I have two Apache servers behind a load balancer. Both servers are identical and they are used as hosts for several customers' websites. They asked me to enable https access for all websites, together with an unconditional redirect of http requests to https (so when someone selects an http link returned by a search engine, a bookmark, etc., they get the https version of it).
Since there are multiple domains, I needed a multi-domain SSL certificate. I knew that there could be problems with SNI on older browsers, so I decided to install the certificate on the load balancer and let it do the termination. Given that SSL termination is performed on the load balancer, all traffic between the load balancer and the servers is unencrypted.
So, for both http and https traffic to any website, for example www.example.com, I have just one Virtual Host, because all traffic goes via port 80:
<VirtualHost *:80>
DocumentRoot "/var/www/html/website001"
ServerName www.example.com
</VirtualHost>
Content of www.example.com website is physically located in /var/www/html/website001 folder:
Folder1
Folder2
file1.html
file2.html
index.html
.htaccess
...
Content of /var/www/html/website001/.htaccess is:
RewriteEngine on
#First block of rules
RequestHeader set X-Forwarded-Proto "http"
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
#Second block of rules
RewriteRule ^First-file$ /file1.html
RewriteRule ^Second-file$ /file2.html
The first block of rules should do the unconditional redirect from http to https for every page, while the second block should provide user-friendly URLs for file1.html and file2.html. Hence, a request for
http://www.example.com/First-file
should be rewritten to
https://www.example.com/First-file
and file1.html should be opened in the browser. Unfortunately, the second block of rules works only partially: it opens file1.html, but it doesn't rewrite the URL, which is displayed as
https://www.example.com/file1.html
When first block of rules is removed or commented out, the second block of rules works properly.
Does anyone have any idea how this can be solved?
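
A check for the behaviour the question asks for, as an added example that is not part of the original post: it parses response headers in the shape `curl -sIL` prints and reports when a redirect chain ends on a different path than the one requested, changes host, or fails to end on https. The header dump is constructed to model the reported symptom, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, urljoin

# Constructed sample: response headers in the shape `curl -sIL` prints them,
# modelling the symptom described in the post (not captured from a real server).
SAMPLE = """\
HTTP/1.1 302 Found
Location: https://www.example.com/First-file

HTTP/1.1 302 Found
Location: https://www.example.com/file1.html

HTTP/1.1 200 OK
Content-Type: text/html
"""

def parse_hops(start_url, header_dump):
    """Return every URL visited, following the Location header of each 3xx."""
    urls = [start_url]
    for block in header_dump.replace("\r\n", "\n").strip().split("\n\n"):
        lines = block.splitlines()
        status = int(lines[0].split()[1])
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        if 300 <= status < 400 and "location" in headers:
            # Location may be relative, so resolve it against the previous URL.
            urls.append(urljoin(urls[-1], headers["location"]))
    return urls

def audit(start_url, header_dump):
    """Return findings where the chain deviates from the wanted behaviour."""
    urls = [urlsplit(u) for u in parse_hops(start_url, header_dump)]
    first, last = urls[0], urls[-1]
    findings = []
    if last.scheme != "https":
        findings.append("final URL is not https")
    if any(a.scheme == "https" and b.scheme == "http" for a, b in zip(urls, urls[1:])):
        findings.append("chain downgrades from https to http")
    if any(u.hostname != first.hostname for u in urls):
        findings.append("host changed during redirect")
    if (last.path, last.query) != (first.path, first.query):
        findings.append(f"path changed: {first.path} -> {last.path}")
    return findings
```

An empty list means the chain moved the request to https and kept the friendly URL; on the constructed sample the audit reports the path change.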