Late last week, a colleague asked me for some assistance in configuring IBM HTTP Server to "redirect" user requests from HTTP to HTTPS, but using the mod_rewrite directive.
Now I have blogged about this before: -
so this post adds to what I earlier described.
Here's the relevant entries in my httpd.conf file: -
…
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so
Listen 8080
<IfModule mod_ibm_ssl.c>
Listen 8443
<VirtualHost *:8443>
SSLEnable
</VirtualHost>
KeyFile /opt/IBM/HTTPServer/ssl/BPMPCEXT.kdb
SSLCachePortFilename /opt/IBM/HTTPServer/logsext/siddport
ScriptSock logsext/cgisock
SSLCachePortFilename /opt/IBM/HTTPServer/logsext/siddport
ScriptSock logsext/cgisock
</IfModule>
<ifModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{SERVER_PORT} ^8080$
RewriteRule ^(.*)$ https://%{SERVER_NAME}:8443/BusinessSpace/ [R=301,L]
RewriteLog logsext/rewrite.log
RewriteLogLevel 4
</ifModule>
…
Listen 8080
<IfModule mod_ibm_ssl.c>
Listen 8443
<VirtualHost *:8443>
SSLEnable
</VirtualHost>
KeyFile /opt/IBM/HTTPServer/ssl/BPMPCEXT.kdb
SSLCachePortFilename /opt/IBM/HTTPServer/logsext/siddport
ScriptSock logsext/cgisock
SSLCachePortFilename /opt/IBM/HTTPServer/logsext/siddport
ScriptSock logsext/cgisock
</IfModule>
<ifModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{SERVER_PORT} ^8080$
RewriteRule ^(.*)$ https://%{SERVER_NAME}:8443/BusinessSpace/ [R=301,L]
RewriteLog logsext/rewrite.log
RewriteLogLevel 4
</ifModule>
…
In essence, IHS will listen on port 8080 for non-SSL traffic ( I'm running IHS as a non-root user so cannot use port 80 - all non-root ports need to be >1024 ): -
Listen 8080
In addition, IHS will listen on port 8443 for SSL traffic: -
In addition, IHS will listen on port 8443 for SSL traffic: -
Listen 8443
<VirtualHost *:8443>
The rewrite rules are as follows: -
<VirtualHost *:8443>
The rewrite rules are as follows: -
RewriteCond %{SERVER_PORT} ^8080$
RewriteRule ^(.*)$ https://%{SERVER_NAME}:8443/BusinessSpace/ [R=301,L]
In other words, for any request coming in on port 8080 is automatically written to go to the URI of /BusinessSpace/ on port 8443.
RewriteRule ^(.*)$ https://%{SERVER_NAME}:8443/BusinessSpace/ [R=301,L]
In other words, for any request coming in on port 8080 is automatically written to go to the URI of /BusinessSpace/ on port 8443.
If I enter the URL of: -
http://bam8011.uk.ibm.com:8080
the URL gets rewritten and I get immediately redirected to: -
https://bam8011.uk.ibm.com:8443/mum/resources/bootstrap/login.jsp
If I was running IHS as root, then I could choose to use port 80 ( HTTP ) and port 443 ( HTTPS ). However, as we know, non-root processes cannot use ports <1024, which is why I'm using 8080 and 8443.
http://bam8011.uk.ibm.com:8080
the URL gets rewritten and I get immediately redirected to: -
https://bam8011.uk.ibm.com:8443/mum/resources/bootstrap/login.jsp
If I was running IHS as root, then I could choose to use port 80 ( HTTP ) and port 443 ( HTTPS ). However, as we know, non-root processes cannot use ports <1024, which is why I'm using 8080 and 8443.
Note that SERVER_PORT and SERVER_NAME are internal variables - in some installations, they may not be available.
I've not yet fully dug into this, but it appears to relate to the directive: -
UseCanonicalName Off
Therefore, I'm assuming that IHS merely uses what the user entered in their browser, via the host HTTP header: -
Host: bam8011.uk.ibm.com:8443
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31
DNT: 1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
I'm currently reading Chris Shiflett's blog post on this very subject: -
No comments:
Post a Comment