Am 14.09.2017 um 16:08 schrieb Stefan Eissing:
Ok, as I read the code a bit more, there is a tangle of things that can 
influence port/scheme selection. But what I can see, the version in *trunk* 
should do the right thing *iff*

a) you use "SSLEngine *:443" instead of "Optional"
b) you use "ServerName xxx.yyy" *without* a port name

the a
<VirtualHost *:80 *:443>
   ServerName xxx.yyy
   SSLEngine *:443
    ...
</VirtualHost>

should do the right thing here. Internal methods used to generator Redirect 
Location headers, namely
ap_construct_url()
ap_get_server_port()
ap_http_scheme()
should give back the correct values for each connection and als fill the Env 
Variables with the correct values.

what means "trunk" here?
a future 2.5/2.6/3.0 or a 2.4.x in the near future?

within 2 weeks you need TLS on each and every host since Chrome starts to warn about every page with a form tag and no TLS

[root@srv-rhsoft:~]$ apachectl -t
AH00526: Syntax error on line 29 of /etc/httpd/conf/sites_enabled/contentlounge.conf:
Argument must be On, Off, or Optional
Am 14.09.2017 um 15:46 schrieb Reindl Harald <h.rei...@thelounge.net>:



Am 14.09.2017 um 15:40 schrieb Stefan Eissing:
Harald,
could you check if a configuration like:
   UseCanonicalPhysicalPort on
in the server or vhost mitigates the problem?

it makes it even more terrible and the resulting http:// protocol instead 
https// on port 443 here even tiggers mod_security

even if it would mitigate that issue - having ports in redirect urls easily 
leads to a lot of other problems when proxy-servers are part of the game

[harry@srv-rhsoft:/mnt/data/downloads]$ curl --head --insecure 
https://contentlounge/cms
HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Sep 2017 13:43:06 GMT
X-DNS-Prefetch-Control: off
X-Content-Type-Options: nosniff
X-Response-Time: D=1561 us
Location: http://contentlounge:443/cms/
Cache-Control: max-age=0
Expires: Thu, 14 Sep 2017 13:43:06 GMT
Content-Type: text/html; charset=iso-8859-1

Am 14.09.2017 um 12:00 schrieb Reindl Harald <h.rei...@thelounge.net>:



Am 10.08.2017 um 18:22 schrieb Reindl Harald:
If you want to experiment...
<VirtualHost IP:80 IP:443>
is already recognized
but with "SSLEngine On" and "SSLCertificateFile" configured non-https no longer 
would work

OK, figured it out

* you need the *first* vhost with "SSLEngine On"
* others can have "SSLEngine optional" and listen to 80 and 443

but there is a bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=61519

if the trailing slash is missing in the url the automatic redirect to the full qualified 
folder-path points to http:// instead https:// and that does not happen within a vhost 
dedicated to :443 and "SSLEngine On"

i was trapped in a endless loop because the php script making a redirect to 
https:// had a bug and missed the traling / too

<VirtualHost *:80 *:443>
DocumentRoot "/www/contentlounge"
ServerName contentlounge.rhsoft.net
SSLEngine optional
SSLCertificateFile "conf/ssl/rhsoft.net.pem"
</VirtualHost>

[harry@srv-rhsoft:~]$ curl --head --insecure https://contentlounge/cms
HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Sep 2017 09:40:27 GMT
X-DNS-Prefetch-Control: off
X-Content-Type-Options: nosniff
X-Response-Time: D=1311 us
Location: http://contentlounge/cms/
Cache-Control: max-age=0
Expires: Thu, 14 Sep 2017 09:40:27 GMT
Content-Type: text/html; charset=iso-8859-1

Reply via email to