Redirect https canonicals

Hi,

I have configured name-based virtual hosting with two domains.

  1. DOMAIN.COM
  2. DEV.DOMAIN.COM

I have configured the first host in ‘httpd-vhosts.conf’ exactly as follows (read the comments):

<VirtualHost *:80>
    #  ServerName is absent to default to the "main" server configuration
    #  in ‘httpd.conf’ for requests that do not match any particular virtual
    #  host listed below.
</VirtualHost>

This way ANYCRAP.DOMAIN.COM goes to a common “why are you here page.” The domains in 1-4 below are directed (and function) appropriately for:

  1. HTTP://DOMAIN.COM
  2. HTTP://WWW.DOMAIN.COM
  3. HTTP://DEV.DOMAIN.COM
  4. HTTP://WWW.DEV.DOMAIN.COM

The problem is with HTTPS://ANYCRAP.DOMAIN.COM.  I have configured ‘httpd-ssl.conf’ for DOMAIN.COM, which works fine.  

What I would like to do is have:

  1. HTTPS://DOMAIN.COM
  2. HTTPS://WWW.DOMAIN.COM

resolve to the secure pages and 

HTTPS://ANYANDALLCRAP.DOMAIN.COM

redirect to the same aforementioned “why are you here page.”

I tried using the Apache mod_rewrite module, but without success. Here is what I tried:

# if port 443 (https)
RewriteCond %{SERVER_PORT} ^443$

# if it doesn’t start with domain.com doesn’t start with www
RewriteCond %{HTTP_HOST}   !^www\.domain\.com [NC]

# and if it's not the main domain
RewriteCond %{HTTP_HOST}   !^domain\.com [NC]

# use port 80 (http)
RewriteRule %{SERVER_PORT} ^80$

# resolve requests to this file
RewriteRule (.*) /usr/local/www/vhosts/default/htdocs/index.html

Ideas?

FreeBSD 8.0-RELEASE
Apache-2.2.15_9

Files used in Apache configuration:

  • /usr/local/etc/apache22/httpd.conf
  • /usr/local/etc/apache22/extra/httpd-default.conf
  • /usr/local/etc/apache22/extra/httpd-vhosts.conf
  • /usr/local/etc/apache22/extra/httpd-ssl.conf

David,

Thanks for your help, but I think my boat is sinking and it's time to abandon ship.

No matter what rewrite code I put in any of the .conf’s, Apache always checks for the valid SSL before doing the redirect. Consequently, I always get an invalid site certificate warning. Hmmmm.

If it becomes an issue for users I may bite the bullet and buy another SSL for www.

Thanks for your time.

David,

Thanks for your reply.

Per your suggestion I changed the first vhost configuration in ‘httpd-vhosts.conf’ to read:

<VirtualHost *:80>
    # ServerName is absent to default to the "main" server configuration
    # for requests that do not match any particular virtual host
    ServerAdmin admin@jwnetsource.com
    DocumentRoot "/usr/local/www/vhosts/default/htdocs/"
    ErrorLog "/usr/local/www/vhosts/avsms.com/logs/httpd-error.log"
    CustomLog "/usr/local/www/vhosts/avsms.com/logs/httpd-access.log" combined
</VirtualHost>

According to Apache documentation leaving the ServerName out of the first definition will default to the configuration defined in ‘httpd.conf’.

FYI: ‘/usr/local/www/vhosts/default/htdocs/’ contains one file; ‘index.html’ for the “Why are you here page.”

Are you suggesting a different course of action?

Also, I had previously configured ‘httpd-vhosts.conf’ with both virtual hosts, but left that information out for the sake of brevity. See sample below:

<VirtualHost *:80>
    ServerAdmin admin@jwnetsource.com
    DocumentRoot "/usr/local/www/vhosts/DOMAIN.COM/htdocs/"
    ServerName DOMAIN.COM
    ServerAlias WWW.DOMAIN.COM
    ErrorLog "/usr/local/www/vhosts/DOMAIN.COM/logs/httpd-error.log"
    CustomLog "/usr/local/www/vhosts/DOMAIN.COM/logs/httpd-access.log" combined
</VirtualHost>

# By default Apache is configured as restrictive server.
# It will not allow end users (client) to do anything on default
# DocumentRoot.
#
# To fix this issue you need to add following lines to your
# VirtualHost configuration directives

<Directory "/usr/local/www/vhosts/DOMAIN.COM/htdocs/">
    Options -Indexes FollowSymLinks
    AllowOverride AuthConfig FileInfo
    Order allow,deny
    Allow from all
</Directory>

Sometimes what I articulate is clear as mud. I also leave the last letter of a lot of my words. Forgive me for that.

What I would like to do is have:

  1. HTTPS://DOMAIN.COM
  2. HTTPS://WWW.DOMAIN.COM

That will require TWO secure server certificates - if you’re doing this on a production server.

Oops, you're correct, let's exclude HTTPS://WWW.DOMAIN.COM

resolve to the secure pages and

HTTPS://ANYANDALLCRAP.DOMAIN.COM

That would likely NOT resolve at all so that SHOULD be a dead link.

Nope. If the user accepts the risk issued by the invalid security certificate warning it resolves to whatever page is in the URL, such as HTTPS://ANYOLECRAP.DOMAIN.COM/anyrequestedpage.html

The certificate flags HTTPS://ANYCRAP.DOMAIN.COM just fine, but if the web site visitor accepts the warning, the url will resolve to HTTPS://ANYCRAP.DOMAIN.COM, which is the same files as HTTPS://DOMAIN.COM and not the desired result.

See comments on DNS at the end.

So, if I want everything but HTTPS://DOMAIN.COM to go to the “Why are you here page” I would use the following???:

RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} !^domain\.com [NC]
RewriteRule (.*) http://DOMAIN.COM/whyareyouhear.html

Then maybe this to redirect the HTTPS://WWW.DOMAIN.COM to HTTPS://DOMAIN.COM:

RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} ^www\.domain\.com [NC]
RewriteRule (.*) https://DOMAIN.COM/

Is (.*) correct?

Which config file would you put the rewrites in:

  • /usr/local/etc/apache22/httpd.conf;
  • /usr/local/etc/apache22/extra/httpd-default.conf;
  • /usr/local/etc/apache22/extra/httpd-vhosts.conf; or
  • /usr/local/etc/apache22/extra/httpd-ssl.conf

And where in the config file would you put it?

Or, have I missed your point and you believe there is a better strategy to accomplish my objective?

Regarding DNS; I am not running named on this server. The server has only one IP and my DNS settings for DOMAIN.COM are:


Host Name     Record Type     Address 
  www              A          0.0.0.0
  @ (none)         A          0.0.0.0 
  * (other)        A          0.0.0.0 

0.0.0.0 substituted for the real IP

Everything for DOMAIN.COM resolves to the same IP.

Now, to thicken the stew a bit: HTTP://DOMAIN.COM and HTTPS://DOMAIN.COM both resolve to “/usr/local/www/vhosts/DOMAIN.COM/htdocs/”

This is only temporary during development, but I don’t see this as the problem here??? Then again, I don’t see the problem at all, so that mostly invalidates the aforementioned sentence. (:

If you got all the way to the end of this post. Wow, I’m impressed.

More ideas please.

jw,

OMG! You wrote a @#$%&* book! :eek:

If Apache says to omit the ServerName (and ServerAlias), who am I to argue?

As for the “Why are you here page,” the physical path does NO GOOD to a web browser if it’s not in any “web space.” In other words, it MUST be part of some domain/path/file set for a browser to access it (that’s why configuration files MUST be outside the webspace - for security!). That’s WHY you canNOT use a physical path in a mod_rewrite redirection.

As for secure server certificates, they are assigned to a specific (sub)domain, i.e., example.com IS DIFFERENT than www.example.com. I know that it doesn’t make (much) sense but that’s the way that certificate authorities work (unless you pay for the wildly expensive “wildcard” certificate which is good for any and all SUBdomains, too).

  1. Your English is far better than my (fill in the blank).

  2. MOST times, when asked for the time, I tend to explain how a watch is made. :lol:

In other words, no worries, mate!

Okay, that’s something useful!

Test the {HTTP_HOST} for ANYCRAP, test the {SERVER_PORT} (rather than {HTTPS} because it’s either on or null) for 443, then redirect if necessary (TO AN http:// ADDRESS) like:

RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} !^(www\.)?domain\.com [NC]
# (www\.)? allows the www subdomain to be accepted by https, too
RewriteRule .? http://DOMAIN.COM/whyareyouhear.html [R=301,L]
# WHY capture the {REQUEST_URI} string if you're not going to use it?
# NEVER forget the Last flag!
# R=301 will flag the ANYCRAP subdomain as unacceptable
# i.e., permanently redirect to DOMAIN.COM

If possible, put it in the httpd-vhosts.conf file. If not, put it in the DocumentRoot (see why specifying that is important?) of ANYCRAP.DOMAIN.COM (because that’s the domain you want to direct away from).

DNS: That’s normally handled by a daemon but, on your machine, I’d say that you MUST modify your hosts file to be able to access your VirtualName hosts - at least that’s my experience on my WinDoze box (test server - I will only use Linux boxes in the production environment).

VirtualHost: Remember, you’ll need one entry for http ( :80) and one entry for https ( :443). It makes no difference that the DocumentRoots are identical EXCEPT that you’ll need to check that {SERVER_PORT} IS 443 when you want to insist on a secure server connection (I also include that check in the secure scripts).

Regards,

DK

Actually, there are 3 domains, the default (ANYCRAP.DOMAIN.COM), and those listed in 1 & 2 in the original post.

Hi jw!

First, WELCOME to SitePoint’s Apache forum!

Second, ideas? Yes, several (embedded as follows):

Just a suggestion but you should try using the vhosts configuration to setup virtual hosts so you can put your files in a directory where they’re obviously part of a website, i.e., define their physical path in the VirtualHost setup then reference them in the redirection. If you don’t have a DNS daemon, modify your hosts file with the IP address and VirtualHost name.

Regards,

DK

jw,

Yes, if you redirect an https, that’s like waving a RED flag in front of a bull - during mating season! :eek:

Regards,

DK
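
The behaviour reported in this thread, as a small model added here (an example, not code from any poster and not Apache itself): the browser checks the certificate name during the TLS handshake, before mod_rewrite ever sees the request, so the redirect cannot suppress the warning. The regex and redirect target come from DK's rule; `CERT_NAMES`, `cert_matches`, `rewrite` and `handle` are assumed names, and the single-name certificate is an assumption based on the thread.

```python
import re

# Constructed model: the names the installed certificate covers (assumed).
CERT_NAMES = ["domain.com"]

# DK's RewriteCond from the thread; [NC] becomes re.IGNORECASE.
ALLOWED_HOST = re.compile(r"^(www\.)?domain\.com", re.IGNORECASE)
REDIRECT_TO = "http://DOMAIN.COM/whyareyouhear.html"


def cert_matches(host, cert_names=CERT_NAMES):
    """Hostname check the browser performs during the TLS handshake.

    A leading "*." in a certificate name matches exactly one left-most label.
    """
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def rewrite(port, host):
    """Return the 301 target, or None when the request is served as-is."""
    if port == 443 and not ALLOWED_HOST.search(host):
        return REDIRECT_TO
    return None


def handle(port, host):
    """Order of events for one request: TLS first, mod_rewrite second."""
    events = []
    if port == 443 and not cert_matches(host):
        events.append("certificate warning")
    target = rewrite(port, host)
    events.append("301 -> " + target if target else "served")
    return events


if __name__ == "__main__":
    # Constructed sample requests (port, Host header).
    for port, host in [(443, "domain.com"), (443, "www.domain.com"),
                       (443, "anycrap.domain.com"), (80, "anycrap.domain.com")]:
        print(port, host, handle(port, host))
```

Passing `["*.domain.com"]` as `cert_names` shows the wildcard case DK mentions: it covers one-label subdomains but not the bare `domain.com`.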