Difference between revisions of "Https redirection"

From SME Server
m (Further separation of alternative methods and more explicit title for plain http blocking)
 
(22 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
{{Note box|this is the default behaviour for SME since e-smith-ibays-2.4.0-10 has been released}}
 +
 
== https forced redirection using custom template ==
 
== https forced redirection using custom template ==
  
Line 9: Line 11:
 
====Problem:====
 
====Problem:====
  
You want to force https access to an ibay whenever you access it using http
+
You want to force https access to an ibay, a Web directory or all web contents of your server, whenever you access it using http
 
  
 
====Solution:====
 
====Solution:====
  
Create a custom template that forces the redirection from http to https
+
Create a custom template that forces the redirection from http to https. This is a similar method to that used to force webmail to https
 
 
This is a similar method to that used to force webmail to https
 
 
  
 
====Information:====
 
====Information:====
Line 38: Line 36:
 
  cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
 
  cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
  
  pico 60redir-ibayname1
+
  nano 60redir-ibayname1
  
Paste or type the following code including the brackets, replacing ibayname with the name of your ibay
+
Paste or type the following code including the brackets, replacing each occurrence of '''ibayname''' with the name of your ibay
  
 
  {
 
  {
Line 48: Line 46:
 
  ## Redirect Web Address to Secure Address
 
  ## Redirect Web Address to Secure Address
 
  RewriteEngine on
 
  RewriteEngine on
  RewriteRule ^/ibayname https://%{HTTP_HOST}/ibayname
+
  RewriteRule ^/'''ibayname''' <nowiki>https://%{HTTP_HOST}/</nowiki>'''ibayname'''
 
   
 
   
 
  ## End Of Redirect
 
  ## End Of Redirect
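Review bot: the rule on the changed line, RewriteRule ^/ibayname https://%{HTTP_HOST}/ibayname, matches on the prefix only and captures nothing, so a request for a page below the ibay is redirected to the ibay root, and any other path that merely starts with the same characters is redirected too. Suggest anchoring the end of the name and carrying the rest of the path over, as the db-based fragment later on the page does: ^/ibayname(/.*|$) with https://%{HTTP_HOST}/ibayname$1 [L,R].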
Line 54: Line 52:
 
  }
 
  }
 
  }
 
  }
 +
 +
Save the file & exit by Ctrl+x, then issue the following command
  
Save the file & exit
+
/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
  
  Ctrl o
+
  sv t /service/httpd-e-smith/
  
then
+
* This is an alternative if the solution above doesn't work.
  
  Ctrl x
+
  {
 +
if ($port ne "443")
 +
{
 +
$OUT .= <<'HERE';
 +
# Redirect transmission Address to Secure Address
 +
RewriteEngine On
 +
RewriteCond %{HTTPS} off
 +
RewriteRule /'''ibayname''' <nowiki>https://%{HTTP_HOST}:443/</nowiki>'''ibayname'''
 +
## End Of Redirect
 +
HERE
 +
}
 +
}
 +
 
 +
Save the file & exit by Ctrl+x, then issue the following command
  
 
  /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
 
  /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
  
  /etc/init.d/httpd restart
+
  sv t /service/httpd-e-smith/
  
 
  
If you wish to force https access to other ibays then make additional template fragments with a different filename that contain the same code except with the ibay name changed to suit
+
* If you wish to force https access to other ibays then make additional template fragments with a different filename that contain the same code except with the ibay name changed to suit
  
 
eg
 
eg
  
 
61redir-ibayname2
 
61redir-ibayname2
 +
 +
* Alternatively if you want to force all http trafics to https, you can make a general rule like this.
 +
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
 +
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
 +
nano 60all-httptohttps
 +
 +
{
 +
if ($port ne "443")
 +
{
 +
$OUT .= <<'HERE';
 +
# Redirect transmission Address to Secure Address
 +
RewriteEngine On
 +
RewriteCond %{HTTPS} off
 +
RewriteRule (.*) <nowiki>https://%{HTTP_HOST}%{REQUEST_URI}</nowiki>
 +
## End Of Redirect
 +
HERE
 +
}
 +
}
 +
 +
Save the file & exit by Ctrl+x, then issue the following command
 +
 +
/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
 +
 +
sv t /service/httpd-e-smith/
 +
  
 
Warning: If you receive errors when you expand the template that refer to not finding HERE before EOF, then make sure you have no spaces before or after the HERE entry in the code
 
Warning: If you receive errors when you expand the template that refer to not finding HERE before EOF, then make sure you have no spaces before or after the HERE entry in the code
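Review bot: the added fallback rule, RewriteRule /ibayname https://%{HTTP_HOST}:443/ibayname, drops the ^ anchor that the first fragment has, so it matches /ibayname anywhere in the request path rather than only at the start; restore the anchor. The RewriteCond %{HTTPS} off line repeats what the surrounding if ($port ne "443") already guarantees and can go from both new fragments, and "trafics" in the new bullet should read "traffic".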
Line 99: Line 136:
  
 
This modifies the original code slightly & needs only one 60redir-ibay custom fragment  
 
This modifies the original code slightly & needs only one 60redir-ibay custom fragment  
 +
 +
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
 +
 +
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
 +
 +
nano -w 60redir-ibay
 +
 +
Then paste this
  
 
  {
 
  {
Line 104: Line 149:
 
     my $adb = esmith::AccountsDB->open_ro();
 
     my $adb = esmith::AccountsDB->open_ro();
 
     $OUT = "";
 
     $OUT = "";
 
+
 
     foreach my $ibay ($adb->ibays)
 
     foreach my $ibay ($adb->ibays)
 
     {
 
     {
Line 125: Line 170:
 
  }
 
  }
  
Follow the procedure from the earlier part of this Howto & then issue this db command
 
  
  db accounts setprop ibayname HTTPSredir on
+
Save the file & exit by Ctrl+x, then issue the following command
 +
 
 +
/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
 +
 
 +
sv t /service/httpd-e-smith/
 +
 
 +
then issue this db command, you have to change '''ibayname''' to the actual name of your ibay
 +
  db accounts setprop '''ibayname''' HTTPSredir on
  
 
==Alternative methods ==  
 
==Alternative methods ==  

Latest revision as of 03:48, 16 April 2018

Note: this is the default behaviour for SME since e-smith-ibays-2.4.0-10 has been released


https forced redirection using custom template

Solution using a custom template only

These instructions come from an earlier Howto that is still applicable to sme7.x http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs/rmitchell/smeserver/howto/https%20ibay%20forced%20redirection%20HOWTO%20for%20sme%20server.htm

Problem:

You want to force https access to an ibay, a Web directory or all web contents of your server, whenever you access it using http

Solution:

Create a custom template that forces the redirection from http to https. This is a similar method to that used to force webmail to https

Information:

This howto is based on forum & devinfo posts; thanks to the posters, particularly Orien Love & Tony Clayton, and thanks for all the help I have received over the years from Gordon Rowell & Charlie Brady.

See http://contribs.org/modules/pbboard/viewtopic.php?p=98152&PHPSESSID=959ab7d52917db44da0c916f4be29d18#98152

and

http://lists.contribs.org/mailman/public/devinfo/msg07284.html


Configuration Procedure:

If it does not already exist, create the following directory, then change into it and create the template fragment:

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
nano 60redir-ibayname1

Paste or type the following code including the brackets, replacing each occurrence of ibayname with the name of your ibay

{
if ($port ne "443")
{
$OUT .= <<'HERE';
## Redirect Web Address to Secure Address
RewriteEngine on
RewriteRule ^/ibayname https://%{HTTP_HOST}/ibayname

## End Of Redirect
HERE
}
}

Save the file & exit by Ctrl+x, then issue the following commands to expand the template and restart httpd:

/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
sv t /service/httpd-e-smith/
  • This is an alternative if the solution above doesn't work.
{
if ($port ne "443")
{
$OUT .= <<'HERE';
# Redirect transmission Address to Secure Address
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule /ibayname https://%{HTTP_HOST}:443/ibayname
## End Of Redirect
HERE
}
}

Save the file & exit by Ctrl+x, then issue the following commands to expand the template and restart httpd:

/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
sv t /service/httpd-e-smith/


  • If you wish to force https access to other ibays then make additional template fragments with a different filename that contain the same code except with the ibay name changed to suit

eg

61redir-ibayname2

  • Alternatively, if you want to force all http traffic to https, you can make a general rule like this:
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
nano 60all-httptohttps
{
if ($port ne "443")
{
$OUT .= <<'HERE';
# Redirect transmission Address to Secure Address
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
## End Of Redirect
HERE
}
}

Save the file & exit by Ctrl+x, then issue the following commands to expand the template and restart httpd:

/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
sv t /service/httpd-e-smith/


Warning: If you receive errors when you expand the template that refer to not finding HERE before EOF, then make sure you have no spaces before or after the HERE entry in the code

You can download a copy of this fragment from here, remember to edit it to suit your ibayname:

http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs//rmitchell/smeserver/contribs/https-ibay-redirection/

Removal Procedure:

rm /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/60redir-ibayname1

Also remove any additional ibay redirect fragments if required (e.g. the one below), then expand the template and restart httpd:

rm /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/61redir-ibayname2
/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
/etc/init.d/httpd restart


Modified code to use a db setting

From http://forums.contribs.org/index.php/topic,47451.msg234224.html#msg234224

This modifies the original code slightly & needs only one 60redir-ibay custom fragment

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
nano -w 60redir-ibay

Then paste this

{
   use esmith::AccountsDB;
   my $adb = esmith::AccountsDB->open_ro();
   $OUT = "";

   foreach my $ibay ($adb->ibays)
   {
     my %properties = $ibay->props;
     my $key = $ibay->key;
     if ($properties{'HTTPSredir'})
     {
         if ($properties{'HTTPSredir'} eq 'on')
         {
            if ($port ne "443")
            {
               $OUT .= "    ## Redirect Web Address to Secure Address\n";
               $OUT .= "    RewriteEngine on\n";
               $OUT .= "    RewriteRule ^/$key(/.*|\$) https://%{HTTP_HOST}/$key\$1 [L,R]\n";
               $OUT .= "    ## End Of Redirect\n";
            }
         }
     }
   }
}


Save the file & exit by Ctrl+x, then issue the following commands to expand the template and restart httpd:

/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
sv t /service/httpd-e-smith/

Then issue this db command, replacing ibayname with the actual name of your ibay:

db accounts setprop ibayname HTTPSredir on
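
How the RewriteRule patterns from the fragments above treat the same plain-http request paths, as an added example that is not part of the original howto. Python's re module stands in for Apache's regex matching, and the ibay name, host name, function names and sample paths are constructed for illustration.

```python
import re

# (pattern, substitution) pairs copied from the fragments above, with
# "ibayname" as the ibay name. {host} stands for %{HTTP_HOST}, {uri} for
# %{REQUEST_URI} and {g1} for the $1 backreference.
RULES = {
    "simple":   (r"^/ibayname",         "https://{host}/ibayname"),
    "fallback": (r"/ibayname",          "https://{host}:443/ibayname"),
    "db":       (r"^/ibayname(/.*|$)",  "https://{host}/ibayname{g1}"),
    "all":      (r"(.*)",               "https://{host}{uri}"),
}

# Constructed request paths, all assumed to arrive on the port-80 virtual host.
SAMPLE_PATHS = [
    "/ibayname",
    "/ibayname/docs/report.html",
    "/ibayname2/index.html",
    "/other/ibayname/x",
]


def redirect_target(rule, path, host="www.example.test"):
    """Return the Location the rule would redirect to, or None if it does not match."""
    pattern, subst = RULES[rule]
    m = re.search(pattern, path)  # RewriteRule patterns are unanchored unless they use ^ or $
    if m is None:
        return None
    g1 = m.group(1) if m.groups() else ""
    return subst.format(host=host, uri=path, g1=g1 or "")


def compare(paths=SAMPLE_PATHS):
    """Build {path: {rule: target}} so the rules can be read side by side."""
    return {p: {r: redirect_target(r, p) for r in RULES} for p in paths}


if __name__ == "__main__":
    for path, row in compare().items():
        print(path)
        for rule, target in row.items():
            print(f"  {rule:9s} -> {target}")
```

Only the db-based pattern both keeps the rest of the path and leaves /ibayname2 alone; the two per-ibay heredoc rules send every matching request to the ibay root.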

Alternative methods

Block plain http using custom template and db commands

Here is an alternative method based on this forum thread http://forums.contribs.org/index.php/topic,31772.new.html#new

This method requires the use of https, and will deny access if http is used.

At a command prompt do the following:

cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/90e-smithAccess40ibays /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/90e-smithAccess40ibays

Edit the custom template fragment:

pico -w /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/90e-smithAccess40ibays

It should contain the following code:

$OUT .= "\n";
$OUT .= "#------------------------------------------------------------\n";
$OUT .= "# $key ibay directories ($properties{'Name'})\n";
$OUT .= "#------------------------------------------------------------\n";
$OUT .= "\n";
$OUT .= "<Directory /home/e-smith/files/ibays/$key/html>\n";
## custom code addition
       if($properties{'SSLRequireSSL'})
       {
       if($properties{'SSLRequireSSL'} eq 'on')
           {
           $OUT.="     SSLRequireSSL\n";
           }
       }
## / custom code addition

Save & exit:

Ctrl o
Ctrl x

Then, for each ibay that should only be reachable over https, do:

db accounts setprop ibayname SSLRequireSSL on

(where ibayname is the name of the applicable ibay)

Follow the above with:

expand-template /etc/httpd/conf/httpd.conf
sv t /service/httpd-e-smith
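
A check that the SSLRequireSSL property actually reached the expanded configuration, as an added example that is not part of the original howto. It scans the ibay <Directory> blocks the fragment above emits; the sample configuration, ibay names and function names are constructed, and on a server the text would be read from /etc/httpd/conf/httpd.conf.

```python
import re

# Constructed excerpt shaped like the fragment's output; a real file is much longer.
SAMPLE_CONF = """\
<Directory /home/e-smith/files/ibays/accounts/html>
     SSLRequireSSL
    Options Indexes
</Directory>
<Directory /home/e-smith/files/ibays/public/html>
    Options Indexes
</Directory>
<Directory /home/e-smith/files/ibays/hr/html>
    # SSLRequireSSL
    AllowOverride None
</Directory>
"""

IBAY_DIR = re.compile(
    r"^\s*<Directory\s+/home/e-smith/files/ibays/([^/\s>]+)/html>\s*$", re.I)
END_DIR = re.compile(r"^\s*</Directory>\s*$", re.I)
DIRECTIVE = re.compile(r"^\s*SSLRequireSSL\s*$", re.I)  # a commented-out line does not count


def ibays_requiring_ssl(conf_text):
    """Map each ibay html <Directory> block to True/False: is SSLRequireSSL set?"""
    result, current = {}, None
    for line in conf_text.splitlines():
        m = IBAY_DIR.match(line)
        if m:
            current = m.group(1)
            result[current] = False
        elif END_DIR.match(line):
            current = None
        elif current and DIRECTIVE.match(line):
            result[current] = True
    return result


def missing(conf_text, expected):
    """Ibays that should require https but whose block lacks the directive."""
    found = ibays_requiring_ssl(conf_text)
    return sorted(name for name in expected if not found.get(name, False))


if __name__ == "__main__":
    print(ibays_requiring_ssl(SAMPLE_CONF))
    print("not enforced:", missing(SAMPLE_CONF, ["accounts", "hr", "payroll"]))
```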