Wednesday, 17 April 2013

Using IBM HTTP Server to rewrite URLs ( HTTP -> HTTPS )

Late last week, a colleague asked me for some assistance in configuring IBM HTTP Server to "redirect" user requests from HTTP to HTTPS, but using the mod_rewrite directive.

Now I have blogged about this before: -


so this post adds to what I earlier described.

Here's the relevant entries in my httpd.conf file: -

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so

Listen 8080
<IfModule mod_ibm_ssl.c>
        Listen 8443
        <VirtualHost *:8443>
                SSLEnable
        </VirtualHost>
        KeyFile /opt/IBM/HTTPServer/ssl/BPMPCEXT.kdb
        SSLCachePortFilename /opt/IBM/HTTPServer/logsext/siddport
        ScriptSock logsext/cgisock
        SSLCachePortFilename /opt/IBM/HTTPServer/logsext/siddport
        ScriptSock logsext/cgisock
</IfModule>

<ifModule mod_rewrite.c>
     RewriteEngine on
     RewriteCond %{SERVER_PORT} ^8080$
     RewriteRule ^(.*)$ https://%{SERVER_NAME}:8443/BusinessSpace/ [R=301,L]
     RewriteLog logsext/rewrite.log
     RewriteLogLevel 4
</ifModule>


In essence, IHS will listen on port 8080 for non-SSL traffic ( I'm running IHS as a non-root user so cannot use port 80 - all non-root ports need to be >1024 ): -

Listen 8080

In addition, IHS will listen on port 8443 for SSL traffic: -

        Listen 8443
        <VirtualHost *:8443>

The rewrite rules are as follows: -

     RewriteCond %{SERVER_PORT} ^8080$
     RewriteRule ^(.*)$ https://%{SERVER_NAME}:8443/BusinessSpace/ [R=301,L]

In other words, for any request coming in on port 8080 is automatically written to go to the URI of /BusinessSpace/ on port 8443.

If I enter the URL of: -

http://bam8011.uk.ibm.com:8080

the URL gets rewritten and I get immediately redirected to: -

https://bam8011.uk.ibm.com:8443/mum/resources/bootstrap/login.jsp

If I was running IHS as root, then I could choose to use port 80 ( HTTP ) and port 443 ( HTTPS ). However, as we know, non-root processes cannot use ports <1024, which is why I'm using 8080 and 8443.

Note that SERVER_PORT and SERVER_NAME are internal variables - in some installations, they may not be available.

I've not yet fully dug into this, but it appears to relate to the directive: -

UseCanonicalName Off

Therefore, I'm assuming that IHS merely uses what the user entered in their browser, via the host HTTP header: -

GET /BusinessSpace/ HTTP/1.1
Host: bam8011.uk.ibm.com:8443
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31
DNT: 1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


I'm currently reading Chris Shiflett's blog post on this very subject: -

SERVER_NAME Versus HTTP_HOST
 
and will experiment.


No comments:

Note to self - use kubectl to query images in a pod or deployment

In both cases, we use JSON ... For a deployment, we can do this: - kubectl get deployment foobar --namespace snafu --output jsonpath="{...