1

I've got a website that I want to always be served in https. The site is load balanced using Apache.

The Apache load balancer is configured basically like so:

<Proxy balancer://mycluster>
   BalancerMember http://server1 route=server1
   BalancerMember http://server2 route=server2
</Proxy>

Note that all http requests are being rewritten to https requests fine using mod rewrite as well.

The thing I'd like to do is ensure that any http 302 Location headers from server 1 or server 2 are rewritten and sent as https 302 redirect headers.

e.g.

If a response from server 1 had the following as a header:

Location: http://server1/test

I'd like it to be rewritten securely as 

Location: https://server1/test

This would avoid the request being sent to the client, and the client then sending the http request, which gets rewritten to https, and would also avoid any security issues of responses being sent over http.

How can I do this?

Brad Parks
  • 713
  • 13
  • 20

2 Answers2

3

You can't do this with mod_rewrite, as that is only for requests.

Further, operating on Location is not a 100% solution (that it would be pretty high), as it won't capture things like HTTP meta-refresh (not very common these days...), or instances where the URL is generated using client-side solutions (eg. Javascript, embedded content).

Thus, the desire you propose, while useful, must be treated as an optimisation only.

There could also be sensitivities at the application-end of things. Without knowing anything your application, here are some potential things-to-consider:

  • cookie generation and the use of things like the 'secure' attribute
  • the application might have generated the URL and done some sort of crypto-signing (perhaps for SSO or authentication purposes, and rewriting it to https may invalidate the URL).... unlikely in practice, but certainly possible.

You could perhaps do this with mod_header though, which can manipulate response headers. See http://httpd.apache.org/docs/2.2/mod/mod_headers.html

Header edit Location ^http: https:

I haven't tested that at all, note that a condition can be specified before the edit keyword.

Hope it helps, Cameron

Cameron Kerr
  • 4,069
  • 19
  • 25
  • I think you're probably right in that it can be done with `mod_headers`... I'll look into it... That led me to [ProxyPassReverse](http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxypassreverse) which *might* be built specifically for doing this. – Brad Parks Sep 05 '14 at 11:54
  • 1
    No, ProxyPassReverse is not meant for that. It's used as a compliment for ProxyPass, and in my experience, is generally used whenever you use ProxyPass – Cameron Kerr Sep 06 '14 at 00:35
0

While not directly an answer to this question, the following Apache configuration change is what I used to solve the problem:

RequestHeader set X-Forwarded-Proto "https" env=HTTPS

Using this made it so the nodes in the load balancer understood to rewrite their absolute http urls to https urls when the above header was passed in.

This was implied by this ServerFault post, which ultimately led to this in the Jetty docs, which solved the problem!

Community
  • 1
Brad Parks
  • 713
  • 13
  • 20