[SOLVED] Forcing SSL over https


Postby DarkSnake-Kobra » 2012/01/20 07:45:32

[Moderator edit: Fix two typos in Subject. Was: "Forrcing SSL over httpq"]
I'm trying to redirect users so that when they visit my site over http they are redirected to https. However, I got SSL working, I just can't get it to force it. I'll get a bad request error.

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Hint: https://cyberstealthlabs.org/
Apache/2.2.15 (CentOS) Server at cyberstealthlabs.org Port 443


Information for general problems.
== BEGIN uname -rmi ==
2.6.32-220.2.1.el6.i686 i686 i386
== END   uname -rmi ==

== BEGIN rpm -qa \*-release\* ==
centos-release-6-2.el6.centos.7.i686
rpmforge-release-0.5.2-2.el6.rf.i686
epel-release-6-5.noarch
== END   rpm -qa \*-release\* ==

== BEGIN cat /etc/redhat-release ==
CentOS release 6.2 (Final)
== END   cat /etc/redhat-release ==

== BEGIN getenforce ==
Disabled
== END   getenforce ==

== BEGIN free -m ==
             total       used       free     shared    buffers     cached
Mem:          1250        391        858          0         60        231
-/+ buffers/cache:         99       1150
Swap:         9999          0       9999
== END   free -m ==

== BEGIN rpm -qa yum\* rpm-\* python | sort ==
python-2.6.6-29.el6.i686
rpm-build-4.8.0-19.el6.i686
rpm-libs-4.8.0-19.el6.i686
rpm-python-4.8.0-19.el6.i686
yum-3.2.29-22.el6.centos.noarch
yum-metadata-parser-1.1.2-16.el6.i686
yum-plugin-fastestmirror-1.1.30-10.el6.noarch
yum-plugin-priorities-1.1.30-10.el6.noarch
yum-plugin-security-1.1.30-10.el6.noarch
yum-utils-1.1.30-10.el6.noarch
== END   rpm -qa yum\* rpm-\* python | sort ==

== BEGIN ls /etc/yum.repos.d ==
CentOS-Base.repo
CentOS-Debuginfo.repo
CentOS-Media.repo
epel.repo
epel-testing.repo
mirrors-rpmforge
mirrors-rpmforge-extras
mirrors-rpmforge-testing
rpmforge.repo
== END   ls /etc/yum.repos.d ==

== BEGIN cat /etc/yum.conf ==
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release

#  This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
# download the new metadata and "pay" for it by yum not having correct
# information.
#  It is esp. important, to have correct metadata, for distributions like
# Fedora which don't keep old packages around. If you don't like this checking
# interupting your command line usage, it's much better to have something
# manually check the metadata once an hour (yum-updatesd will do this).
# metadata_expire=90m

# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
== END   cat /etc/yum.conf ==

== BEGIN yum repolist all ==
Loaded plugins: fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
 * base: mirror.ubiquityservers.com
 * epel: mirrors.servercentral.net
 * extras: mirror.spro.net
 * rpmforge: apt.sw.be
 * updates: mirror.team-cymru.org
repo id                repo name                                  status
base                   CentOS-6 - Base                            enabled: 4,764
c6-media               CentOS-6 - Media                           disabled
centosplus             CentOS-6 - Plus                            disabled
contrib                CentOS-6 - Contrib                         disabled
debug                  CentOS-6 - Debuginfo                       disabled
epel                   Extra Packages for Enterprise Linux 6 - i3 enabled: 5,613
epel-debuginfo         Extra Packages for Enterprise Linux 6 - i3 disabled
epel-source            Extra Packages for Enterprise Linux 6 - i3 disabled
epel-testing           Extra Packages for Enterprise Linux 6 - Te disabled
epel-testing-debuginfo Extra Packages for Enterprise Linux 6 - Te disabled
epel-testing-source    Extra Packages for Enterprise Linux 6 - Te disabled
extras                 CentOS-6 - Extras                          enabled:     3
rpmforge               RHEL 6 - RPMforge.net - dag                enabled: 4,142
rpmforge-extras        RHEL 6 - RPMforge.net - extras             disabled
rpmforge-testing       RHEL 6 - RPMforge.net - testing            disabled
updates                CentOS-6 - Updates                         enabled:   162
repolist: 14,684
== END   yum repolist all ==

== BEGIN egrep 'include|exclude' /etc/yum.repos.d/*.repo ==
== END   egrep 'include|exclude' /etc/yum.repos.d/*.repo ==

== BEGIN sed -n -e "/^\[/h; /priority *=/{ G; s/\n/ /; s/ity=/ity = /; p }" /etc/yum.repos.d/*.repo | sort -k3n ==
== END   sed -n -e "/^\[/h; /priority *=/{ G; s/\n/ /; s/ity=/ity = /; p }" /etc/yum.repos.d/*.repo | sort -k3n ==

== BEGIN cat /etc/fstab ==

#
# /etc/fstab
# Created by anaconda on Thu Jan 19 13:35:59 2012
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=f7c81bdd-96ec-4f33-8e63-9b813d66b887 /                       ext4    defaults        1 1
UUID=084a3928-f588-4a8c-bb93-58b0674cc074 /boot                   ext4    defaults        1 2
UUID=ce3d4b12-37b0-4bba-a3ee-1ccdd7e0f943 swap                    swap    defaults        0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
== END   cat /etc/fstab ==

== BEGIN df -h ==
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              27G  2.3G   24G   9% /
tmpfs                 626M     0  626M   0% /dev/shm
/dev/sda1             194M   45M  139M  25% /boot
== END   df -h ==

== BEGIN fdisk -l ==

Disk /dev/sda: 40.0 GB, 40000000000 bytes
255 heads, 63 sectors/track, 4863 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0003a68d

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          26      204800   83  Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2              26        1301    10240000   82  Linux swap / Solaris
/dev/sda3            1301        4863    28615680   83  Linux
== END   fdisk -l ==

== BEGIN blkid ==
/dev/sda1: UUID="084a3928-f588-4a8c-bb93-58b0674cc074" TYPE="ext4"
/dev/sda2: UUID="ce3d4b12-37b0-4bba-a3ee-1ccdd7e0f943" TYPE="swap"
/dev/sda3: UUID="f7c81bdd-96ec-4f33-8e63-9b813d66b887" TYPE="ext4"
== END   blkid ==

== BEGIN cat /proc/mdstat ==
Personalities :
unused devices: <none>
== END   cat /proc/mdstat ==

== BEGIN pvs ==
== END   pvs ==

== BEGIN vgs ==
  No volume groups found
== END   vgs ==

== BEGIN lvs ==
  No volume groups found
== END   lvs ==

== BEGIN rpm -qa kernel\* | sort ==
kernel-2.6.32-220.2.1.el6.i686
kernel-2.6.32-220.el6.i686
kernel-devel-2.6.32-220.2.1.el6.i686
kernel-firmware-2.6.32-220.2.1.el6.noarch
kernel-headers-2.6.32-220.2.1.el6.i686
== END   rpm -qa kernel\* | sort ==

== BEGIN lspci -nn ==
00:00.0 Host bridge [0600]: Intel Corporation 82845G/GL[Brookdale-G]/GE/PE DRAM Controller/Host-Hub Interface [8086:2560] (rev 01)
00:02.0 VGA compatible controller [0300]: Intel Corporation 82845G/GL[Brookdale-G]/GE Chipset Integrated Graphics Device [8086:2562] (rev 01)
00:1d.0 USB controller [0c03]: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #1 [8086:24c2] (rev 01)
00:1d.1 USB controller [0c03]: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #2 [8086:24c4] (rev 01)
00:1d.2 USB controller [0c03]: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #3 [8086:24c7] (rev 01)
00:1d.7 USB controller [0c03]: Intel Corporation 82801DB/DBM (ICH4/ICH4-M) USB2 EHCI Controller [8086:24cd] (rev 01)
00:1e.0 PCI bridge [0604]: Intel Corporation 82801 PCI Bridge [8086:244e] (rev 81)
00:1f.0 ISA bridge [0601]: Intel Corporation 82801DB/DBL (ICH4/ICH4-L) LPC Interface Bridge [8086:24c0] (rev 01)
00:1f.1 IDE interface [0101]: Intel Corporation 82801DB (ICH4) IDE Controller [8086:24cb] (rev 01)
00:1f.3 SMBus [0c05]: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) SMBus Controller [8086:24c3] (rev 01)
00:1f.5 Multimedia audio controller [0401]: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) AC'97 Audio Controller [8086:24c5] (rev 01)
01:05.0 Modem [0703]: Intel Corporation FA82537EP 56K V.92 Data/Fax Modem PCI [8086:1080] (rev 04)
01:09.0 Ethernet controller [0200]: Broadcom Corporation BCM4401 100Base-T [14e4:4401] (rev 01)
== END   lspci -nn ==

== BEGIN lsusb ==
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
== END   lsusb ==

== BEGIN rpm -qa kmod\* kmdl\* ==
== END   rpm -qa kmod\* kmdl\* ==

== BEGIN ifconfig -a ==
eth0      Link encap:Ethernet  HWaddr 00:0F:1F:5B:EE:A9 
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20f:1fff:fe5b:eea9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:78621 errors:0 dropped:0 overruns:0 frame:0
          TX packets:82209 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22641297 (21.5 MiB)  TX bytes:36888563 (35.1 MiB)
          Interrupt:17

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2028 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2028 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:85424 (83.4 KiB)  TX bytes:85424 (83.4 KiB)

== END   ifconfig -a ==

== BEGIN brctl show ==
bridge name   bridge id      STP enabled   interfaces
== END   brctl show ==

== BEGIN route -n ==
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
0.0.0.0         192.168.1.44    0.0.0.0         UG    0      0        0 eth0
== END   route -n ==

== BEGIN cat /etc/resolv.conf ==
; generated by /sbin/dhclient-script
nameserver 192.168.1.44
== END   cat /etc/resolv.conf ==

== BEGIN grep net /etc/nsswitch.conf ==
#networks:   nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     
netmasks:   files
networks:   files
netgroup:   nisplus
== END   grep net /etc/nsswitch.conf ==

== BEGIN chkconfig --list | grep -Ei 'network|wpa' ==
matahari-network   0:off   1:off   2:off   3:off   4:off   5:off   6:off
network           0:off   1:off   2:on   3:on   4:on   5:on   6:off
== END   chkconfig --list | grep -Ei 'network|wpa' ==

DarkSnake-Kobra
 
Posts: 27
Joined: 2011/08/06 18:23:49

Re: Forcing SSL over https

Postby TrevorH » 2012/01/20 09:40:01

You don't say what you have tried to make this work? From the error it looks like you've just put in a redirect of port 80 to 443 using something like iptables and this will not work. The way that I've done this in the past is with a mod_rewrite rule that sends a redirect back to the client.
TrevorH
Forum Moderator
 
Posts: 9147
Joined: 2009/09/24 10:40:56
Location: Brighton, UK
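
The HTTP-level redirect described in the reply above, as an added example that is not part of the original thread. `your.server.name` is a placeholder, and the iptables line is only an illustration of the kind of port redirect that produces the "Bad Request" error:

```apache
# Added example, not from the thread. Assumes a stock CentOS 6 httpd
# (Apache 2.2) with mod_rewrite and mod_ssl loaded, and an HTTPS virtual
# host on port 443 that already works when visited directly.

# Does NOT work: a packet-level port redirect such as
#   iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 443
# hands the browser's plain-HTTP bytes to the TLS listener, which answers
# "You're speaking plain HTTP to an SSL-enabled server port."

# Works: keep a plain-HTTP listener on port 80 whose only job is to send
# an HTTP redirect, so the client itself reconnects to port 443 using TLS.
<VirtualHost *:80>
    ServerName your.server.name

    RewriteEngine On
    # Only rewrite requests that did not arrive over TLS.
    RewriteCond %{HTTPS} !=on
    # Redirect to a fixed host name instead of echoing the client's Host
    # header. Use R=302 while testing: browsers cache a 301.
    RewriteRule ^/?(.*)$ https://your.server.name/$1 [R=301,L]
</VirtualHost>
```

With the file saved under `/etc/httpd/conf.d/`, `apachectl configtest` checks the syntax before `service httpd reload` applies it.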

Re: Forcing SSL over https

Postby DarkSnake-Kobra » 2012/01/21 00:13:54

Sorry, it was early in the morning when I posted this and I was frustrated. Let me see if I can explain this right. I don't know much about SSL and tried following this guide and selecting the self created cert\keys with webmin under a new virtualhost which didn't work. I then followed this guide for running genkey, which Apache was able to detect and load upon start.

This is the guide I got off HowtoForge for a perfect webserver (only followed for a LAMP server, which is all I need)

In a nutshell this is what I did. I'm lost and confused by what I read. I read about mod_rewrite, but I don't know anything about it or how to even use it.
DarkSnake-Kobra
 
Posts: 27
Joined: 2011/08/06 18:23:49

[SOLVED] Forcing SSL over https

Postby pschaff » 2012/01/21 00:43:31

DarkSnake-Kobra wrote:
> Sorry, it was early in the morning when I posted this and I was frustrated. Let me see if I can explain this right. I don't know much about SSL and tried following this guide and selecting the self created cert\keys with webmin under a new virtualhost which didn't work.

That Wiki page was created in 2008 and has not had a serious revision since.

> I then followed this guide for running genkey, which Apache was able to detect and load upon start.

You followed the RHEL5 guide. Perhaps the RHEL6 Deployment Guide or other current upstream docs would be more appropriate.

> This is the guide I got off HowtoForge for a perfect webserver (only followed for a LAMP server, which is all I need)

Those "Perfect" guides are generally abominations that recommend disabling SELinux and doing source installs.

> In a nutshell this is what I did. I'm lost and confused by what I read. I read about mod_rewrite, but I don't know anything about it or how to even use it.

Too many disparate, outdated, and/or non-standard guides. We have no idea what the current state of your system may be after all that, but if you followed the [im]perfect guide, a fresh install would be where I would go next. Then take care what guides you follow, and if in doubt ask questions first.
pschaff
Retired Moderator
 
Posts: 18277
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: Forcing SSL over https

Postby TrevorH » 2012/01/21 01:02:15

So your site works if you go to the https version of it directly?
TrevorH
Forum Moderator
 
Posts: 9147
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Forcing SSL over https

Postby DarkSnake-Kobra » 2012/01/22 07:33:59

I did a clean install this time with the web server package without the HowtoForge customizations etc. What do I need to do so that when someone types http it automatically goes to https? I want to do it the right way this time, so I haven't done anything other than updates, installing the development tools group and elrepo/rpmforge with phpmyadmin.


@Trevor

Yes.
DarkSnake-Kobra
 
Posts: 27
Joined: 2011/08/06 18:23:49

Re: Forcing SSL over https

Postby TrevorH » 2012/01/22 14:02:59

First thing to check is that both http and https are working correctly on their own before you start. Can you reach http://your.server.name and https://your.server.name at the moment?
TrevorH
Forum Moderator
 
Posts: 9147
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Forcing SSL over https

Postby DarkSnake-Kobra » 2012/01/23 07:03:35

HTTP appears to be working fine, but HTTPS does not load. system-config-firewall-tui is configured to allow https.
DarkSnake-Kobra
 
Posts: 27
Joined: 2011/08/06 18:23:49

Re: Forcing SSL over https

Postby TrevorH » 2012/01/23 09:35:23

You will not be able to redirect http to https until you first fix https! And "HTTPS does not load" is not a meaningful error message to allow for remote debugging.
TrevorH
Forum Moderator
 
Posts: 9147
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Forcing SSL over https

Postby DarkSnake-Kobra » 2012/01/24 02:58:01

OK, sorry, I'm not sure what to provide. I'm not new to Linux, but just a casual user and only know some of the basic commands. I just have the standard Apache configuration set.
DarkSnake-Kobra
 
Posts: 27
Joined: 2011/08/06 18:23:49
