Wednesday, January 28, 2009

https redirect

My colleagues ran into minor issues when configuring mod_ssl. I helped out and wrote them some tips that I want to {b}log.

On a vanilla RHEL5 install with httpd already running all you need to do is:

    yum install mod_ssl
    /etc/init.d/httpd restart

yum creates an ssl.conf.rpmnew file so as to not touch an existing ssl.conf, but it won't restart the service the way apt does.

If you wish to redirect all traffic to https add the following to your configuration file [0]:

    # note that Options FollowSymLinks had to be added above
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

I found the above directives from a Google search. When I added just the above I got "permission denied". So I ran a tail -f error_log and saw something like the following:

    [Wed Jan 28 05:19:27 2009] [error] [client 123.456.7.89] Options
    FollowSymLinks or SymLinksIfOwnerMatch is off which implies that
    RewriteRule directive is forbidden: /usr/lib/mailman/cgi-bin/listinfo

I then looked up FollowSymLinks in Apache's manual. I then went back and changed Options ExecCGI to Options ExecCGI FollowSymLinks and read the documentation on what this does. Since this seemed OK (the only accounts on this server are good ones) I left it.

If I hadn't looked at the logs there would have been little hope of figuring it out. I also find it's good to take the time to set up three terminals (edit conf, restart apache, tail logs) and a browser with three tabs (page being tested, manual, Google) when doing this.
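
A small lint for the failure shown in the error log above, as an added example rather than code from the original post: it flags Directory blocks that carry a RewriteRule but whose own Options line leaves out FollowSymLinks and SymLinksIfOwnerMatch. The sample configuration, the /var/www paths and the function name are constructed for illustration.

```python
import re

# Constructed sample: the first block mirrors the failing setup from the error
# log above, the second the fix, the third sets no Options and so inherits them.
SAMPLE_CONF = """\
<Directory /usr/lib/mailman/cgi-bin/>
    Options ExecCGI
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>
<Directory /var/www/fixed/>
    Options ExecCGI FollowSymLinks
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>
<Directory /var/www/inherits/>
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>
"""

# Options values that satisfy mod_rewrite's per-directory symlink requirement.
SYMLINK_OPTS = {"followsymlinks", "symlinksifownermatch", "all"}

def rewrite_blocked_dirs(conf_text):
    """Return <Directory> paths whose own absolute Options line drops symlink
    following while the block also carries a RewriteRule."""
    blocked, path, has_rule, allowed = [], None, False, True
    for line in (raw.strip() for raw in conf_text.splitlines()):
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            path, has_rule, allowed = opened.group(1), False, True
        elif path is None or line.startswith("#"):
            continue
        elif re.match(r"</Directory>", line, re.I):
            if has_rule and not allowed:
                blocked.append(path)
            path = None
        elif re.match(r"RewriteRule\b", line, re.I):
            has_rule = True
        elif re.match(r"Options\b", line, re.I):
            opts = [o.lower() for o in line.split()[1:]]
            if any(o.lstrip("+") in SYMLINK_OPTS for o in opts if o[0] != "-"):
                allowed = True
            elif any(o[0] not in "+-" for o in opts):
                # An absolute Options line replaces whatever was inherited.
                allowed = False
            # Purely relative (+/-) lines are left unjudged in this sketch.
    return blocked

if __name__ == "__main__":
    for d in rewrite_blocked_dirs(SAMPLE_CONF):
        print("RewriteRule will be forbidden in", d)
```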

Footnotes:

[0] On RedHat the configuration file should be /etc/httpd/conf/httpd.conf. If you originally did a "yum install mailman" then it installs httpd as a dependency. If you're now securing that httpd after installing mailman the RedHat way, then add the rewrite directives to /etc/httpd/conf.d/mailman.conf.