I’ve tried different apache configurations but somehow couldn’t crack this.
I’m forcefully redirecting all URLs from http to https using Redirect permanent / https://jenkins.example.net/
However, there is a problem, as one of the source URLs has the /redirect string appended at the end. I learnt that Apache CANNOT redirect a redirect. Since the source URL has the redirect string in the URL, it’s not redirecting again to https and results in a 404 page.
This is my virtualhost configuration.
<VirtualHost *:80>
    ServerName jenkins.example.net
    # Redirects traffic to https
    RewriteEngine On
    RewriteRule ^(.*)/redirect /$1 [L,NC]
    Redirect permanent / https://jenkins.example.net/
</VirtualHost>
<VirtualHost *:443>
    proxyRequests Off
    ProxyPreserveHost On
    AllowEncodedSlashes NoDecode
    ProxyPass / http://127.0.0.1:8080/ nocanon
    ProxyPassReverse / http://127.0.0.1:8080/
    ServerName jenkins.example.net
    ErrorLog /etc/ssl/error_log
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/fopjenkins.pem
    SSLCertificateKeyFile /etc/ssl/certs/fopjenkins.key
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
</VirtualHost>
I tried the above RewriteRule to strip off /redirect from the URL, but it’s not working.
Any help would be highly appreciated.
Additional details (debug output of curl):
[root@rhel-7 ~]# curl -v http://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
* About to connect() to jenkins.example.net port 80 (#0)
* Trying 10.10.11.210...
* Connected to jenkins.example.net (10.10.11.210) port 80 (#0)
> GET /job/STUFOP/job/deploy_os/job/master/5/display/redirect HTTP/1.1
> User-Agent: curl/7.29.0
> Host: jenkins.example.net
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 13 Aug 2019 07:52:00 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
< Location: https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
< Content-Length: 298
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect">here</a>.</p>
</body></html>
* Connection #0 to host jenkins.example.net left intact
curl -vL debug output:
[root@rhel-7 ~]# curl -vL http://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
* About to connect() to jenkins.example.net port 80 (#0)
* Trying 10.10.11.210...
* Connected to jenkins.example.net (10.10.11.210) port 80 (#0)
> GET /job/STUFOP/job/deploy_os/job/master/5/display/redirect HTTP/1.1
> User-Agent: curl/7.29.0
> Host: jenkins.example.net
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 13 Aug 2019 07:58:15 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
< Location: https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
< Content-Length: 298
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host jenkins.example.net left intact
* Issue another request to this URL: 'https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect'
* Found bundle for host jenkins.example.net: 0x986fd0
* About to connect() to jenkins.example.net port 443 (#1)
* Trying 10.10.11.210...
* Connected to jenkins.example.net (10.10.11.210) port 443 (#1)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:*
* start date: Jul 16 06:42:46 2019 GMT
* expire date: Jul 15 06:42:46 2021 GMT
* common name: jenkins.example.net
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 1
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@rhel-7 ~]# echo $?
60
2 Answers
I am assuming that your https redirect is happening first and then, on https, the /redirect becomes a 404.
The easiest fix would be to add RewriteRule ^(.*)/redirect /$1 [L,NC] to the <VirtualHost *:443> block, just to make sure that such a URL goes back to home.

Probably your branch contains /, so your URL is STUFOP%2Fdeploy_toolchain. Apache encodes such a URL and the final one is STUFOP%252Fdeploy_toolchain.
Try this configuration for the non-secure virtualhost:
This configuration should avoid encoding and, according to the Redirect Request to SSL Apache wiki page, all requests are redirected to the secure virtualhost.
In the secure virtualhost, try this configuration:
This configuration should avoid encoding and use ProxyPassMatch to manipulate the URL.
Here are some useful links that I’ve used: %2F slash encoding issues, encode URL wihthin URL – apache mod-proxy (ProxyPass), %2F slash encoding issues #399, htaccess howto rewrite an encoded slash in url
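
Added example, not part of either answer: a Python check that compares the path in a request with the Location header of the port-80 redirect, to tell the %2F to %252F double encoding described above apart from a decoded slash or a redirect that never reaches https. The sample path, the function names and the problem labels are constructed for illustration.

```python
import re
from urllib.parse import quote, urlsplit

# Constructed sample: a Jenkins job path whose branch name contains an encoded slash.
SAMPLE_HOST = "jenkins.example.net"
SAMPLE_PATH = "/job/STUFOP%2Fdeploy_toolchain/5/display/redirect"


def check_redirect(request_path, location, host):
    """Compare the raw request path with the Location header of the 301.

    Returns a list of problem labels; an empty list means the redirect
    went to https on the same host with the path preserved byte for byte.
    """
    problems = []
    loc = urlsplit(location)  # urlsplit keeps the path percent-encoded as sent
    if loc.scheme != "https":
        problems.append("not-https")
    if loc.hostname != host:
        problems.append("host-changed")
    if loc.path != request_path:
        if loc.path == quote(request_path, safe="/"):
            # Every '%' was escaped again: %2F became %252F.
            problems.append("double-encoded")
        elif loc.path == re.sub(r"%2[fF]", "/", request_path):
            # The encoded slash was decoded into a real path separator.
            problems.append("slash-decoded")
        else:
            problems.append("path-changed")
    return problems


def run_samples():
    """Run the check over constructed Location values, one per failure mode."""
    base = "https://" + SAMPLE_HOST
    locations = {
        "preserved": base + SAMPLE_PATH,
        "double": base + SAMPLE_PATH.replace("%2F", "%252F"),
        "decoded": base + SAMPLE_PATH.replace("%2F", "/"),
        "plain-http": "http://" + SAMPLE_HOST + SAMPLE_PATH,
    }
    return {name: check_redirect(SAMPLE_PATH, loc, SAMPLE_HOST)
            for name, loc in locations.items()}


if __name__ == "__main__":
    for name, problems in run_samples().items():
        print(f"{name:11s} {problems or 'ok'}")
```

Against a live server, the Location value would come from the `< Location:` line of `curl -v` output like the one in the question.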