Re: Listen 443 https (SSLEngine Optional - dual host)

2017-09-17 Thread Yann Ylavic
Come on, let's keep it technical once again. Personal grudges ended!

On Sun, Sep 17, 2017 at 3:20 AM, Reindl Harald  wrote:
>
>
> On 17.09.2017 at 03:07, Nick Edwards wrote:
>>
>> phpmyadmin 4.4.15 is YEARS old
>
>
> and how does that change the fact that
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61519#c1 "SERVER_PORT 80" in
> case of a https-connection is plain wrong?
>
>> we've been using 4.7 for nearly a year, 4.7.2 is current
>
>
> nice for you when you don't have to support older PHP (sync the package to a
> RHEL 7 host with PHP 5.4 - my whole own software is PHP 7.1 only with
> strict-types but that's not related to the topic at all)
>
>> this from a troll who verbally abuses the hell out of people on other
>> lists for posting similar comments using very outdated software. HAH, this
>> one's in Google for life.
>
>
> the only troll in this thread is you and nobody asked you, just because i
> have never seen anything useful on any list since you only post if you face
> something from me and otherwise you are a silent lurker everywhere!
>
>> On Sun, Sep 17, 2017 at 10:24 AM, Reindl Harald wrote:
>>
>>
>> that's even worse - phpMyAdmin 4.4.15.10 seems to handle
>> something wrong because $_SERVER['SERVER_PORT'] is wrong - and i had
>> myself some bad code using that var instead of $_SERVER['HTTPS']
>> which again led into an endless loop
>>
>> in case of phpMyAdmin it redirects to https://hostname:80/path/
>> after entering username/password - the workaround below in the config
>> file seems to solve that for now, but all in all that leaves a very
>> bad taste
>>
>> if(empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
>> {
>>   $cfg['ForceSSL'] = false;
>> }
>> else
>> {
>>   $cfg['ForceSSL'] = true;
>> }
>>
>>
>> On 14.09.2017 at 18:16, Reindl Harald wrote:
>>
>> On 14.09.2017 at 16:08, Stefan Eissing wrote:
>>
>> Ok, as I read the code a bit more, there is a tangle of
>> things that can influence port/scheme selection. But from what I
>> can see, the version in *trunk* should do the right thing
>> *iff*
>>
>> a) you use "SSLEngine *:443" instead of "Optional"
>> b) you use "ServerName xxx.yyy" *without* a port name
>>
>> then a
>> 
>> ServerName xxx.yyy
>> SSLEngine *:443
>>  ...
>> 
>>
>> should do the right thing here. Internal methods used to
>> generate Redirect Location headers, namely
>> ap_construct_url()
>> ap_get_server_port()
>> ap_http_scheme()
>> should give back the correct values for each connection and
>> also fill the Env Variables with the correct values.
>>
>>
>> what does "trunk" mean here?
>> a future 2.5/2.6/3.0 or a 2.4.x in the near future?
>>
>> within 2 weeks you need TLS on each and every host since Chrome
>> starts to warn about every page with a form tag and no TLS
>>
>> [root@srv-rhsoft:~]$ apachectl -t
>> AH00526: Syntax error on line 29 of
>> /etc/httpd/conf/sites_enabled/contentlounge.conf:
>> Argument must be On, Off, or Optional
>>
>> On 14.09.2017 at 15:46, Reindl Harald wrote:
>>
>>
>>
>> On 14.09.2017 at 15:40, Stefan Eissing wrote:
>>
>> Harald,
>> could you check if a configuration like:
>> UseCanonicalPhysicalPort on
>> in the server or vhost mitigates the problem?
>>
>>
>> it makes it even more terrible and the resulting http://
>> protocol instead of https:// on port 443 here even triggers
>> mod_security
>>
>> even if it would mitigate that issue - having ports in
>> redirect urls easily leads to a lot of other problems
>> when proxy-servers are part of the game
>>
>> [harry@srv-rhsoft:/mnt/data/downloads]$ curl --head
>> --insecure https://contentlounge/cms
>> HTTP/1.1 301 Moved Permanently
>> Date: Thu, 14 Sep 2017 13:43:06 GMT
>> X-DNS-Prefetch-Control: off
>> X-Content-Type-Options: nosniff
>> X-Response-Time: D=1561 us
>> Location: http://contentlounge:443/cms/
>> Cache-Control: max-age=0
>> Expires: Thu, 14 Sep 2017 13:43:06 GMT
>> Content-Type: text/html; charset=iso-8859-1
>>
>> On 14.09.2017 at 12:00, Reindl Harald wrote:

Re: Listen 443 https (SSLEngine Optional - dual host)

2017-09-16 Thread Reindl Harald



On 17.09.2017 at 03:07, Nick Edwards wrote:

phpmyadmin 4.4.15 is YEARS old


and how does that change the fact that 
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519#c1 "SERVER_PORT 80" 
in case of a https-connection is plain wrong?



we've been using 4.7 for nearly a year, 4.7.2 is current


nice for you when you don't have to support older PHP (sync the package 
to a RHEL 7 host with PHP 5.4 - my whole own software is PHP 7.1 only 
with strict-types but that's not related to the topic at all)


this from a troll who verbally abuses the hell out of people on other 
lists for posting similar comments using very outdated software. HAH, 
this one's in Google for life.


the only troll in this thread is you and nobody asked you, just because 
i have never seen anything useful on any list since you only post if you 
face something from me and otherwise you are a silent lurker everywhere!


On Sun, Sep 17, 2017 at 10:24 AM, Reindl Harald wrote:



that's even worse - phpMyAdmin 4.4.15.10 seems to handle
something wrong because $_SERVER['SERVER_PORT'] is wrong - and i had
myself some bad code using that var instead of $_SERVER['HTTPS']
which again led into an endless loop

in case of phpMyAdmin it redirects to https://hostname:80/path/
after entering username/password - the workaround below in the config
file seems to solve that for now, but all in all that leaves a very
bad taste

if(empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
{
  $cfg['ForceSSL'] = false;
}
else
{
  $cfg['ForceSSL'] = true;
}


On 14.09.2017 at 18:16, Reindl Harald wrote:

On 14.09.2017 at 16:08, Stefan Eissing wrote:

Ok, as I read the code a bit more, there is a tangle of
things that can influence port/scheme selection. But from what I
can see, the version in *trunk* should do the right thing *iff*

a) you use "SSLEngine *:443" instead of "Optional"
b) you use "ServerName xxx.yyy" *without* a port name

then a

    ServerName xxx.yyy
    SSLEngine *:443
     ...


should do the right thing here. Internal methods used to
generate Redirect Location headers, namely
ap_construct_url()
ap_get_server_port()
ap_http_scheme()
should give back the correct values for each connection and
also fill the Env Variables with the correct values.


what does "trunk" mean here?
a future 2.5/2.6/3.0 or a 2.4.x in the near future?

within 2 weeks you need TLS on each and every host since Chrome
starts to warn about every page with a form tag and no TLS

[root@srv-rhsoft:~]$ apachectl -t
AH00526: Syntax error on line 29 of
/etc/httpd/conf/sites_enabled/contentlounge.conf:
Argument must be On, Off, or Optional

On 14.09.2017 at 15:46, Reindl Harald wrote:



On 14.09.2017 at 15:40, Stefan Eissing wrote:

Harald,
could you check if a configuration like:
    UseCanonicalPhysicalPort on
in the server or vhost mitigates the problem?


it makes it even more terrible and the resulting http://
protocol instead of https:// on port 443 here even triggers
mod_security

even if it would mitigate that issue - having ports in
redirect urls easily leads to a lot of other problems
when proxy-servers are part of the game

[harry@srv-rhsoft:/mnt/data/downloads]$ curl --head
--insecure https://contentlounge/cms
HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Sep 2017 13:43:06 GMT
X-DNS-Prefetch-Control: off
X-Content-Type-Options: nosniff
X-Response-Time: D=1561 us
Location: http://contentlounge:443/cms/
Cache-Control: max-age=0
Expires: Thu, 14 Sep 2017 13:43:06 GMT
Content-Type: text/html; charset=iso-8859-1

On 14.09.2017 at 12:00, Reindl Harald wrote:



On 10.08.2017 at 18:22, Reindl Harald wrote:

If you want to experiment...

is already recognized

but with "SSLEngine On" and
"SSLCertificateFile" configured non-https no
longer would work


OK, figured it out


Re: Listen 443 https (SSLEngine Optional - dual host)

2017-09-16 Thread Nick Edwards
phpmyadmin 4.4.15 is YEARS old

we've been using 4.7 for nearly a year, 4.7.2 is current

this from a troll who verbally abuses the hell out of people on other lists
for posting similar comments using very outdated software. HAH, this one's
in Google for life.


On Sun, Sep 17, 2017 at 10:24 AM, Reindl Harald wrote:

>
> that's even worse - phpMyAdmin 4.4.15.10 seems to handle something
> wrong because $_SERVER['SERVER_PORT'] is wrong - and i had myself some bad
> code using that var instead of $_SERVER['HTTPS'] which again led into an
> endless loop
>
> in case of phpMyAdmin it redirects to https://hostname:80/path/ after
> entering username/password - the workaround below in the config file seems to
> solve that for now, but all in all that leaves a very bad taste
>
> if(empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
> {
>  $cfg['ForceSSL'] = false;
> }
> else
> {
>  $cfg['ForceSSL'] = true;
> }
>
>
> On 14.09.2017 at 18:16, Reindl Harald wrote:
>
>> On 14.09.2017 at 16:08, Stefan Eissing wrote:
>>
>>> Ok, as I read the code a bit more, there is a tangle of things that can
>>> influence port/scheme selection. But from what I can see, the version in *trunk*
>>> should do the right thing *iff*
>>>
>>> a) you use "SSLEngine *:443" instead of "Optional"
>>> b) you use "ServerName xxx.yyy" *without* a port name
>>>
>>> then a
>>> 
>>>ServerName xxx.yyy
>>>SSLEngine *:443
>>> ...
>>> 
>>>
>>> should do the right thing here. Internal methods used to generate
>>> Redirect Location headers, namely
>>> ap_construct_url()
>>> ap_get_server_port()
>>> ap_http_scheme()
>>> should give back the correct values for each connection and also fill the
>>> Env Variables with the correct values.
>>>
>>
>> what does "trunk" mean here?
>> a future 2.5/2.6/3.0 or a 2.4.x in the near future?
>>
>> within 2 weeks you need TLS on each and every host since Chrome starts to
>> warn about every page with a form tag and no TLS
>>
>> [root@srv-rhsoft:~]$ apachectl -t
>> AH00526: Syntax error on line 29 of /etc/httpd/conf/sites_enabled/
>> contentlounge.conf:
>> Argument must be On, Off, or Optional
>>
>>> On 14.09.2017 at 15:46, Reindl Harald wrote:



 On 14.09.2017 at 15:40, Stefan Eissing wrote:

> Harald,
> could you check if a configuration like:
>UseCanonicalPhysicalPort on
> in the server or vhost mitigates the problem?
>

 it makes it even more terrible and the resulting http:// protocol
 instead of https:// on port 443 here even triggers mod_security

 even if it would mitigate that issue - having ports in redirect urls
 easily leads to a lot of other problems when proxy-servers are part of the
 game

 [harry@srv-rhsoft:/mnt/data/downloads]$ curl --head --insecure
 https://contentlounge/cms
 HTTP/1.1 301 Moved Permanently
 Date: Thu, 14 Sep 2017 13:43:06 GMT
 X-DNS-Prefetch-Control: off
 X-Content-Type-Options: nosniff
 X-Response-Time: D=1561 us
 Location: http://contentlounge:443/cms/
 Cache-Control: max-age=0
 Expires: Thu, 14 Sep 2017 13:43:06 GMT
 Content-Type: text/html; charset=iso-8859-1

 On 14.09.2017 at 12:00, Reindl Harald wrote:
>>
>>
>>
>> On 10.08.2017 at 18:22, Reindl Harald wrote:
>>
>>> If you want to experiment...
 
 is already recognized

>>> but with "SSLEngine On" and "SSLCertificateFile" configured
>>> non-https no longer would work
>>>
>>
>> OK, figured it out
>>
>> * you need the *first* vhost with "SSLEngine On"
>> * others can have "SSLEngine optional" and listen to 80 and 443
>>
>> but there is a bug: https://bz.apache.org/bugzilla
>> /show_bug.cgi?id=61519
>>
>> if the trailing slash is missing in the url the automatic redirect to
>> the fully qualified folder-path points to http:// instead of https://
>> and that does not happen within a vhost dedicated to :443 and "SSLEngine 
>> On"
>>
>> i was trapped in an endless loop because the php script making a
>> redirect to https:// had a bug and missed the trailing / too
>>
>> 
>> DocumentRoot "/www/contentlounge"
>> ServerName contentlounge.rhsoft.net
>> SSLEngine optional
>> SSLCertificateFile "conf/ssl/rhsoft.net.pem"
>> 
>>
>> [harry@srv-rhsoft:~]$ curl --head --insecure
>> https://contentlounge/cms
>> HTTP/1.1 301 Moved Permanently
>> Date: Thu, 14 Sep 2017 09:40:27 GMT
>> X-DNS-Prefetch-Control: off
>> X-Content-Type-Options: nosniff
>> X-Response-Time: D=1311 us
>> Location: http://contentlounge/cms/
>> Cache-Control: max-age=0
>> Expires: Thu, 14 Sep 2017 09:40:27 GMT
>> Content-Type: text/html; charset=iso-8859-1
>>
>


Re: Listen 443 https (SSLEngine Optional - dual host)

2017-09-16 Thread Reindl Harald
assumption confirmed - and my connection is for sure https:// because of 
the mod_rewrite and finally HSTS


https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 updated too

phpinfo():
SERVER_PORT 80


 ServerName www.rhsoft.net
 SSLEngine Optional
 SSLUseStapling On
 SSLCertificateFile "certs/rhsoft-www.conf_rsa.pem"
 SSLCertificateFile "certs/rhsoft-www.conf_ecdsa.pem"
 
  RewriteEngine on
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
 
 
  Header always set "Strict-Transport-Security" "max-age=31536000"
 


On 17.09.2017 at 02:24, Reindl Harald wrote:


that's even worse - phpMyAdmin 4.4.15.10 seems to handle something 
wrong because $_SERVER['SERVER_PORT'] is wrong - and i had myself some 
bad code using that var instead of $_SERVER['HTTPS'] which again led 
into an endless loop


in case of phpMyAdmin it redirects to https://hostname:80/path/ after 
entering username/password - the workaround below in the config file seems 
to solve that for now, but all in all that leaves a very bad taste


if(empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
{
  $cfg['ForceSSL'] = false;
}
else
{
  $cfg['ForceSSL'] = true;
}


On 14.09.2017 at 18:16, Reindl Harald wrote:

On 14.09.2017 at 16:08, Stefan Eissing wrote:
Ok, as I read the code a bit more, there is a tangle of things that 
can influence port/scheme selection. But from what I can see, the version 
in *trunk* should do the right thing *iff*


a) you use "SSLEngine *:443" instead of "Optional"
b) you use "ServerName xxx.yyy" *without* a port name

then a

   ServerName xxx.yyy
   SSLEngine *:443
    ...


should do the right thing here. Internal methods used to generate 
Redirect Location headers, namely

ap_construct_url()
ap_get_server_port()
ap_http_scheme()
should give back the correct values for each connection and also fill 
the Env Variables with the correct values.


what does "trunk" mean here?
a future 2.5/2.6/3.0 or a 2.4.x in the near future?

within 2 weeks you need TLS on each and every host since Chrome starts 
to warn about every page with a form tag and no TLS


[root@srv-rhsoft:~]$ apachectl -t
AH00526: Syntax error on line 29 of 
/etc/httpd/conf/sites_enabled/contentlounge.conf:

Argument must be On, Off, or Optional

On 14.09.2017 at 15:46, Reindl Harald wrote:



On 14.09.2017 at 15:40, Stefan Eissing wrote:

Harald,
could you check if a configuration like:
   UseCanonicalPhysicalPort on
in the server or vhost mitigates the problem?


it makes it even more terrible and the resulting http:// protocol 
instead of https:// on port 443 here even triggers mod_security


even if it would mitigate that issue - having ports in redirect urls 
easily leads to a lot of other problems when proxy-servers are part 
of the game


[harry@srv-rhsoft:/mnt/data/downloads]$ curl --head --insecure 
https://contentlounge/cms

HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Sep 2017 13:43:06 GMT
X-DNS-Prefetch-Control: off
X-Content-Type-Options: nosniff
X-Response-Time: D=1561 us
Location: http://contentlounge:443/cms/
Cache-Control: max-age=0
Expires: Thu, 14 Sep 2017 13:43:06 GMT
Content-Type: text/html; charset=iso-8859-1

On 14.09.2017 at 12:00, Reindl Harald wrote:




On 10.08.2017 at 18:22, Reindl Harald wrote:

If you want to experiment...

is already recognized
but with "SSLEngine On" and "SSLCertificateFile" configured 
non-https no longer would work


OK, figured it out

* you need the *first* vhost with "SSLEngine On"
* others can have "SSLEngine optional" and listen to 80 and 443

but there is a bug: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519


if the trailing slash is missing in the url the automatic redirect 
to the fully qualified folder-path points to http:// instead of 
https:// and that does not happen within a vhost dedicated to :443 
and "SSLEngine On"


i was trapped in an endless loop because the php script making a 
redirect to https:// had a bug and missed the trailing / too



DocumentRoot "/www/contentlounge"
ServerName contentlounge.rhsoft.net
SSLEngine optional
SSLCertificateFile "conf/ssl/rhsoft.net.pem"


[harry@srv-rhsoft:~]$ curl --head --insecure 
https://contentlounge/cms

HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Sep 2017 09:40:27 GMT
X-DNS-Prefetch-Control: off
X-Content-Type-Options: nosniff
X-Response-Time: D=1311 us
Location: http://contentlounge/cms/
Cache-Control: max-age=0
Expires: Thu, 14 Sep 2017 09:40:27 GMT
Content-Type: text/html; charset=iso-8859-1
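
The symptom in this thread is a redirect answered over https whose Location header falls back to http:// or names the wrong port. The following is an added example (not part of the thread and not httpd code) that checks a `curl --head` response for exactly that; the sample responses are constructed from the Location lines quoted above, and the function and constant names are my own.

```python
"""Flag redirects that downgrade a TLS request (added example, not from the
thread or from httpd). Input is the requested URL and the raw response as
printed by `curl --head`; the sample responses are constructed from the
Location lines quoted in this thread."""
from __future__ import annotations
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}


def parse_head(raw: str) -> tuple[int, dict[str, str]]:
    """Split a `curl --head` response into (status code, lower-cased headers)."""
    lines = [line for line in raw.strip().splitlines() if line.strip()]
    status = int(lines[0].split()[1])          # "HTTP/1.1 301 Moved Permanently"
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(requested: str, raw_response: str) -> list[str]:
    """Return the problems found with a redirect; an empty list means it is clean.

    Findings:
      scheme-downgrade  request was https:// but Location points to http://
      port-mismatch     Location names a port that belongs to the other scheme
                        (http://host:443/ or https://host:80/, as in the thread)
      host-changed      Location sends the client to a different host
    """
    status, headers = parse_head(raw_response)
    if status not in (301, 302, 303, 307, 308):
        return []                               # not a redirect, nothing to judge
    location = headers.get("location")
    if location is None:
        return ["redirect-without-location"]
    req, dst = urlsplit(requested), urlsplit(location)
    findings: list[str] = []
    if req.scheme == "https" and dst.scheme == "http":
        findings.append("scheme-downgrade")
    if dst.port is not None and dst.port != DEFAULT_PORT.get(dst.scheme) \
            and dst.port in DEFAULT_PORT.values():
        findings.append("port-mismatch")
    if dst.hostname and dst.hostname != req.hostname:
        findings.append("host-changed")
    return findings


# Constructed samples: the two broken Location lines seen in the thread and
# the expected correct one.
RESPONSE_PORT_IN_URL = """HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Sep 2017 13:43:06 GMT
Location: http://contentlounge:443/cms/
Content-Type: text/html; charset=iso-8859-1
"""
RESPONSE_PLAIN_HTTP = """HTTP/1.1 301 Moved Permanently
Location: http://contentlounge/cms/
"""
RESPONSE_CORRECT = """HTTP/1.1 301 Moved Permanently
Location: https://contentlounge/cms/
"""

if __name__ == "__main__":
    for name, raw in [("port-in-url", RESPONSE_PORT_IN_URL),
                      ("plain-http", RESPONSE_PLAIN_HTTP),
                      ("correct", RESPONSE_CORRECT)]:
        print(name, check_redirect("https://contentlounge/cms", raw) or "ok")
```

Pipe the real `curl --head --insecure https://host/path` output into `check_redirect` from a cron job to catch a vhost that starts emitting http:// redirects after a config change.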


Re: Listen 443 https (SSLEngine Optional - dual host)

2017-09-16 Thread Reindl Harald


that's even worse - phpMyAdmin 4.4.15.10 seems to handle something 
wrong because $_SERVER['SERVER_PORT'] is wrong - and i had myself some 
bad code using that var instead of $_SERVER['HTTPS'] which again led 
into an endless loop


in case of phpMyAdmin it redirects to https://hostname:80/path/ after 
entering username/password - the workaround below in the config file seems 
to solve that for now, but all in all that leaves a very bad taste


if(empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
{
 $cfg['ForceSSL'] = false;
}
else
{
 $cfg['ForceSSL'] = true;
}


On 14.09.2017 at 18:16, Reindl Harald wrote:

On 14.09.2017 at 16:08, Stefan Eissing wrote:
Ok, as I read the code a bit more, there is a tangle of things that 
can influence port/scheme selection. But from what I can see, the version 
in *trunk* should do the right thing *iff*


a) you use "SSLEngine *:443" instead of "Optional"
b) you use "ServerName xxx.yyy" *without* a port name

then a

   ServerName xxx.yyy
   SSLEngine *:443
    ...


should do the right thing here. Internal methods used to generate 
Redirect Location headers, namely

ap_construct_url()
ap_get_server_port()
ap_http_scheme()
should give back the correct values for each connection and also fill 
the Env Variables with the correct values.


what does "trunk" mean here?
a future 2.5/2.6/3.0 or a 2.4.x in the near future?

within 2 weeks you need TLS on each and every host since Chrome starts 
to warn about every page with a form tag and no TLS


[root@srv-rhsoft:~]$ apachectl -t
AH00526: Syntax error on line 29 of 
/etc/httpd/conf/sites_enabled/contentlounge.conf:

Argument must be On, Off, or Optional

On 14.09.2017 at 15:46, Reindl Harald wrote:



On 14.09.2017 at 15:40, Stefan Eissing wrote:

Harald,
could you check if a configuration like:
   UseCanonicalPhysicalPort on
in the server or vhost mitigates the problem?


it makes it even more terrible and the resulting http:// protocol 
instead of https:// on port 443 here even triggers mod_security


even if it would mitigate that issue - having ports in redirect urls 
easily leads to a lot of other problems when proxy-servers are part 
of the game


[harry@srv-rhsoft:/mnt/data/downloads]$ curl --head --insecure 
https://contentlounge/cms

HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Sep 2017 13:43:06 GMT
X-DNS-Prefetch-Control: off
X-Content-Type-Options: nosniff
X-Response-Time: D=1561 us
Location: http://contentlounge:443/cms/
Cache-Control: max-age=0
Expires: Thu, 14 Sep 2017 13:43:06 GMT
Content-Type: text/html; charset=iso-8859-1


On 14.09.2017 at 12:00, Reindl Harald wrote:



On 10.08.2017 at 18:22, Reindl Harald wrote:

If you want to experiment...

is already recognized
but with "SSLEngine On" and "SSLCertificateFile" configured 
non-https no longer would work


OK, figured it out

* you need the *first* vhost with "SSLEngine On"
* others can have "SSLEngine optional" and listen to 80 and 443

but there is a bug: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519


if the trailing slash is missing in the url the automatic redirect 
to the fully qualified folder-path points to http:// instead of 
https:// and that does not happen within a vhost dedicated to :443 
and "SSLEngine On"


i was trapped in an endless loop because the php script making a 
redirect to https:// had a bug and missed the trailing / too



DocumentRoot "/www/contentlounge"
ServerName contentlounge.rhsoft.net
SSLEngine optional
SSLCertificateFile "conf/ssl/rhsoft.net.pem"


[harry@srv-rhsoft:~]$ curl --head --insecure https://contentlounge/cms
HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Sep 2017 09:40:27 GMT
X-DNS-Prefetch-Control: off
X-Content-Type-Options: nosniff
X-Response-Time: D=1311 us
Location: http://contentlounge/cms/
Cache-Control: max-age=0
Expires: Thu, 14 Sep 2017 09:40:27 GMT
Content-Type: text/html; charset=iso-8859-1