Complex URL Redirects

TimeHorse

Where is the HTTPS Redirection Option configured?

sean

TimeHorse Thank you! If I turned off HTTPS then it would allow both HTTP and HTTPS redirects?

No, I'm not saying that setting is causing the problem. I'm saying it lets you circumvent the problem.

I'll let you know when I've sorted out the actual problem, ie why HTTPS doesn't seems to work as a rewrite condition. In the meantime I recommend leaving the setting configured (since you are already using it) and use the rewrite example I provided.

TimeHorse Also, I was looking into cloaked forwarding and saw that most people have the forwards go through a proxy via mod_proxy. Do we have a proxy on the Apache service? Is mod_proxy installed and will this work for cloaked forwards?

You can do cloaked forwarding to HTTP URLs, but not to HTTPS URLs. Here's an example for a HTTP URL:

RewriteRule ^(.*)$ http://domain.com/$1 [P,L]

You might be able to do this for HTTPS URLs via a private stack with whatever httpd configuration it requires.

TimeHorse Where is the HTTPS Redirection Option configured?

Go to https://my.opalstack.com/domains/.
Click the Edit icon for your site in the lower section of the page.
Enable the "Encrypt All Traffic?" option.
Click "Update Site" to save the changes.

Again, I recommend leaving it enabled for now.

TimeHorse

If I leave it on, does that mean I can’t use cloaked forwarding? I will be using this for dozens of sites in the end, these are just proof of concept which I’m working on now.

sean

TimeHorse the "Encrypt All Traffic" setting is unrelated to cloaked forwarding via mod_proxy.

You cannot use cloaked forwarding via mod_proxy on our platform if the destination website (ie the other site that you are proxying to) is using HTTPS.

If the destination website is not using HTTPS, then you can use cloaked forwarding via mod_proxy.

TimeHorse

Don’t worry, I checked and my cloaks are only going to http

sean

@TimeHorse here are the correct rewrites for our platform:

RewriteEngine on

RewriteCond %{HTTP:X-Forwarded-SSL} on
RewriteCond %{HTTP_HOST} ^google\.jeffreycjacobs\.com
RewriteRule ^(.*)$ https://www.google.com/search?q=\%2b"TimeHorse" [R=302,L,NE,QSA]

RewriteCond %{HTTP:X-Forwarded-SSL} on
RewriteCond %{HTTP_HOST} ^timehorse\.jeffreycjacobs\.com
RewriteRule ^(.*)$ https://www.timehorse.com/$1 [R=302,L]

It's done this way because on our platform the SSL happens in Nginx upstream of Apache.

TimeHorse

Thank you but that's not quite what I was looking for. I want a test that allows both http and https originating via protocol traffic to google but only https traffic to go to timehorse. That is, http://timehorse.jeffreycjacobs.com/ should return an error as it's requesting an unsecured page and this rewrite rule only handles SSL traffic. The point is, I want HTTP requests to go to one page, and HTTPS to go to another. Is that possible?

Jeffrey

sean

TimeHorse I want HTTP requests to go to one page, and HTTPS to go to another. Is that possible?

Yes, the conditions to use are:

# HTTP
RewriteCond %{HTTP:X-Forwarded-SSL} !on

# HTTPS
RewriteCond %{HTTP:X-Forwarded-SSL} on

TimeHorse

I think you're missing my point. I have only on for timehorse.jeffreycjacobs.com, so that https should redirect, but http should not. However, both are currently redirecting. I add the on state but http is still allowed

sean

TimeHorse you still have the "Encrypt All Traffic?" option enabled for your site so the request is always HTTPS by the time it reaches Apache. This means it's matching "RewriteCond %{HTTP:X-Forwarded-SSL} on" and being forwarded.

If you want HTTP URLs to work then you'll need to disable the "Encrypt All Traffic?" option. That should be OK now since we've sorted out the earlier problem with the HTTPS rewrite condition.

TimeHorse

I just disabled the Encrypt all Traffic and htp://timehorse.jeffreycjacobs.com/ still went to https://www.timehorse.com/ despite the forward saying X-Forwarded-SSL on implying that !on is not allowed, and neither is off.

sean

TimeHorse I think you might have the redirect cached in your browser. When I check http://timehorse.jeffreycjacobs.com/ with curl there's no redirect:

$ curl -vL http://timehorse.jeffreycjacobs.com/
*   Trying 207.244.121.250:80...
* Connected to timehorse.jeffreycjacobs.com (207.244.121.250) port 80
> GET / HTTP/1.1
> Host: timehorse.jeffreycjacobs.com
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: nginx
< Date: Sat, 13 Jan 2024 22:02:19 GMT
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 280
< Connection: keep-alive
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
<hr>
<address>Apache Server at timehorse.jeffreycjacobs.com Port 80</address>
</body></html>
* Connection #0 to host timehorse.jeffreycjacobs.com left intact

The 403 is the expected result because directory indexes are disabled by default and there's no index.html in your app directory.

TimeHorse

I believe you may be right. I use In Private Browsing but of course that could still cache pages. I'll check again tomorrow but I think you may be right so thank you so much!

TimeHorse

I have another issue related to this if you don't mind. I have debated starting a new thread but I think as it all relates to the same issue of having everything set up before I transfer my domains and give you guys 100% DNS control, I can't seem to add sites to my forwarding site because "Unable to generate LetsEncrypt certificate. All site domains must either point to the site IP address (_ip_) or use Opalstack DNS servers."; thus, I have to move things and break my websites before I can set up my websites on OpalStack. Is that correct?

sean

TimeHorse I have to move things and break my websites before I can set up my websites on OpalStack. Is that correct?

No, that's not correct. If you have an existing SSL certificate for your site at your old host then:

Get the certificate, intermediate bundle, and key from your old host.
Add that as a new certificate in our system: https://docs.opalstack.com/user-guide/ssl-certificates/#adding-a-certificate (note the button is actually "Add Certificate", not "Upload Certificate").
Assign the certificate to your site: https://docs.opalstack.com/user-guide/sites/#editing-sites
If you'll be using our email services and/or DNS services then create your email addresses and/or DNS records.
Point your domain at us when you're ready.
Wait a couple of days for DNS propagation to complete.
After DNS propagation is complete then you can enable Let's Encrypt for the site.

TimeHorse

I decided to just turn off the let's encrypt certificate generation so I could get past that step

Thanks again, as I'll turn it on when the domains are transferred probably later today

« Previous Page Next Page »