I have a nightmare setting up apache of opensuse 11.2 to correctly redirect http to https.
I need to access my mysql databases (via phpmyadmin) from the Internet. Thus:
I opened port 31028 in my firewall.
Modified Apache’s listen.conf file to listen to that:
The problem is that the redirection is not working!
When I access the site from the Internet (http://myhostname.dyndns.com:31028) I see the following error:
Bad request!
Your browser (or proxy) sent a request that
this server could not understand.
If you think this is a server error, please contact
the webmaster.
Error 400
mysql.home
Mon Apr 12 13:20:36 2010
Apache/2.2.13 (Linux/SUSE)
HI, thank you for your quick answer. I believe that it is not a solution. Because the HTTP and HTTPS have a common port. So, the solution would be to have the redirection before the SSL introduction. I try to find out if that’s possible.
Your setup is, per my understanding of SSL, invalid. You cannot do what
you want to do if you set your non-SSL port to accept SSL and I’ll try to
explain why. If you are familiar with the ISO OSI (seven-layer) model or
the TCP (five-layer) model that may help with the understanding.
In the OSI model layer four is for TCP things (ports), and layer seven is
for application things (HTTP in your case). Between these layers you have
(as I recall) two other layers… Session and Presentation (layers five
and six, respectively) and it is in here (Presentation) that SSL
technically lives. With this in mind if you tell your web service
(Apache’s httpd) to require SSL on a certain port then once the TCP
connection is established and the browser explicitly has ‘http’ at the
beginning of the URL (which it does by default even if you do not put it
there) then the next step the browser has (as it is assuming non-SSL) is
to send an application-layer (HTTP) ‘GET’ command (see the LAN trace, HTTP
headers, or httpd’s access_log for that). This reaches the web service
which is expecting some kind of handshake for the SSL/TLS side of things.
As what is expected is not what is received the web service throws an
HTTP 400 and closes the connection.
The nature of SSL/TlS is that its operation below the application layer
makes its existence completely transparent to the application layer; it
does not matter if you put one type of traffic or another over SSL/TLS,
making it completely secure, because by the time the data are sent to the
application layer they are in the application’s native format. The SSL
connection is not started with the same command as the application layer
GET command so you are bound to have an error here.
Considering this is something you are not setting up for an audience of
the entire world (or you’d be using default ports) it is probably best
that you treat this HTTP 400 as your notice that you need to remember to
type ‘https’ at the beginning of your URL. Your browser treats that as
its sign to use SSL/TLS before sending the HTTP requests and without that
it will never work properly.
Good luck.
On 04/12/2010 05:36 AM, tpe wrote:
>
> HI, thank you for your quick answer. I believe that it is not a
> solution. Because the HTTP and HTTPS have a common port. So, the
> solution would be to have the redirection before the SSL introduction. I
> try to find out if that’s possible.
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
Dear ab, thank you for your answer.
I totally agree with your notes. However, the fact that the issue exists in the application layer, it means that:
Apache should take note of the SSL handshake error, and then, since the SSL IS configured AND the redirection is in place should sent a redirect response to the client which in return will send an HTTPS request.
I will search again on the internet. I saw in some responses that apache is actually capable to use HTTP and HTTPS on the same port. If I found the answer, I will write the How-To.
I hope you find it, but the issue is not within the application layer.
SSL takes place below the Application layer and above the Transport layer
(a weird place which doesn’t exist in the TCP/IP model, but oh well)
though the issue is with the application and the protocol themselves. For
that reason you may find Apache will do this, but I’ve never seen it done.
If you have somebody going through the work of typing :31028 and then
forgetting the ‘s’ in ‘https’ then it’s likely they’ll know what they’re
doing enough to fix it. If they are not technical users but are just
following a link then there shouldn’t be a problem at all since the link
will just work. If you really want to use high ports and have it work
with 31028 on non-SSL ports why not put SSL on 31029 and have the 31028
port forward there?
Anyway, please post back what you end up doing either way.
Good luck.
On 04/12/2010 01:46 PM, tpe wrote:
>
> Dear ab, thank you for your answer.
> I totally agree with your notes. However, the fact that the issue
> exists in the application layer, it means that:
> Apache should take note of the SSL handshake error, and then, since the
> SSL IS configured AND the redirection is in place should sent a redirect
> response to the client which in return will send an HTTPS request.
>
> I will search again on the internet. I saw in some responses that
> apache is actually capable to use HTTP and HTTPS on the same port. If I
> found the answer, I will write the How-To.
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
You cannot use a common port for the two protocols because the participants do not do STARTTLS like some other protocols. Both sides have to agree that it is a HTTPS connection at the beginning.