mod_ssl, mod_rewrite, apache2 problem.

Hi,

I am running apache2, mod_ssl, on freebsd4.9 and I am using the mod_rewrite
engine to redirect requests for http -> https.
I have this working using:

RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]

The nasty problem is that when I redirect a request for a page (e.g.
index.html) that contains an tag in the form of:



IE 6 continually complains that the page contains insecured items and
refuses to display the yellow padlock. However, an examination of my rewrite
logs indicates that the GET for the logos.gif is being redirected:


IPADDR - - [06/Apr/2004:15:26:05 --0400] init rewrite engine with requested
uri /logos.gif
IPADDR- - [06/Apr/2004:15:26:05 --0400] applying pattern '^/(.*)' to uri
'/logos.gif'
IPADDR - - [06/Apr/2004:15:26:05 --0400] RewriteCond: input=''
pattern='!=on' => matched
IPADDR - - [06/Apr/2004:15:26:05 --0400] rewrite /logos.gif ->
https://SERVER/logos.gif
IPADDR - - [06/Apr/2004:15:26:05 --0400] implicitly forcing redirect
(rc=302) with https://SERVER/logos.gif
IPADDR- - [06/Apr/2004:15:26:05 --0400] escaping https://SERVER/logos.gif
for redirect
IPADDR - - [06/Apr/2004:15:26:05 --0400] redirect to
https://SERVER/logos.gif [REDIRECT/302]

If I remove the tag from index.html, the complaints go away,
index.html is accessed using https, and the padlock appears. So it would
appear that there is an issue with the GET for the .gif

Thinking that browser might be getting confused by two redirects in a row
(the first for http://server/index.html, and the second for
http://server/logos.gif) I have tried to GET the logos.gif directly via
http://server/logos.gif. But again, even though the request is redirected to
https://server/logos.gif, the same warning message pops up and IE refuses to
display the padlock. But if I bypass mod_rewrite and GET the gif using the
URL: https://server/logos.gif, IE does not complain.

Finally, Mozilla does not complain at all!! Jeez! My inclination is to
modify the s so that they all point to a relative path name instead
of a URL but I inherited the code and this would prove onerous. Moreover, it
does not seem reasonable to me that my redirects should cause IE6 such
problems.

If anyone has some ideas on this I would be extremely grateful. I am doing
something totally stupid here?

Thanks

Aproto Simaki

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: mod_ssl, mod_rewrite, apache2 problem.

On Wed, Apr 07, 2004 at 11:36:23AM -0400, simontst wrote:
> Hi,
>
> I am running apache2, mod_ssl, on freebsd4.9 and I am using the mod_rewrite
> engine to redirect requests for http -> https.
> I have this working using:
>
> RewriteEngine on
> RewriteCond %{HTTPS} !=on

This doesn't work properly in 2.0: try %{LA-U:HTTPS} instead. Without
fixing that it's likely the rule is being applied to *all* requests, so
issuing a redirect for https://foo/bar to https://foo/bar which browsers
may do weird things for.

> RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]

Regards,

joe
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: mod_ssl, mod_rewrite, apache2 problem.

simontst wrote:

> The nasty problem is that when I redirect a request for a page (e.g.
> index.html) that contains an tag in the form of:
>
>
>
> IE 6 continually complains that the page contains insecured items and
> refuses to display the yellow padlock. However, an examination of my=20
rewrite
> logs indicates that the GET for the logos.gif is being redirected:
[snip]
>
> If I remove the tag from index.html, the complaints go away,
> index.html is accessed using https, and the padlock appears. So it wou=
ld
> appear that there is an issue with the GET for the .gif
>
> Thinking that browser might be getting confused by two redirects in a =
row
> (the first for http://server/index.html, and the second for
> http://server/logos.gif) I have tried to GET the logos.gif directly vi=
a
> http://server/logos.gif. But again, even though the request is=20
redirected to
> https://server/logos.gif, the same warning message pops up and IE=20
refuses to
> display the padlock. But if I bypass mod_rewrite and GET the gif=20
using the
> URL: https://server/logos.gif, IE does not complain.
>
> Finally, Mozilla does not complain at all!! Jeez! My inclination is to
> modify the s so that they all point to a relative path name=20
instead
I cannot verify what I'm talking about, both because you have not
provided the URLs to test (than can be solved by local testest, but no
time at the moment) and because I do not use any for of windoze, I'm
just wild gessing IE's reasonig. In a wild gess, IE is right (I hate to
say so :), though you are redirecting the request, the source for the
page it is presenting has unsecure elements, the parser does not know in
advance that the objects it will have to present to the user (your
images with absolute references), are really server by secure means, it
is asked to retrieve unsecured URLs (src=3Dhttp:), though the page
contains mixed elements. This is another example why absolute URLs shall
be avoided when asking for contents from the same server :)

--=20
------------------------------------------------------------ -------------=
--
G & S Sistemas de Informacion, S.L. | Tel=E9fono: 9 02 01 44 43
Victoriano Giralt | Land line: +34-952-207-741
Torre de San Telmo, 8 | Mobile: +34-670-332-720
E-29018 Malaga (Spain) | http://www.gssi.es/
------------------------------------------------------------ -------------=
--

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org