
I’ve tried different Apache configurations but somehow couldn’t crack this.
I’m forcefully redirecting all URLs from http to https using Redirect permanent / https://jenkins.example.net/

However, there is a problem, as one of the source URLs has the /redirect string appended at the end. I learnt that Apache CANNOT redirect a redirect. Since the source URL has the redirect string in it, it’s not redirecting again to https and results in a 404 page.

This is my virtualhost configuration.

<VirtualHost *:80>
   ServerName jenkins.example.net

   # Redirects traffic to https
   RewriteEngine On
   RewriteRule ^(.*)/redirect /$1 [L,NC]
   Redirect permanent / https://jenkins.example.net/
</VirtualHost>

<VirtualHost *:443>
   proxyRequests                 Off
   ProxyPreserveHost             On
   AllowEncodedSlashes NoDecode
   ProxyPass        / http://127.0.0.1:8080/ nocanon
   ProxyPassReverse / http://127.0.0.1:8080/

   ServerName jenkins.example.net

   ErrorLog /etc/ssl/error_log

   SSLEngine on
   SSLCertificateFile /etc/ssl/certs/fopjenkins.pem
   SSLCertificateKeyFile /etc/ssl/certs/fopjenkins.key

   RequestHeader set X-Forwarded-Proto "https"
   RequestHeader set X-Forwarded-Port "443"
</VirtualHost>

I tried the above RewriteRule to strip off /redirect from the URL but it’s not working.

Any help would be highly appreciated.

Additional details (debug output of curl):

[root@rhel-7 ~]# curl -v http://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
* About to connect() to jenkins.example.net port 80 (#0)
*   Trying 10.10.11.210...
* Connected to jenkins.example.net (10.10.11.210) port 80 (#0)
> GET /job/STUFOP/job/deploy_os/job/master/5/display/redirect HTTP/1.1
> User-Agent: curl/7.29.0
> Host: jenkins.example.net
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 13 Aug 2019 07:52:00 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
< Location: https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
< Content-Length: 298
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect">here</a>.</p>
</body></html>
* Connection #0 to host jenkins.example.net left intact

curl -vL debug output:

[root@rhel-7 ~]# curl -vL http://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
* About to connect() to jenkins.example.net port 80 (#0)
*   Trying 10.10.11.210...
* Connected to jenkins.example.net (10.10.11.210) port 80 (#0)
> GET /job/STUFOP/job/deploy_os/job/master/5/display/redirect HTTP/1.1
> User-Agent: curl/7.29.0
> Host: jenkins.example.net
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 13 Aug 2019 07:58:15 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
< Location: https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect
< Content-Length: 298
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host jenkins.example.net left intact
* Issue another request to this URL: 'https://jenkins.example.net/job/STUFOP/job/deploy_os/job/master/5/display/redirect'
* Found bundle for host jenkins.example.net: 0x986fd0
* About to connect() to jenkins.example.net port 443 (#1)
*   Trying 10.10.11.210...
* Connected to jenkins.example.net (10.10.11.210) port 443 (#1)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:*       
*       start date: Jul 16 06:42:46 2019 GMT
*       expire date: Jul 15 06:42:46 2021 GMT
*       common name: jenkins.example.net
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 1
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[root@rhel-7 ~]# echo $?
60

2 Answers


  1. I am assuming that your https redirect is happening first, and then on https the /redirect becomes a 404.

    The easiest fix would be to add RewriteRule ^(.*)/redirect /$1 [L,NC] to the <VirtualHost *:443> block, just to make sure that such a URL goes back to home.

  2. Probably your branch contains /, so your URL is STUFOP%2Fdeploy_toolchain. Apache encodes such a URL and the final one is STUFOP%252Fdeploy_toolchain.

    Try this configuration for the non-secure virtualhost:

    <VirtualHost *:80>
       ServerName jenkins.example.net
       # this prevents encoding
       AllowEncodedSlashes on
       Redirect permanent / https://jenkins.example.net/
    </VirtualHost>
    

    This configuration should avoid encoding and, according to the Redirect Request to SSL Apache wiki page, all requests are redirected to the secure virtualhost.

    In the secure virtualhost, try this configuration:

    <VirtualHost *:443>
    
       ServerName jenkins.example.net
    
       AllowEncodedSlashes on
    
       proxyRequests                 Off
       ProxyPreserveHost             On
       ProxyPassMatch "^/(.*)/redirect$" "http://127.0.0.1:8080/$1"
       ProxyPass        / http://127.0.0.1:8080/ nocanon 
       ProxyPassReverse / http://127.0.0.1:8080/
    
       ErrorLog /etc/ssl/error_log
    
       SSLEngine on 
       SSLCertificateFile /etc/ssl/certs/fopjenkins.pem 
       SSLCertificateKeyFile /etc/ssl/certs/fopjenkins.key 
       RequestHeader set X-Forwarded-Proto "https" 
       RequestHeader set X-Forwarded-Port "443"
    
    </VirtualHost> 
    

    This configuration should avoid encoding and use ProxyPassMatch to manipulate the URL.

    Here are some useful links that I’ve used: %2F slash encoding issues, encode URL wihthin URL – apache mod-proxy (ProxyPass), %2F slash encoding issues #399, htaccess howto rewrite an encoded slash in url

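The %2F to %252F double encoding described in answer 2, as an added example that is not part of the original question or answers: Python code that models a proxy hop re-escaping an already-encoded path and then scans backend access-log lines for double-encoded slashes. The forward_path model, the function names and the log lines are assumptions constructed for illustration, not Apache's own code or output.

```python
import re
from urllib.parse import quote

# Characters the modelled hop leaves untouched. '%' is deliberately absent,
# so an existing %2F escape is escaped a second time (assumed behaviour,
# matching what the answer describes).
SAFE = "/-._~"

ENC_SLASH = re.compile(r"%((?:25)*)2f", re.IGNORECASE)
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed backend access-log lines (not taken from the page).
LOG_LINES = [
    '10.0.0.5 - - [13/Aug/2019:07:58:15 +0000] '
    '"GET /job/STUFOP/job/deploy_os/job/master/5/display/redirect HTTP/1.1" 302 -',
    '10.0.0.5 - - [13/Aug/2019:07:58:20 +0000] '
    '"GET /job/STUFOP%2Fdeploy_toolchain/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [13/Aug/2019:07:58:21 +0000] '
    '"GET /job/STUFOP%252Fdeploy_toolchain/ HTTP/1.1" 404 298',
]


def forward_path(path: str, nocanon: bool) -> str:
    """Path a hypothetical proxy hop sends to the backend.

    nocanon=True passes the raw path through unchanged; otherwise the
    path is percent-escaped again, turning '%' into '%25'.
    """
    return path if nocanon else quote(path, safe=SAFE)


def slash_encoding_depth(path: str) -> int:
    """0 = no encoded slash, 1 = %2F, 2 = %252F, 3 = %25252F, ..."""
    depths = [1 + len(m.group(1)) // 2 for m in ENC_SLASH.finditer(path)]
    return max(depths, default=0)


def double_encoded_requests(lines):
    """Return (path, status) for requests whose slash was encoded twice or more."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m and slash_encoding_depth(m.group(1)) >= 2:
            hits.append((m.group(1), int(m.group(2))))
    return hits


if __name__ == "__main__":
    print(forward_path("/job/STUFOP%2Fdeploy_toolchain/", nocanon=False))
    print(double_encoded_requests(LOG_LINES))
```

A backend log entry with depth 2 or more means some hop between the client and Jenkins re-escaped the path, which is the condition to check for after changing AllowEncodedSlashes, nocanon or ProxyPassMatch settings.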