harshavmb

Reputation: 3902

Apache redirecting a redirect from http to https

I've tried different Apache configurations but somehow couldn't crack this. I'm forcefully redirecting all URLs from http to https using Redirect permanent / https://jenkins.example.net/

However, there is a problem, as one of the source URLs has the /redirect string appended at the end. I learnt that Apache CANNOT redirect a redirect. Since the source URL has the redirect string in it, it's not redirecting again to https and results in a 404 page.

This is my virtualhost configuration.

<VirtualHost *:80>

   ServerName jenkins.example.net

   # Redirects traffic to https
   RewriteEngine On

   RewriteRule ^(.*)/redirect /$1 [L,NC]

   Redirect permanent / https://jenkins.example.net/

</VirtualHost>

<VirtualHost *:443>

   proxyRequests                 Off

   ProxyPreserveHost             On

   AllowEncodedSlashes NoDecode

   ProxyPass        / http://127.0.0.1:8080/ nocanon

   ProxyPassReverse / http://127.0.0.1:8080/

   ServerName jenkins.example.net

   ErrorLog /etc/ssl/error_log

   SSLEngine on

   SSLCertificateFile /etc/ssl/certs/fopjenkins.pem

   SSLCertificateKeyFile /etc/ssl/certs/fopjenkins.key

   RequestHeader set X-Forwarded-Proto "https"

   RequestHeader set X-Forwarded-Port "443"

</VirtualHost>

I tried the above RewriteRule to strip off /redirect from the URL but it's not working.

Any help would be highly appreciated.

Additional details (debug output of curl):

[root@rhel-7 ~]# curl -v http://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
* About to connect() to jenkins.example.net port 80 (#0)
*   Trying 10.10.11.210...
* Connected to jenkins.example.net (10.10.11.210) port 80 (#0)
> GET /job/STUFOP/job/deploy_os/job/master/5/display/redirect HTTP/1.1
> User-Agent: curl/7.29.0
> Host: jenkins.example.net
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 13 Aug 2019 07:52:00 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
< Location: https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
< Content-Length: 298
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect">here</a>.</p>
</body></html>
* Connection #0 to host jenkins.example.net left intact

curl -vL debug output:

[root@rhel-7 ~]# curl -vL http://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
* About to connect() to jenkins.example.net port 80 (#0)
*   Trying 10.10.11.210...
* Connected to jenkins.example.net (10.10.11.210) port 80 (#0)
> GET /job/STUFOP/job/deploy_os/job/master/5/display/redirect HTTP/1.1
> User-Agent: curl/7.29.0
> Host: jenkins.example.net
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 13 Aug 2019 07:58:15 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
< Location: https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
< Content-Length: 298
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host jenkins.example.net left intact
* Issue another request to this URL: 'https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect'
* Found bundle for host jenkins.example.net: 0x986fd0
* About to connect() to jenkins.example.net port 443 (#1)
*   Trying 10.10.11.210...
* Connected to jenkins.example.net (10.10.11.210) port 443 (#1)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:*       
*       start date: Jul 16 06:42:46 2019 GMT
*       expire date: Jul 15 06:42:46 2021 GMT
*       common name: jenkins.example.net
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 1
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[root@rhel-7 ~]# echo $?
60

Upvotes: 2

Views: 1215

Answers (2)

Lety

Reputation: 2603

Probably your branch contains /, so your URL is STUFOP%2Fdeploy_toolchain. Apache encodes such a URL and the final result is STUFOP%252Fdeploy_toolchain.

Try this configuration for the non-secure virtualhost:

<VirtualHost *:80>
   ServerName jenkins.example.net
   # this prevents encoding
   AllowEncodedSlashes on
   Redirect permanent / https://jenkins.example.net/
</VirtualHost>

This configuration should avoid encoding and, according to the Redirect Request to SSL Apache wiki page, all requests are redirected to the secure virtualhost.

In the secure virtualhost, try this configuration:

<VirtualHost *:443>

   ServerName jenkins.example.net

   AllowEncodedSlashes on

   proxyRequests                 Off
   ProxyPreserveHost             On
   ProxyPassMatch "^/(.*)/redirect$" "http://127.0.0.1:8080/$1"
   ProxyPass        / http://127.0.0.1:8080/ nocanon 
   ProxyPassReverse / http://127.0.0.1:8080/

   ErrorLog /etc/ssl/error_log

   SSLEngine on 
   SSLCertificateFile /etc/ssl/certs/fopjenkins.pem 
   SSLCertificateKeyFile /etc/ssl/certs/fopjenkins.key 
   RequestHeader set X-Forwarded-Proto "https" 
   RequestHeader set X-Forwarded-Port "443"

</VirtualHost> 

This configuration should avoid encoding and use ProxyPassMatch to manipulate the URL.

Here are some useful links that I've used: %2F slash encoding issues, encode URL wihthin URL - apache mod-proxy (ProxyPass), %2F slash encoding issues #399, htaccess howto rewrite an encoded slash in url

Upvotes: 1
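
An added example, not part of the question or of either answer: a shell check over a saved `curl -v` transcript that confirms the port-80 redirect keeps the scheme upgrade, host and path intact (a `%2F` turning into `%252F` shows up as `path-changed`) and reports any curl error from the follow-up hop, such as the exit code 60 seen in the question. The function names and both transcripts are constructed for illustration.

```shell
#!/usr/bin/env bash
# Classify the first hop of a saved `curl -v` / `curl -vL` transcript read on stdin.
# Prints one of: no-redirect | not-https | host-changed | path-changed |
#                redirect-ok | redirect-ok-curl-exit-<N>
check_redirect() {
  awk '
    { sub(/\r$/, "") }                        # curl -v header lines end in CR
    $1 == ">" && $2 == "GET"                { if (path == "") path = $3 }
    $1 == ">" && tolower($2) == "host:"     { if (host == "") host = tolower($3) }
    $1 == "<" && $2 ~ /^HTTP\//             { if (status == "") status = $3 }
    $1 == "<" && tolower($2) == "location:" { if (loc == "") loc = $3 }
    $1 == "curl:" && $2 ~ /^\([0-9]+\)$/    { err = substr($2, 2, length($2) - 2) }
    END {
      if (status !~ /^30[1278]$/)      { print "no-redirect"; exit }
      if (index(loc, "https://") != 1) { print "not-https";   exit }
      rest  = substr(loc, 9)                  # text after the https scheme prefix
      slash = index(rest, "/")
      lhost = tolower(slash ? substr(rest, 1, slash - 1) : rest)
      lpath = slash ? substr(rest, slash) : "/"
      if (lhost != host) { print "host-changed"; exit }
      if (lpath != path) { print "path-changed"; exit }   # e.g. %2F became %252F
      print (err == "" ? "redirect-ok" : "redirect-ok-curl-exit-" err)
    }'
}

# Constructed sample 1: the question's curl -vL run, trimmed to the relevant lines.
sample_question() { cat <<'EOF'
> GET /job/STUFOP/job/deploy_os/job/master/5/display/redirect HTTP/1.1
> Host: jenkins.example.net
< HTTP/1.1 301 Moved Permanently
< Location: https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
curl: (60) Peer's Certificate issuer is not recognized.
EOF
}

# Constructed sample 2: an encoded slash that gets re-encoded in the Location header.
sample_double_encoded() { cat <<'EOF'
> GET /job/STUFOP%2Fdeploy_toolchain/display/redirect HTTP/1.1
> Host: jenkins.example.net
< HTTP/1.1 301 Moved Permanently
< Location: https://jenkins.example.net/job/STUFOP%252Fdeploy_toolchain/display/redirect
EOF
}

sample_question | check_redirect
sample_double_encoded | check_redirect
```

On a live host, feed it the output of `curl -v <url> 2>&1`; a `redirect-ok-curl-exit-60` result means the 301 was correct and the HTTPS request stopped at certificate verification before reaching the backend.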

Tarun Lalwani

Reputation: 146630

I am assuming that your https redirect is happening first and then on https the /redirect becomes a 404.

The easiest fix would be to add RewriteRule ^(.*)/redirect /$1 [L,NC] to the <VirtualHost *:443> block, just to make sure that such a URL goes back to home.

Upvotes: 0
