default https site

#1 Sun, 01/04/2009 - 01:04
ronald

Hi, I have one https site with a certificate. Whenever someone types in the URL of any other domain with the https protocol (like https://globalsolidarity.eu), then he is redirected to that site (https://cvsite.info).

The https site is running on the same IP as all other sites, only on port 443 obviously.

I can understand it falls back to the default https site. However I want to change that behavior and show a standard message, something like: Please use http in the url, not https.

How can I do this?

thanks

Sun, 01/04/2009 - 04:58
andreychek

Howdy,

It sounds like you may have some mod_rewrite stuff going on in your ssl.conf.

I believe you use CentOS, correct?

What does this show:

grep -i rewrite /etc/httpd/conf.d/ssl.conf

If mod_rewrite is what's being used there, you should be able to tweak it to go to a custom page that has a message you want (or, if you preferred, to automatically redirect to the "http" URL).
-Eric

Sun, 01/04/2009 - 05:21 (Reply to #2)
ronald

grep -i rewrite /etc/httpd/conf.d/ssl.conf doesn't show anything.
I am on CentOS 5.2.

There is only one ssl site so it may defer any other site to this one as per apache default. Is that correct?

In that case I should be able to create a dummy ssl site with a default page. Better would be to redirect to the http protocol for any site.

thanks

Sun, 01/04/2009 - 10:02 (Reply to #3)
andreychek

I'm not sure which setting is doing that (and my system doesn't redirect the way yours does).

Is there any rewrite code in /etc/httpd/conf/httpd.conf?

If not, would you consider posting your ssl.conf file? Feel free to hide any actual sites or ip addresses, but I'm curious what other settings are active in there.
-Eric

Sun, 01/04/2009 - 14:03 (Reply to #4)
ronald

I'm guessing it's the Listen *:443?

<div class='quote'>#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#

LoadModule ssl_module modules/mod_ssl.so

#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen *:443

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex default

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

</div>

Tue, 01/06/2009 - 06:22 (Reply to #5)
andreychek

I'm sorry Ronald, I guess I've been stalling on a reply as I'm not sure what's doing that redirect :-)

In theory, having a *:443 wouldn't generate an actual redirect; it would just attempt to listen on all interfaces (which is actually undesirable, but probably isn't what we're looking for here).

You don't happen to have a .htaccess file in the public_html dir that may be doing that, do you?
-Eric

Sun, 06/07/2009 - 07:34 (Reply to #6)
ronald

I have the default Joomla .htaccess in there, but the 'redirect' is taking place before one reaches the https site.
I have the idea that Apache is simply delivering the first SSL site it sees. Would that be correct?

.htaccess
<div class='quote'>## Can be commented out if causes errors, see notes above.
Options +FollowSymLinks

#
# mod_rewrite in use

RewriteEngine On

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root)

# RewriteBase /

########## Begin - Joomla! core SEF Section
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$ [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#
########## End - Joomla! core SEF Section</div>
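
Added example, not part of the thread and not Virtualmin's own configuration: the "dummy SSL site" idea raised above, written for Apache 2.2 as a catch-all virtual host on port 443 that sends any unrecognised hostname back to plain http. When no ServerName or ServerAlias matches the Host header, Apache serves the first virtual host defined for that address and port, which is why the only SSL site answers for every domain. The certificate and DocumentRoot paths and the name catchall.invalid are placeholders, and the blocks assume the existing site is declared as `*:443`.

```apache
# Added example; file paths and the catch-all ServerName are placeholders,
# not values from the thread.

# Apache 2.2: enable name-based selection on the SSL port.
NameVirtualHost *:443

# 1) Catch-all. For a given address:port Apache falls back to the FIRST
#    matching <VirtualHost> when no ServerName/ServerAlias matches the
#    Host header, so this block must be loaded before the real site.
<VirtualHost *:443>
    ServerName catchall.invalid

    # The TLS handshake completes before the redirect below is sent, so
    # visitors to other domains still get a certificate-name warning.
    SSLEngine on
    SSLCertificateFile    /path/to/cvsite.info.crt
    SSLCertificateKeyFile /path/to/cvsite.info.key

    RewriteEngine On
    # Accept only a plain hostname (optional port) from the Host header.
    RewriteCond %{HTTP_HOST} ^([a-z0-9.-]+)(:[0-9]+)?$ [NC]
    RewriteRule ^(.*)$ http://%1$1 [R=302,L]
    # Anything with a missing or malformed Host header is refused.
    RewriteRule ^ - [F]
</VirtualHost>

# 2) The real HTTPS site, now matched only by its own name.
<VirtualHost *:443>
    ServerName cvsite.info
    DocumentRoot /path/to/cvsite.info/public_html
    SSLEngine on
    SSLCertificateFile    /path/to/cvsite.info.crt
    SSLCertificateKeyFile /path/to/cvsite.info.key
</VirtualHost>
```

If the existing site is declared with an explicit IP instead of `*`, use that same address in both blocks, because a virtual host with a specific address takes precedence over a wildcard one. `httpd -S` lists the parsed virtual hosts and shows which one is the default for port 443.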
