My problem:
I want to open an intranet wiki to the outside world, with Google login to even view anything beyond the fact of its existence. (I emailed the list about this before, and it's working great and everyone is very pleased.)
We have an external IP, which accepts SSL on 443 and http:// on 80, and passes both through to the back-end server as plaintext on port 80. So both https://example.wiki and http://example.wiki work, because we have legacy http:// URLs in documentation *everywhere* that need to keep working.
Trouble is: how do I get it, when it gets an http:// URL, to auto-redirect to https:// ?
Remember that the server sees *only* http:// connections, it isn't doing SSL at all - SSL is terminated at the external IP.
I had to make the GoogleLogin extension (0.3.1) accept both http:// and https:// versions of Special:GoogleLogin for login to work on http:// pages.
(Can Apache even see if the incoming request was originally https:// ?)
Ideas welcome!
- d.
On Wed, Feb 8, 2017 at 8:30 AM David Gerard dgerard@gmail.com wrote:
> We have an external IP, which accepts SSL on 443 and http:// on 80, and passes both through to the back-end server as plaintext on port 80. So both https://example.wiki and http://example.wiki work, because we have legacy http:// URLs in documentation *everywhere* that need to keep working.
This seems a little complicated. Why can't you have them both on the same public Apache and define multiple Vhosts instead of passing through like a proxy?
> Trouble is: how do I get it, when it gets an http:// URL, to auto-redirect to https:// ?
If you weren't doing the passthru stuff, I'd suggest something like this in your VirtualHost config for the :80:
    RewriteEngine on
    RewriteRule ^/(.*)$ https://foo.wiki/$1 [L,R=301,NE]
> Remember that the server sees *only* http:// connections, it isn't doing SSL at all - SSL is terminated at the external IP. (Can Apache even see if the incoming request was originally https:// ?)
Since you're using two layers of Apache and basically proxying, no, the second Apache can't know. What you *could* do is set a header at the termination Apache though that passes the data through. Something with SetEnv or SetEnvIf (name it something like X_WAS_HTTPS) and then check for that at your second layer.
-Chad
On 8 February 2017 at 17:03, Chad innocentkiller@gmail.com wrote:
> On Wed, Feb 8, 2017 at 8:30 AM David Gerard dgerard@gmail.com wrote:
>> Remember that the server sees *only* http:// connections, it isn't doing SSL at all - SSL is terminated at the external IP. (Can Apache even see if the incoming request was originally https:// ?)
> Since you're using two layers of Apache and basically proxying, no, the second Apache can't know. What you *could* do is set a header at the termination Apache though that passes the data through. Something with SetEnv or SetEnvIf (name it something like X_WAS_HTTPS) and then check for that at your second layer.
The external IP is actually a Netscaler, but yeah, I guess I'll ask them to inject X-Forwarded-Proto and redirect to https:// if it came in on port 80 originally. Cheers :-)
- d.
mediawiki-l@lists.wikimedia.org
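
The redirect the thread converges on, written out for the back-end Apache as an added example (not a configuration posted by anyone in the thread). It assumes Apache 2.4, that the Netscaler overwrites X-Forwarded-Proto on every request, and uses 192.0.2.10 as a placeholder for the Netscaler's internal address.

```apache
# Back-end vhost: it only ever sees plaintext on port 80, so the original
# scheme has to come from a header set by the TLS terminator.
# Assumption: the Netscaler sets X-Forwarded-Proto to "https" on its 443
# listener and "http" on its 80 listener, replacing any client-supplied value.
<VirtualHost *:80>
    ServerName example.wiki

    # The header can only be trusted if clients cannot reach this vhost
    # directly and send their own value, so accept the terminator only.
    # 192.0.2.10 is a placeholder address.
    <Location "/">
        Require ip 192.0.2.10
    </Location>

    RewriteEngine On
    # Redirect every request that did not arrive over TLS at the edge.
    # A missing header also matches, so confirm the Netscaler is injecting
    # it before enabling this, or https:// requests will redirect in a loop.
    RewriteCond %{HTTP:X-Forwarded-Proto} !=https
    RewriteRule ^/(.*)$ https://example.wiki/$1 [L,R=301,NE]
</VirtualHost>
```

Requesting an http:// URL through the external IP should return a 301 whose Location is the same path on https://, and the https:// request that follows should be served without a further redirect.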