I have been forcing HTTPS upgrade through mod_rewrite for years on Ubuntu 18.04 LTS servers. I recently upgraded a few of these servers to Ubuntu 22.04.1 LTS to ensure the latest security and Apache versions could be used.

Everything seemed fine until I discovered that every one of the different Apache configurations that ensures http:// is always upgraded to https:// no longer works.

Here are my current configuration files. Certbot is even setting it up correctly but it doesn't work on the :80 configuration. All of the required modules are enabled.

I know mod_rewrite works because Laravel still functions. I'm completely baffled! I've tried RedirectMatch, Redirect, RewriteRule etc. Every result on Google says to do all these same things. Certbot even sets it up "correctly".

```apache
<VirtualHost *:80>
        ServerName mydomain.com.au
        ServerAdmin webmaster@mydomain.com.au

        DocumentRoot "/var/www/mydomain.com.au/public"

        ErrorLog "/var/log/apache2/mydomain.com.au-error.log"
        CustomLog "/var/log/apache2/mydomain.com.au-access.log" common

        # Not exactly needed...
        <Directory "/var/www/mydomain.com.au/public">
                DirectoryIndex index.php
                Options FollowSymLinks
                AllowOverride All
                Require all granted
        </Directory>

        RewriteEngine on
        RewriteCond %{SERVER_NAME} =mydomain.com.au
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

        # This actually works in browsers at least
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

</VirtualHost>

<VirtualHost *:443>
        ServerName mydomain.com.au
        ServerAdmin webmaster@mydomain.com.au

        DocumentRoot "/var/www/mydomain.com.au/public"

        Header unset Upgrade
        # AWS ELB runs HTTP/2
        # (comment kept on its own line: Apache does not allow a trailing comment on a directive line)
        Protocols http/1.1

        ErrorLog "/var/log/apache2/mydomain.com.au-error.log"
        CustomLog "/var/log/apache2/mydomain.com.au-access.log" common

        <Directory "/var/www/mydomain.com.au/public">
                DirectoryIndex index.php
                Options FollowSymLinks
                AllowOverride All
                Require all granted
        </Directory>

        <FilesMatch "\.(php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>

        SSLEngine on
        Include /etc/letsencrypt/options-ssl-apache.conf

        SSLCertificateFile /etc/letsencrypt/live/mydomain.com.au/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com.au/privkey.pem

        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>
```

Update

I've since forced HTTPS in the Laravel project and required cookies to be only sent over secure connections which prevents any sessions from logging in. Browsers prevent forms from being sent insecurely these days too.

I'm just surprised at why the Apache HTTPS upgrade just does not work in the slightest now.

Nick Bedford
  • What happens exactly? If literally nothing happens then it perhaps suggests you are connecting to a _different_ vHost? (But how then are you seemingly browsing your site?) (Using mod_rewrite for this is certainly unnecessary. A simple mod_alias `Redirect` directive is all that's required. No need to check the `SERVER_NAME` when already in the vHost for `SERVER_NAME`. But you say you've tried that as well?) – MrWhite Mar 06 '23 at 23:59
  • @MrWhite it's definitely the correct server (there's only one and I've confirmed it). The `RewriteCond` check is put in by certbot anyway. Not even the simple `Redirect` works (placed before the Rewrite lines). I've tried it all and none of it was working. – Nick Bedford Mar 07 '23 at 00:51

0 Answers