[Bug 69760] New: In Apache HTTP Server 2.4.59, mod_rewrite fails to correctly match HTTPS conditions using RewriteCond %{HTTPS} on. The condition appears to evaluate to false even when the request is clearly served over HTTPS, causing unexpected 404s or skipped rewrites.

Tue, 29 Jul 2025 00:28:55 -0700 

https://bz.apache.org/bugzilla/show_bug.cgi?id=69760

            Bug ID: 69760
           Summary: In Apache HTTP Server 2.4.59, mod_rewrite fails to
                    correctly match HTTPS conditions using RewriteCond
                    %{HTTPS} on. The condition appears to evaluate to
                    false even when the request is clearly served over
                    HTTPS, causing unexpected 404s or skipped rewrites.
           Product: Apache httpd-2
           Version: 2.4.59
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_rewrite
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

After upgrading to Apache 2.4.59, we noticed mod_rewrite rules relying on
RewriteCond %{HTTPS} on no longer behave as expected. In previous versions
(e.g., 2.4.54), the same configuration worked fine.

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    RewriteEngine On
    RewriteCond %{HTTPS} on
    RewriteRule ^secure/ /secure/index.html [L]
</VirtualHost>

Observed Behavior:

Requests to https://example.com/secure/ do not trigger the rule.

The %{HTTPS} variable does not evaluate to "on" even though the request is
secure.

Expected Behavior:

The RewriteCond %{HTTPS} on should match when SSL is enabled and the request is
made via HTTPS.

Workaround Attempted:

Switching to RewriteCond %{SERVER_PORT} 443 works, indicating that HTTPS is in
fact enabled.

Tried multiple browsers, cleared caches, and tested on clean installations.

Steps to Reproduce:

Set up a clean Apache 2.4.59 server with SSL.

Enable mod_rewrite.

Apply the above RewriteCond logic.

Make an HTTPS request to a matching path.

Actual Result:
Rewrite condition fails, and the rewrite rule is skipped.

Expected Result:
Rewrite condition matches and the rule executes as expected.

Additional Info:

Verified with OpenSSL and curl that the connection is HTTPS.

This issue does not appear on Apache 2.4.54.

Affects both Linux and Windows environments.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to