the difference between an endpoint, a service, and a port when working with webservices?
What are the proper permissions for an upload folder with PHP/Apache?
mod_rewrite to alias one file suffix type to another
How do you redirect HTTPS to HTTP?
Using mod_rewrite to Mimic SSL Virtual Hosts?
User authentication on Resin webserver
How do you set up Python scripts to work in Apache 2.0?
Block user access to internals of a site using HTTP_REFERER
.htaccess directives to *not* redirect certain URLs
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP