This is a discussion on Apache-SSL 2.0.45: redirect changes URL from https:... to http://server...:443/.. which fails within the Linux Web Servers forums, part of the Web Server and Related Forums category.

Hello,

we're experiencing a strange problem with apache. I know this at first glance looks almost like "FAQ", but it isn't, we've spent days looking through all docu, FAQs, googled groups and the web... to no avail.

We've successfully set up the server to listen both on 80 and an SSL version on 443. At some time later we will have some pages served via 80 (non-secure) and some pages only after certificate based authentication via SSL. At the moment everything works both on http://... and https://...

We first had everything working via normal port 80. Then we configured SSL and set up a VirtualHost for that. So far so fine. Everything seemed to work, including the certificate based authentication.

However if any of the Web-pages issues a "redirect" on the secure server side, e.g. after a login on https://host.sub.domain.com/umufasel/login.jsp, the web-browser is redirected to

http://host.sub.domain.com:443/umufasel/index.jsp

instead of

https://host.sub.domain.com/umufasel/index.jsp

This of course then fails as the browser tries to speak http while on 443 https is waiting and SSL can't decrypt.

It can't be obvious stuff like missing "-D SSL" when starting apache or missing certificate. Not triple, but 100 times checked. https protocol really works. It's just the redirect that somehow generates a wrong URL and sends it to the browser.

Also be assured, that the JSP pages where this happens DO use relative URL. They do not specify the crappy URL hardcoded.
(e.g.: response.sendRedirect(response.encodeRedirectURL(" ../index.jsp") )

I've already browsed/searched both on apache and the rest of the web with google. However I've not been able to solve the problem. All the hints I get describing exactly this problem are related to Tomcat/Jakarta. Well, I followed their hints, but most of the Tomcat cases are relevant when using Tomcat standalone, but in our case we use Tomcat via Apache, so those solutions do not apply.

I have no clue where the new, redirected, URL is generated and how it can get so strangely wrong. I've put debugging in Tomcat and apache on debug, but I can't find a clue in the logfile.

We thought of a workaround using redirect or rewrite. Unfortunately rewrite doesn't help, as the browser tries to speak HTTP to the server via port 443, but the SSL handshake fails of course on such a low level, that apache does not even get the request, so that rewrite does not fire.

Any ideas?

I stripped the comments from httpd.conf and ssl.conf (which is included by httpd.conf) and included both below. I also included mod_jk.conf, which is also included by httpd.conf.

What did we overlook? We're lost!

Thanks in advance for any hint!

Herbert

httpd.conf: (almost complete, just removed definitely unrelated stuff)
-----------
ServerRoot "/opt/hpws/apache"
PidFile logs/httpd.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
Listen 80
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule auth_anon_module modules/mod_auth_anon.so
LoadModule auth_dbm_module modules/mod_auth_dbm.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule echo_module modules/mod_echo.so
LoadModule charset_lite_module modules/mod_charset_lite.so
LoadModule cache_module modules/mod_cache.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule case_filter_module modules/mod_case_filter.so
LoadModule case_filter_in_module modules/mod_case_filter_in.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
<IfDefine SSL>
    LoadModule ssl_module modules/mod_ssl.so
</IfDefine>
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule info_module modules/mod_info.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule cgid_module modules/mod_cgid.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule php4_module modules/libphp4.so
User www
Group other
ServerAdmin www@host.sub.domain.com
ServerName host.sub.domain.com
UseCanonicalName Off
DocumentRoot "/web/prod"
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/web/prod">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
DirectoryIndex index.html index.html.var index.php index.cgi
AccessFileName .htaccess
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
TypesConfig conf/mime.types
DefaultType text/plain
<IfModule mod_mime_magic.c>
    MIMEMagicFile conf/magic
</IfModule>
HostnameLookups Off
ErrorLog logs/error_log
LogLevel info
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog logs/access_log common
ServerTokens Full
ServerSignature On
Alias /icons/ "/opt/hpws/apache/icons/"
<Directory "/opt/hpws/apache/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Alias /licsign/ /web/prod/licsign/
<Directory "/web/prod/licsign">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Alias /manual "/opt/hpws/apache/manual"
<Directory "/opt/hpws/apache/manual">
    Options Indexes FollowSymLinks MultiViews IncludesNoExec
    AddOutputFilter Includes html
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
ScriptAlias /cgi-bin/ "/web/prod/cgi-bin/"
<IfModule mod_cgid.c>
    Scriptsock logs/cgisock
</IfModule>
<Directory "/web/prod/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
IndexOptions FancyIndexing VersionSort
<Files *.php>
    SetOutputFilter PHP
    SetInputFilter PHP
</Files>
<IfModule mod_alias.c>
    # Allows access to hp_docs from a browser
    # use http://yourserver.com/hp_docs
    # To prevent access, comment the following lines out.
    Alias /hp_docs "/opt/hpws/hp_docs"
    <Directory "/opt/hpws/hp_docs">
        AddHandler cgi-script .cgi
        Options ExecCGI FollowSymLinks MultiViews Indexes
        Order allow,deny
        Allow from all
    </Directory>
</IfModule>
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>
Include /opt/hpws/tomcat/jk/apache2/mod_jk.conf

ssl.conf:
---------
<IfModule mod_ssl.c>
<IfDefine SSL>
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<VirtualHost _default_:443>
    DocumentRoot "/web/prod"
    ServerName host.sub.domain.com
    ServerAdmin www@host.sub.domain.com
    ErrorLog logs/https-error_log
    TransferLog logs/https-access_log
    SSLEngine on
    SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /opt/hpws/apache/conf/ssl.crt/host.crt
    SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.key/host.key
    SSLCACertificatePath /opt/hpws/apache/conf/ssl.crt
    SSLCACertificateFile /opt/hpws/apache/conf/ssl.crt/ca-bundle.crt
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +ExportCertData +StdEnvVars
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars +ExportCertData
    </Files>
    <Directory "/opt/hpws/apache/cgi-bin">
        SSLOptions +StdEnvVars +ExportCertData
    </Directory>
    <Directory "/web/prod">
        SSLOptions +ExportCertData +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>
</IfDefine>
</IfModule>

mod_jk.conf:
------------
<IfModule !mod_jk.c>
    LoadModule jk_module /opt/hpws/tomcat/jk/apache2/mod_jk.so
</IfModule>
JkWorkersFile /opt/hpws/tomcat/jk/apache2/workers.properties
JkLogFile /opt/hpws/tomcat/logs/jk.log
JkLogLevel emerg
JkExtractSSL On
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT
JkMount /licsign ajp13
JkMount /licsign/* ajp13

hnbw1@veces.bb.bawue.de (Herbert Neugebauer) writes:

> However if any of the Web-pages issues a "redirect" on the secure
> server side, e.g. after a login on

If you put together a redirect in httpd.conf or .htaccess does the same thing happen? If not I suspect a JSP bug/miscoding.

> Also be assured, that the JSP pages where this happens DO use relative
> URL. They do not specify the crappy URL hardcoded.
> (e.g.: response.sendRedirect(response.encodeRedirectURL(" ../index.jsp")
> )

If you specify an absolute URL here (probably with some sort of if statement needed to get the protocol right) does it work? Unless JSP does some sort of filtering, you should use absolute URLs for redirects anyway.

--
Chris

Hi.

This might come from an incorrect SCRIPT_URI. Here is a workaround.

RewriteRule .* - [E=SCRIPT_URI:https://%{SERVER_NAME}%{ENV:SCRIPT_URL}]

Hth,
Joachim

--
"Money is a sign of poverty."
- Iain Banks - Ein Geschenk der Kultur
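
A check for the symptom discussed in this thread, added here as an example and not part of any post: it classifies the Location header returned for an HTTPS request and flags a plain-http target that points at the TLS port. The function names, result labels and sample responses are constructed for illustration; the host and paths are the ones quoted in the first post.

```python
# Added example (not from the thread): classify a redirect issued in reply to
# an HTTPS request and flag the "http://host:443/..." symptom described above.
from urllib.parse import urljoin, urlsplit

TLS_PORTS = {443}  # assumption: the only TLS listener, as in the posted ssl.conf
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_location(raw_response):
    """Return (status_code, Location value or None) from a raw response head."""
    head = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return status, value.strip()
    return status, None


def classify_redirect(request_url, raw_response):
    """Compare the redirect target with the URL that was requested."""
    status, location = parse_location(raw_response)
    if status not in REDIRECT_CODES or location is None:
        return "not-a-redirect"
    origin = urlsplit(request_url)
    target = urlsplit(urljoin(request_url, location))  # resolves relative targets
    if origin.scheme != "https" or target.scheme == "https":
        return "ok"
    if target.hostname == origin.hostname and target.port in TLS_PORTS:
        return "http-on-tls-port"  # plain HTTP aimed at the TLS listener
    return "https-to-http-downgrade"


# Constructed sample responses; host and paths are the ones quoted in the thread.
REQUEST_URL = "https://host.sub.domain.com/umufasel/login.jsp"
BROKEN = ("HTTP/1.1 302 Found\r\n"
          "Location: http://host.sub.domain.com:443/umufasel/index.jsp\r\n\r\n")
EXPECTED = ("HTTP/1.1 302 Found\r\n"
            "Location: https://host.sub.domain.com/umufasel/index.jsp\r\n\r\n")
RELATIVE = "HTTP/1.1 302 Found\r\nLocation: index.jsp\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("broken", BROKEN), ("expected", EXPECTED), ("relative", RELATIVE)):
        print(name, "->", classify_redirect(REQUEST_URL, raw))
```

Running the same check on response heads captured at different points (for example from the browser side and from the application's own output) shows where the scheme is lost.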