apache url rewriting problem

I am setting up apache to do url rewriting. What I want to do is that if the user type the address of my website, say, http://mysite49.com, I wish the browser automatically change the url to https://mysite49.com. I have following questions:

1)Do I have to open two ports, both 80 and 443(for https)?
2)How to do this functionality?

Thanks,

David

Hi David,

I think that is a redirection rather than a URL rewritting question. (My understanding is that the term 'URL writing' does not apply to the protocol and server name portion of a URL.)

This is important in your context because if the initial connection to the server from the client is with HTTP then it cannot be internally switched by httpd to HTTPS. Why? Because the client will need to initiate a new HTTPS connection to get all that SSL stuff done first before httpd can start reading headers and stuff.

The rediction can be accomplished quickly with simple HTML file with redirection meta tags. Or you could have a script on your web server that does an HTTP redirection. I'd recommend the later because it is arguable more effeciant to do so at a lower level.

Hope that helps.

Stu
[ September 21, 2006: Message edited by: Stu Thompson ]

Sorry, I might not make my problem clear. What I am trying to discuss is that I want to put "RewriteEngine" directive in my config of apache, so that if somebody type: http://my_website_name.com , the url will be automatically changed to https://my_website_name.com, thus I want to force user to use https instead of http.

Here is what I put in the config httpd.conf of apache(It is working):

RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*) https://my_website_name.com$1 [L,R]

However, my question is:

Do I need to open two ports : both 80 and 443 for my apache? Is it possible to only open port 443 if I am trying to achieve above?

Thanks,

David

Hi David,

My post stands. Rewrite is all server side, redirect involves both client and server. One cannot URL rewrite from HTTP to HTTP.

You will need to do a redirect. Your rewrite rule will not work.

To answer your second question, yes...you will need both ports open.

You will also need to brush up on the mechanics of HTTP and HTTPS to understand why. If I have time then tomorrow I could go into more depth.

Stu

Actually, the mod_rewrite module which is used here can do either redirect or rewrite, so, yes, it is possible to change from HTTP to HTTPS in this way. As far as HTTP is concerned, that is a client-side redirect, though.

And, like Stu says, both ports need to be open, because how would Apache ever see the HTTP request if port 80 wasn't open?

Hi Ulf,

Not saying I don't believe you but pllease explain how it would work. Everything I know about HTTP, HTTPS, and URL rewriting says it is not possible.

(Then again, i am weak on URL rewritting.) Specifically, how does the protocolol negotiation take place?

If I have it wrong I will gladly eat my boot. _p

Stu

I'm not up on the internals of mod_rewrite (i.e., how it works internally), but it can do either a rewrite (kind of like a forward) or a redirect (roundtrip to the client and back). The latter can be used to catch HTTP URLs and redirect to the appropriate HTTPS URL (but as far as Apache/mod_rewrite is concerned, it would still be a "rewrite", because that's what mod_rewrite does).

Like you suggest, I think there would be difficulties forwarding an HTTP request to an HTTPS address. But actually, come to think of it, mod_rewrite might just send an HTTPS request, and then return its results to the client via HTTP, thus completely masquerading the use of HTTPS. I'm not sure if that's really possible, though.

OK, if the mod_rewrite can force a roundtrip to the client then it would work. But that would really a redirection...based on a rewritten URL, yes, but a redirection none the less.

If mod_rewrite were to proxy the request to https and send the response back to the client over http...then, well...that sorta defeats the purpose. :p What benefit would there be to do this? It is definitely not secure.

David: The S in HTTPS is for secure (duh). The security is implemented via SSL. SSL sits just below HTTP on the network stack. That is important because the SSL negotiation (public and then private key exchange) must occur before the HTTP request and response(s) are read and written. Also note that the client must initiate the negotiation. The server cannot decide, after receiving a client HTTP request, that it suddenly wants everything encrypted.

Again, if I have any of this wrong then I'll eat my boot.
[ September 22, 2006: Message edited by: Stu Thompson ]

PS: I gather www.boh.com is exactly what David wants to do.

Originally posted by Matt Bad:
I have a similar question about mod_rewrite:

The request is https://my_reverse_proxy.com, and I want to use mod_rewite to forward
the request to https://my_internal_app.com.

The client broswer can not access https://my_internal_app.com directly. Is it possible?

Matt,
Please start a new thread with your question.
Most people aren't going to scroll all the way to the bottom of an old thread to look for a new question.
Also, if this discussion is still active, asking another question would be considered thread hijacking; a very rude thing to do.

-Ben

Stu, you are right( "PS: I gather www.boh.com is exactly what David wants to do."). That is exactly what I want to do.

What I implemented is the same way as www.boh.com does, what security concern can you suggest? I personally thinks it is secure for all pages between client and server.