Redirectting to https using SSLrequireSSL

NB: this page is currently a work in progress!


When I host a web site I like to serve exactly the same tree via http and https however some parts of the tree should only be served via https. Apache has the SSLrequireSSL directive to prevent access to such pages via http.

Apache has RFC2817 support which negotiates TLS upgrade on an http connection, in my opinion this protocol should never be used but I present a method here to hook the apache RFC2817 support to redirect to the same page on the https site.

The result is when you use the SSLrequireSSL directive the end user is automagically re-directed to the https version of the page!

This replies on the http site having the following directive

SSLEngine optional

Basic scripts

I will dump the basic scripts here and come back and fill out the full guide later. NB: these docs are not yet complete

#Multi language and custom Error Documents - static files
mkdir /srv/httpd
cp -a /usr/share/apache2/error /srv/httpd/

#Place in the SSLrequireSSL redirect scripts
cat << 'EOFeofEOF' >/srv/httpd/error/HTTP_UPGRADE_REQUIRED.cgi 

import os,sys

if os.environ.has_key('REDIRECT_SCRIPT_URI'):
    if URL.startswith('http://'):
        print("Status: 303 See Other" )
        print("Location: %s"%NEWURL)
        print("Connection: close")
        print("Content-Type: text/html; charset=iso-8859-1")
        print('<!--#set var="REDIRECT_STATUS" value="303" -->')
        print('<!--#include virtual="/error/HTTP_UPGRADE_REQUIRED.html.var" -->')

#If we get here things have gone wrong... so just 505 Internal Server Error
print("Status: 500 Internal Server Error" )
print("Connection: close")
print("Content-Type: text/html; charset=iso-8859-1")
print('<!--#set var="REDIRECT_STATUS" value="500" -->')
print('<!--#include virtual="/error/HTTP_INTERNAL_SERVER_ERROR.html.var" -->')

chmod a+x /srv/httpd/error/HTTP_UPGRADE_REQUIRED.cgi 

cat <<'EOFeofEOF' >/srv/httpd/error/HTTP_UPGRADE_REQUIRED.html.var
Content-language: en
Content-type: text/html; charset=ISO-8859-1
<!--#set var="TITLE" value="Upgrade Required" -->
<!--#if expr="$REDIRECT_SCRIPT_URI = /^http:\/\/(.*)/" -->
  <!--#set var="refreshurl" value="https://$1" -->
<!--#endif -->
<!--#include virtual="include/top.html" -->
   The requested resource can only be retrieved using SSL. <!-- The server is
   willing to upgrade the current connection to SSL, but your client doesn't
   support it. Either upgrade your client, or --> Try requesting the page using
<!--#if expr="$refreshurl" -->
  In 5 seconds you will be redirected to the https:// version: 
  <a href="<!--#echo encoding="url" var="refreshurl" -->">
    <!--#echo encoding="url" var="refreshurl" -->
<!--#endif -->

<!--#include virtual="include/bottom.html" -->

#Fixup standard files also for SSLrequireSSL redirect
cp  /srv/httpd/error/contact.html.var /srv/httpd/error/include/
# edit /srv/httpd/error/include/top.html
#add the following 3 lined between <head> and <title>
 <!--#if expr="$refreshurl" -->
 <meta http-equiv="REFRESH" content="5;url=<!--#echo encoding="url" var="refreshurl" -->">
 <!--#endif -->
# edit /srv/httpd/error/include/bottom.html
#change reference to "../contact.html.var" to "./contact.html.var"

In http vhost

#Use "SSLEngine  Optional" but then catch 426 Upgrade status and use it to redirect 303 to https://
SSLEngine  Optional
SSLCertificateFile      /path/to/crt
SSLCertificateKeyFile   /path/to/key
SSLCACertificateFile    /path/to/intermediateCA.crt

Alias /error/HTTP_UPGRADE_REQUIRED.html.var /srv/httpd/error/HTTP_UPGRADE_REQUIRED.html.var
ErrorDocument 426 /error/HTTP_UPGRADE_REQUIRED.cgi

ErrorDocument 403 default